User & Access Management — Overview

What you'll learn#

• The building blocks of access in VAT Portal — users, companies, resources, access levels
• How Groups fit in (they're different from access levels)
• Where each admin task lives in the sidebar
• Which articles to read next, depending on what you're trying to do

The big picture#

Access in VAT Portal is layered. Understanding how the layers fit together makes every individual setting less mysterious.

User — an account with credentials#

Every person who uses VAT Portal has a user account with a username, password, email, and a few profile details. Accounts are per-person, not per-team — each person should have their own.

Admins create user accounts, reset passwords when needed, and can disable accounts when people leave.

Company — the scope of access#

A user belongs to one or more companies. Each company is a separate workspace: documents, fields, workflows, and HR data are all scoped to a company. When you switch companies (top-left of the header), you're moving between these scopes.

Access is set per company. The same user can be a full admin in Company A and a read-only viewer in Company B. Permissions in one company have no effect on another.

Resource — a feature or section#

A resource is a distinct feature: Documents, Approval Flows, Additional Fields, Users, Departments, and so on. The sidebar you see on the left is essentially a list of resources grouped into modules (Document Flow, Utilities, HR, Settings).

Access level — how much you can do#

For each resource in each company, a user has an access level. Access levels are ranked from most privileged to least:

Lower number means more privilege. A full explanation of each level — what someone at that level can and can't do — is in Access levels explained.

Group — a named set of users#

A group is simply a named list of users. Groups have nothing to do with access levels; they exist so workflow tasks can be assigned to "the Finance team" rather than to a specific person or position. When a task is assigned to a group, any member can claim and act on it.

Groups are managed separately under Settings → Groups.

How the pieces fit together#

User ──(belongs to)──▶ Company ──(contains)──▶ Resources
  │                       │                         │
  └───(has per-company, per-resource access level)──┘

User ──(is a member of)──▶ Group ──(referenced by)──▶ Workflow tasks

• A user signs in with their account.
• The system knows which companies that user has access to.
• Within each company, the system knows what access level the user has for each resource.
• That determines what sections show up in the sidebar and what buttons they can click on each page.
• Groups are a completely separate mechanic — they're just rosters used by workflow tasks to fan out assignments.

Where to manage each thing#

Where you go depends on what you're doing:

Managing users#

Settings → Users in the sidebar (admin only). This is where you:

• Create new user accounts
• Edit a user's profile (name, email)
• Change a user's password
• Assign a user to one or more companies
• Set a user's access level per resource, per company
• Delete a user
• Copy an existing user's setup to create a new one

See Creating a new user and the sibling articles in this section.

Managing groups#

Settings → Groups in the sidebar (admin only). Where you:

• Create a new group
• Rename or delete a group
• Add or remove users from a group

See Creating a group and Managing group members.

Managing companies#

The Header's user icon (top-right) — admin/root only — has menu items for:

• Create Company — add a new workspace
• Manage Modules — choose which modules a company has access to
• Disable Company — deactivate a company's workspace

See the Company Management section for detail.

End users vs. admins#

End users only really interact with this section in one place: changing their own password — though right now that's handled by their admin rather than self-service (see Logging in and out for the current state of password management). Everything else happens silently in the background: their account and access are what was set up for them, and they use the resulting permissions without touching this section.

Admins spend regular time here:

• Onboarding new hires (create user, assign companies, set access)
• Handling role changes (update access levels, move users between companies)
• Offboarding (disable / delete when someone leaves)
• Managing group membership as teams shift

Recommended reading order#

If you're setting up a new environment or just starting to learn this section, read in this order:

1. Access levels explained — the full breakdown of what each level (Root, Admin, AppAdmin, Operator, ReadOnly, etc.) can do. The most foundational article in this section.
2. Roles — overview — how roles relate to access levels in practice.
3. Creating a new user — the day-one admin task.
4. Assigning a user to multiple companies — when a user needs access beyond their home company.
5. Managing a user's access (per-company ACLs) — the detailed per-resource access configuration.
6. Editing a user's profile, Copying a user, Changing a user's password, Deleting a user — the remaining CRUD operations.
7. Creating a group and Managing group members — when you're ready to use group-based task assignments.

If you're looking for a specific task ("how do I give this user access to something they can't see?"), jump straight to the article whose title matches.

Common questions#