Tenant Management

User Roles & Permissions

Learn how to configure access levels for team members in bVAT. Understand the different roles, their permissions, and how to manage team access effectively.

8 min read

Introduction

bVAT uses a role-based access control (RBAC) system to manage user permissions within each tenant. Each user can have a different role in different tenants, allowing flexible access management for businesses with multiple organizations.

There are four role levels, each with specific permissions and limitations:

  • Owner - Full control and management
  • Admin - Administrative operations
  • Finance - Financial and VAT operations
  • Viewer - Read-only access

Role Details

Owner
Level 4
Full control over the tenant and all its resources

Permissions

  • Create, edit, and delete all VAT entries
  • Generate and submit VAT returns
  • Manage all tenant settings and business information
  • Invite and remove team members
  • Change user roles and permissions
  • Manage billing and subscription
  • Delete the tenant
  • Access all reports and analytics
  • Export data in any format

Limitations

  • Cannot remove themselves as owner (must transfer ownership first)
  • Cannot delete tenant if it contains critical data (contact support)

Best for: Business owners, founders, or primary administrators who need complete control

Admin
Level 3
Administrative access to manage day-to-day operations

Permissions

  • Create, edit, and delete VAT entries
  • Generate and submit VAT returns
  • Manage business settings (except billing)
  • Invite and remove team members
  • Change user roles (except owner role)
  • Access all reports and analytics
  • Export data in any format
  • View team member list and activity

Limitations

  • Cannot manage billing or subscription
  • Cannot delete the tenant
  • Cannot change owner role or remove owners
  • Cannot change their own role to owner

Best for: Operations managers, senior accountants, or trusted administrators

Finance
Level 2
Financial operations and VAT return management

Permissions

  • Create, edit, and delete VAT entries
  • Generate and submit VAT returns
  • View and export reports
  • Access analytics and dashboards
  • View business information (read-only)
  • View team member list (read-only)

Limitations

  • Cannot manage team members or user roles
  • Cannot modify business settings
  • Cannot access billing information
  • Cannot delete VAT entries after submission (in locked periods)

Best for: Accountants, bookkeepers, or finance team members who handle VAT compliance

Viewer
Level 1
Read-only access to view data and reports

Permissions

  • View VAT entries (read-only)
  • View reports and analytics
  • Export reports (limited formats)
  • View business information (read-only)
  • View team member list (read-only)

Limitations

  • Cannot create, edit, or delete any data
  • Cannot generate or submit VAT returns
  • Cannot access settings or configuration
  • Cannot invite or manage team members
  • Cannot export sensitive data

Best for: Auditors, consultants, or stakeholders who need visibility without edit access

Role Hierarchy

Roles are hierarchical, with higher-level roles inheriting permissions from lower levels:

Owner (Level 4)→ Full Control
Admin (Level 3)→ Administrative
Finance (Level 2)→ Financial Operations
Viewer (Level 1)→ Read-Only

Managing Team Members

Step-by-Step Guide
How to invite users, change roles, and manage team access

1Access Team Management

Navigate to Dashboard > Team from the main navigation menu. You must have Owner or Admin role to access this page.

2Invite a New Team Member

  • Click the "Invite User" or "+" button
  • Enter the user's email address and name
  • Select the role you want to assign (Admin, Finance, or Viewer)
  • Optionally set a temporary password (user can change it later)
  • Click "Send Invitation" to create the user account and send an invitation

3Change a User's Role

  • Find the user in the team members list
  • Click the menu icon (three dots) next to their name
  • Select "Edit Role" from the dropdown menu
  • Choose the new role from the role selector
  • Click "Save Changes" to update the role

4Remove a Team Member

  • Find the user in the team members list
  • Click the menu icon (three dots) next to their name
  • Select "Remove from Team" from the dropdown menu
  • Confirm the removal in the dialog
  • The user will lose access to this tenant immediately

Best Practices

Principle of Least Privilege

Assign the minimum level of access needed for each user to perform their job. Start with Viewer and upgrade only when necessary.

Regular Access Reviews

Periodically review team member access and remove users who no longer need access. This improves security and reduces costs.

Role Separation

Separate duties by role. For example, have Finance users create entries and Admins review and submit returns.

Owner Protection

Always maintain at least one Owner per tenant. Consider having 2-3 Owners for business continuity.

Common Issues & Troubleshooting

I can't see the Team Management page

Only Owners and Admins can access team management. If you need access, ask an Owner or Admin to upgrade your role.

I can't change a user's role to Owner

Only existing Owners can assign the Owner role. If you're an Admin, you'll need an Owner to make this change.

A user was removed but still has access

Access removal is immediate, but users may need to refresh their browser or log out and back in. If issues persist, contact support.

Can I have multiple Owners?

Yes! It's recommended to have 2-3 Owners for business continuity. All Owners have equal permissions.

What happens if I remove the last Owner?

The system prevents removing the last Owner. You must transfer ownership to another user first, or contact support for assistance.

Related Articles

Creating Tenants
Set up new business profiles
6 min read
Read
Data Isolation
Understanding tenant data separation
5 min read
Read
Bulk Operations
Managing multiple tenants efficiently
10 min read
Read
Next Steps
Continue your tenant management journey with these recommended guides
Understanding Data Isolation

Or explore other documentation: