User Roles and Permissions

This guide explains how access works in Fiskl: you assign each team member a preset as a starting point, then optionally fine-tune their exact permissions. It covers the seven presets, how to assign them, and how to build a custom permission set.

How Access Is Assigned

Each team member has a set of permissions that control what they can see and do. You assign access in two steps:

  1. Pick a preset — a ready-made bundle of permissions for a common job, such as Bookkeeper or Read-only.
  2. Fine-tune if needed — adjust individual permissions in the permission grid. A member whose permissions no longer match a preset exactly is shown as Custom.

Permissions are fine-grained: most areas separate viewing (read) from changing (write), and some add further actions such as sending, deleting, or reconciling. For the full list, see the Permissions Reference.

Info: Permissions also govern API access. An API key or connected app can never do more than its owner. See How Permissions Work.

The Seven Presets

Use a preset as the starting point that best matches a person's job.

| Preset | Who it's for | Access in brief |
| --- | --- | --- |
| Owner | The person who owns the account | Everything, including subscription and billing. Only the Owner can end the account. |
| Admin | Power user running day-to-day operations | Everything except subscription and billing control. |
| Accountant | External professional doing your books | Full bookkeeping through period-end and tax, with reports and export. No team management, branding, integrations, or API access. |
| Bookkeeper | In-house daily bookkeeping | Day-to-day invoicing, bills, payments, and reconciliation. Can view tax setup but not change it, and cannot close periods. |
| Invoice Only | Sales reps and office admins | Clients, invoices, quotes, and recording payments received. No accounting or banking. |
| Expense Submitter | Field employees | Submit expenses and manage line items only. |
| Read-only | Auditors, board members, due diligence | View everything and export reports. No changes anywhere. |

Owner is special

Every account has exactly one Owner, tied to the subscription. You cannot assign the Owner preset to someone else from the permission screen — instead, transfer ownership. See Inviting and Managing Users.

Build a Custom Permission Set

When no preset fits, start from the closest one and adjust individual permissions in the grid.

To edit a member's permissions, go to Settings > Team and select the member, then open the permission grid. Select or clear individual permissions, then select Save.

  • Permissions are grouped by area, such as Invoicing, Payments, and Accounting.
  • Most areas have separate view and edit permissions, so you can grant read-only access to one area and full access to another.
  • A member with user.assign_role can grant permissions they do not hold themselves. This lets an office manager set up an external Accountant with period-end access without holding it personally.

Warning: Some permissions are sensitive, for example editing bank details on invoices, changing tax rates, or managing API keys. They are flagged in the permission grid with a warning (shield) icon and ask you to confirm before granting. Grant them only when the person genuinely needs them. See the Permissions Reference for the full list.

Choose the Right Preset

  • Needs to manage billing and the subscription → Owner (one per account).
  • Runs operations but should not control billing → Admin.
  • An outside accountant closing the books and filing tax → Accountant.
  • In-house staff doing daily books, but not period-end → Bookkeeper.
  • Raises invoices and quotes, takes payments → Invoice Only.
  • Only submits expenses from the field → Expense Submitter.
  • Should see everything but change nothing → Read-only.

Best Practices

  • Least privilege. Start from the narrowest preset that covers the job, then add permissions only as needed.
  • Review regularly. Re-check assignments as responsibilities change.
  • Limit Owner and Admin. Keep these to a small number of trusted people.
  • Use Read-only or Accountant for outsiders. Never give external professionals Admin access.
  • Deactivate promptly. When someone leaves, remove their access the same day.
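
An added example, not Fiskl's own code or API: a short Python review of a team roster against the rules in this guide (API keys capped at their owner's permissions, user.assign_role holders outside Owner and Admin, sensitive permissions in Custom sets, external members with Admin). Only user.assign_role is a permission name from this guide; the other permission names, the roster layout and the external flag are assumptions.

```python
"""Review a team roster against the access rules described in this guide."""

# Only "user.assign_role" is a permission name taken from the guide. The other
# names, the roster layout and the "external" flag are hypothetical.
ASSIGN_ROLE = "user.assign_role"
SENSITIVE = {ASSIGN_ROLE, "invoice.bank_details.write", "tax.rate.write", "api_key.manage"}
BROAD_PRESETS = {"Owner", "Admin"}


def effective_key_permissions(key_scopes, owner_permissions):
    """An API key can never do more than its owner: cap scopes at the owner's set."""
    return set(key_scopes) & set(owner_permissions)


def review(roster):
    """Return (member, finding) pairs that deserve a second look."""
    findings = []
    for m in roster:
        perms = set(m["permissions"])
        if m["external"] and m["preset"] == "Admin":
            findings.append((m["name"], "external member holds Admin"))
        if ASSIGN_ROLE in perms and m["preset"] not in BROAD_PRESETS:
            # The holder can grant permissions they do not hold, so review
            # this delegation as if it were Admin-level access.
            findings.append((m["name"], "can assign permissions beyond own set"))
        extra = sorted((perms & SENSITIVE) - {ASSIGN_ROLE})
        if extra and m["preset"] == "Custom":
            findings.append((m["name"], "custom set includes sensitive: " + ", ".join(extra)))
    return findings


# Constructed sample roster (not real data).
ROSTER = [
    {"name": "dana", "preset": "Admin", "external": False,
     "permissions": {ASSIGN_ROLE, "api_key.manage", "invoice.read", "invoice.write"}},
    {"name": "omar", "preset": "Custom", "external": False,
     "permissions": {ASSIGN_ROLE, "invoice.read"}},
    {"name": "lee", "preset": "Admin", "external": True,
     "permissions": {"invoice.read", "invoice.write"}},
    {"name": "kim", "preset": "Custom", "external": False,
     "permissions": {"invoice.read", "tax.rate.write"}},
]

if __name__ == "__main__":
    for name, finding in review(ROSTER):
        print(f"{name}: {finding}")
    key = effective_key_permissions({"invoice.write", "tax.rate.write"}, {"invoice.read", "invoice.write"})
    print("effective key permissions:", sorted(key))
```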