Access levels explained

Admin guide

Who this is for: Admins configuring user permissions, and anyone curious about what a specific access level name means.
Time to read: 5 min
Prerequisites: You've read **User & Access Management — Overview**.

What you'll learn

  • The seven access levels in VAT Portal, from most to least privileged
  • The "lower number = more power" rule
  • What each level can typically do on a given resource
  • How the access levels connect to sidebar visibility
  • How to pick the right level when setting up a new user

The levels

VAT Portal has seven access levels, each with a name and a number.

| Number | Name | Scope |
|--------|------|-------|
| 1 | Root | Global (system-level) |
| 10 | Admin | Global (organization-wide) |
| 20 | CompanyAdmin | Within a company |
| 30 | AppAdmin | Per resource, per company |
| 35 | AppElevated | Per resource, per company |
| 40 | Operator | Per resource, per company |
| 50 | ReadOnly | Per resource, per company |

The rule: lower number = more power

The numbers are counter-intuitive at first. The lower the number, the more the user can do. A user at level 30 has more access than a user at level 40, not less.

This is because access checks work by comparing numbers: a task that requires "level ≤ 30" can only be performed by a user whose level is 30 or lower (i.e., AppAdmin or higher in the hierarchy). A Root user (1) passes every check; a ReadOnly user (50) passes very few.

Think of the number as a rank: rank 1 is first place, rank 50 is fiftieth place. First place can do everything anyone else can do.


How scope differs

The levels aren't just about how much a user can do — they also differ in where:

Global levels — Root and Admin (≤ 10)

Root and Admin have global access. The permission system doesn't track per-company or per-resource entries for them — they bypass the check entirely.

  • Root (1) is the system super-admin. Typically reserved for the implementation partner or infrastructure operator.
  • Admin (10) is the top-level admin for your organization. Can see every company, every user, every resource across the whole platform.

Global admins see the company switcher in the header as a dropdown of all companies in the system, not just the ones they belong to.

Scoped levels — CompanyAdmin through ReadOnly (20–50)

Levels 20 through 50 (CompanyAdmin and everything below it in the hierarchy) operate per company and per resource. A user at these levels has their access recorded as a set of entries:

"In Company A, on the document resource, user X has AppAdmin." "In Company A, on the user resource, user X has ReadOnly." "In Company B, user X has no access at all."

Each entry is independent. The same user can be an AppAdmin on Documents and a ReadOnly on Users, in the same company. And they can have completely different access in a different company.


What each level typically does

The exact behavior depends on the resource — VAT Portal's internal catalog decides which tasks require which level. The pattern below is the typical one for most resources.

ReadOnly (50)

  • Can view the resource: list pages, detail pages, search.
  • Cannot create, edit, or delete anything.
  • The resource does not appear in the sidebar for ReadOnly users. This is intentional — users with view-only access see the data when they open it (e.g., through a direct link or because they're acting on a task), but the sidebar is reserved for resources the user can actively work with.

Operator (40)

  • Everything ReadOnly can do.
  • Plus day-to-day task operations — e.g., approving, rejecting, delegating tasks assigned to them; filling in task fields.
  • Typically cannot create, update, or delete the resource itself (a new document type, for example).
  • The resource does appear in their sidebar.

AppElevated (35)

  • A middle tier — above Operator but below AppAdmin.
  • Used for specific tasks that need slightly more privilege than regular Operator but don't warrant full AppAdmin. The exact list depends on the resource.
  • In practice, this level shows up less often than Operator or AppAdmin.

AppAdmin (30)

  • Full CRUD on the resource: Create, Read, Update, Delete.
  • Can manage the configuration (e.g., create new document types, add fields, configure workflows) within the resource.
  • The sweet spot for most department admins who need full control of one part of the system (Document Flow, HR, etc.) without global authority.

CompanyAdmin (20)

  • Effectively AppAdmin on every resource within a specific company.
  • Typically includes the ability to manage users and their access within that company.
  • Does not see other companies or the organization-wide controls.
  • The right level for "the person who runs VAT Portal for our department / subsidiary".

Admin (10)

  • Full access across the entire organization.
  • Can manage users, companies, modules, and every resource in every company.
  • Sees the Create Company / Manage Modules / Disable Company items in the header menu.

Root (1)

  • System-level super-admin.
  • Rarely used directly — typically only the VAT Portal operator or the initial deploy account has this.

Access levels and the sidebar

The sidebar in the left column shows the resources you can work with. A user's sidebar is built by the backend based on their access:

  • ReadOnly access on a resource → the resource is hidden from the sidebar.
  • Operator or higher access on a resource → the resource appears in the sidebar.
  • Global admins (Root / Admin) → every resource appears (they bypass filtering).

This is why a newly-given ReadOnly permission doesn't make a new sidebar entry appear for the user — they have to be at Operator or higher for that. If you want a teammate to browse a section without changing things, ReadOnly is technically what you want, but remember they'll need to get there by link or from a task rather than by clicking the sidebar.
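
The check rule, the global bypass and the sidebar filter described above, modelled as an added example (not VAT Portal's own code). The `CATALOG` task names, the `entries` storage shape and the sample users are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional

class Level(IntEnum):                      # numbers from the levels table
    ROOT = 1
    ADMIN = 10
    COMPANY_ADMIN = 20
    APP_ADMIN = 30
    APP_ELEVATED = 35
    OPERATOR = 40
    READ_ONLY = 50

# Constructed stand-in for the internal catalog: (resource, task) -> required level.
CATALOG = {("document", "view"): Level.READ_ONLY,
           ("document", "approve_task"): Level.OPERATOR,
           ("document", "create"): Level.APP_ADMIN}

@dataclass
class User:
    name: str
    global_level: Optional[Level] = None   # set only for Root / Admin
    entries: dict = field(default_factory=dict)  # (company, resource) -> Level (assumed shape)

def effective_level(user, company, resource):
    """Level that applies for this company and resource, or None for no access."""
    if user.global_level is not None and user.global_level <= Level.ADMIN:
        return user.global_level           # global levels bypass per-resource entries
    return user.entries.get((company, resource))

def meets(user, company, resource, required):
    level = effective_level(user, company, resource)
    # A missing entry must deny. Defaulting it to 0 would outrank Root on this
    # scale, so absence stays None and is tested before the comparison.
    return level is not None and level <= required

def can(user, company, resource, task):
    required = CATALOG.get((resource, task))
    return required is not None and meets(user, company, resource, required)

def sidebar(user, company, resources):
    """Operator or higher shows the resource; ReadOnly stays hidden."""
    return [r for r in resources if meets(user, company, r, Level.OPERATOR)]

# Constructed sample users; user_x mirrors the entries quoted in the text.
user_x = User("X", entries={("A", "document"): Level.APP_ADMIN,
                            ("A", "user"): Level.READ_ONLY})
operator = User("op", entries={("A", "document"): Level.OPERATOR})
org_admin = User("org-admin", global_level=Level.ADMIN)
```
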


Picking the right level for a user

Some rules of thumb for new user setup:

  • Will this person use Document Flow day-to-day but not configure it? → AppAdmin on specific resources isn't needed. Operator on document and task_instance is usually enough. They'll be able to create documents, respond to tasks, and see everything related.
  • Will this person configure Document Flow — set up document types, fields, workflows? → Give them AppAdmin on the relevant resources (doc_type, workflow, add_field, whs_flt).
  • Will this person run VAT Portal for a whole company — including managing other users? → CompanyAdmin covers the whole set.
  • Only organization-wide admins / IT / platform operators → Admin or Root.

When in doubt, give the least privilege that works. It's easier to grant more later than to explain why a user was wrongly able to delete things.


Common questions

I gave someone Operator on Documents but they can't create documents.

Most resources require AppAdmin (30) for create/update/delete. Operator typically only gets read and task actions. If they need to create documents, use AppAdmin. See Managing a user's access (per-company ACLs).

What's the difference between AppAdmin and AppElevated?

AppAdmin (30) covers the full CRUD set. AppElevated (35) is a narrower tier for specific privileged task actions without full configuration rights. Most teams won't need it — pick Operator or AppAdmin.

Can I make my own access level?

No — the seven levels are fixed. You configure which level a user has per resource, not new levels.

A user's Role says "Operator" but I need them to be "AppAdmin" on one thing. What do I do?

Role is the user's overall default. Their per-resource access level can differ from that default. Open their Manage Access dialog and set AppAdmin specifically for the resource where they need it. The Role stays what it was, but the per-resource entry overrides for that resource.

Is there a higher level than Root?

No. Root is the top.

Someone is Admin. Do I also need to give them per-resource permissions?

No. Admin and Root bypass per-resource checks — they have global access. Per-resource entries only apply to levels 20 through 50 (CompanyAdmin and below in the hierarchy).

Why is my ReadOnly user reporting they can't find a page?

ReadOnly hides the resource from the sidebar. Give them a direct link, or upgrade them to Operator if they'll genuinely use the section on their own.

