Permissions
Understanding access control and user rights in LYNKS through granular role-based permissions and permission inheritance
Introduction
LYNKS implements a comprehensive permission system that controls what users can see and do within the platform. The permission framework provides granular access control through role-based access control (RBAC), allowing administrators to precisely define user rights based on their responsibilities, while maintaining strict data isolation between tenants.
Permissions in LYNKS control access at multiple levels: features, accounts, payment categories, currencies, and counterparties. Users can receive permissions directly or inherit them through membership in user groups. This flexible approach ensures the principle of least privilege while supporting complex organizational structures and workflows.
For information about user and group management, see User & Groups - User management and access configuration.
Permission system overview
LYNKS uses a role-based access control (RBAC) model that provides granular control over user access to platform features and data.
Role-based access control (RBAC)
The LYNKS platform encompasses a versatile role-based access control setup allowing granular definition of access rights and roles for platform features and processes. Administrators can define custom permission sets tailored to each organization's specific roles and responsibilities.
The RBAC framework serves three primary purposes:
- Data access control - Preventing users from accessing data they should not see, allowing users to focus on their specific tasks
- Interface optimization - Providing role-appropriate dashboards and data displays (e.g., CFO overview vs. payment entry interface)
- Interface simplification - De-cluttering interfaces for users with limited roles (e.g., approvers who only sign transactions)
Granular permission scoping
Permissions in LYNKS can be scoped to control access at multiple dimensions:
| Scope Type | Description | Example Use Case |
|---|---|---|
| Permission type | Specific action or feature access | PAYMENT_CREATE, COUNTERPARTY_ACCOUNT_READ, DASHBOARD_READ |
| Account groups | Limit access to specific sets of accounts | Treasury user accesses only operating accounts, not investment accounts |
| Accounts | Restrict to individual ordering party accounts | Regional manager accesses only accounts for their region |
| Payment category groups* | Control which payment types users can process | Finance team accesses payroll and supplier payment categories |
| Payment categories | Restrict to individual payment categories | Payroll clerk can only create salary payments |
| Currency groups* | Limit to specific sets of currencies | Regional team accesses currencies relevant to their markets |
| Currencies | Restrict to individual transaction currencies | User restricted to EUR payments only |
| Counterparty groups | Limit visibility to specific sets of beneficiaries | Department sees only counterparties in their assigned group |
| Counterparties | Restrict to individual beneficiaries | External user sees only counterparties relevant to their scope |
*Payment category groups and currency groups are only configurable via the backend and are not available in the user interface.
Permission inheritance
Users can receive permissions through two methods:
- Direct assignment - Permissions granted explicitly to individual users
- Group membership - Permissions inherited from user groups
When a user belongs to a group, they automatically inherit all permissions granted to that group. The "Granted via" parameter in the user interface identifies whether a permission was assigned directly or inherited from group membership.
When a user has permissions from both direct assignment and group membership, the more expansive permissions prevail. This ensures users have all necessary access while maintaining flexibility in permission management.
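The merge rule above has a practical consequence for reviewers: a narrow direct grant does not restrict a broader grant inherited from a group. The sketch below is an added example, not LYNKS code. It assumes that "more expansive" means the union of scopes and that a grant with no scope is unrestricted; the `Grant` class, the account identifiers and the group name are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed model (not LYNKS code): a grant names a permission type and an
# optional account scope. accounts=None means "no restriction".
@dataclass(frozen=True)
class Grant:
    permission: str
    accounts: Optional[frozenset]  # None = unrestricted
    via: str                       # "direct" or a group name ("Granted via")

def effective(grants):
    """Merge grants so the more expansive scope prevails per permission."""
    merged = {}
    for g in grants:
        scope, sources = merged.get(g.permission, (frozenset(), []))
        if scope is None or g.accounts is None:
            scope = None                 # any unrestricted grant wins
        else:
            scope = scope | g.accounts   # otherwise scopes add up
        merged[g.permission] = (scope, sources + [g.via])
    return merged

def allowed(merged, permission, account):
    """True if the merged grants permit `permission` on `account`."""
    if permission not in merged:
        return False
    scope, _ = merged[permission]
    return scope is None or account in scope

# Constructed sample: a narrow direct grant plus a broader group grant.
SAMPLE = [
    Grant("PAYMENT_CREATE", frozenset({"ACC-OPS-1"}), "direct"),
    Grant("PAYMENT_CREATE", frozenset({"ACC-OPS-1", "ACC-OPS-2"}), "Treasury"),
    Grant("PAYMENT_READ", None, "Treasury"),
]

if __name__ == "__main__":
    for perm, (scope, via) in sorted(effective(SAMPLE).items()):
        print(perm, "ALL" if scope is None else sorted(scope), "via", via)
```

Under this model, removing access means finding every source listed for the permission, not only editing the direct grant.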
Permission types and categories
LYNKS provides a comprehensive set of permissions organized by functional area. Permissions control both read access (viewing data) and write access (creating, editing, or deleting data).
Payment permissions
Control access to credit transfers, standing orders, and payment workflows.
| Permission | Description |
|---|---|
| PAYMENT_READ | View payments and payment details, including audit information |
| PAYMENT_CREATE | Create and upload payments in draft status; manage payment groups |
| PAYMENT_APPROVE | Submit draft payments for authorization |
| PAYMENT_AUTHORISE | Sign or reject payments (signatory right) |
| PAYMENT_CANCEL | Cancel payments before bank submission |
| PAYMENT_CANCEL_DRAFT | Cancel payments in draft status only |
| PAYMENT_SEND_TO_BANK | Manually send authorized payments to the bank |
| PAYMENT_DOCUMENT_ATTACH | Attach, edit, or delete documents on payments |
| PAYMENT_SEND_REMINDER | Send reminder notifications to signatories |
| PAYMENT_MANUAL_CHANGE_STATUS | Manually mark payments as executed or rejected |
| PAYMENT_REPORT_READ | Generate and download payment reports |
| PAYMENT_AUDIT_NOTIFICATIONS | Receive audit notifications for payment monitoring |
Counterparty permissions
Control access to beneficiary and counterparty management.
| Permission | Description |
|---|---|
| COUNTERPARTY_ACCOUNT_READ | View counterparty list and details |
| COUNTERPARTY_ACCOUNT_WRITE | Create, edit, and resubmit counterparties |
| COUNTERPARTY_ACCOUNT_AUTHORISE | Approve or reject counterparty changes |
| COUNTERPARTY_ACCOUNT_DEACTIVATE | Disable counterparties |
| COUNTERPARTY_ACCOUNT_SKIP_4EYES | Skip approval process for counterparty changes |
| BLACKLISTED_ACCOUNT_READ | View blacklisted accounts |
| BLACKLISTED_ACCOUNT_WRITE | Add, edit, or delete blacklisted accounts |
Account permissions
Control access to ordering party accounts, balances, and statements.
| Permission | Description |
|---|---|
| ORDERING_PARTY_ACCOUNT_READ | View accounts list and account details |
| ORDERING_PARTY_ACCOUNT_WRITE | Update account details and properties |
| ORDERING_PARTY_ACCOUNT_CREATE | Create ordering party accounts via API |
| ORDERING_PARTY_BALANCE_READ | View account balance information and forecasts |
| ORDERING_PARTY_STATEMENT_READ | Access transaction history and bank statements |
Direct debit permissions
Control access to SEPA Direct Debit functionality.
| Permission | Description |
|---|---|
| DIRECT_DEBIT_READ | View direct debit batches and details |
| DIRECT_DEBIT_CREATE | Create direct debit collections via API |
| DIRECT_DEBIT_AUTHORISE | Sign or reject direct debit batches |
| DIRECT_DEBIT_CANCEL | Cancel direct debit batches before bank submission |
| DIRECT_DEBIT_SEND_TO_BANK | Manually send direct debits to the bank |
| DIRECT_DEBIT_SKIP_4EYES | Create direct debits without approval requirement |
Cash concentration permissions
Control access to cash pooling and automated liquidity management.
| Permission | Description |
|---|---|
| CASH_CONCENTRATION_READ | View cash concentration automation rules |
| CASH_CONCENTRATION_DRAFT | Create and edit draft automation rules |
| CASH_CONCENTRATION_WRITE | Create, edit, cancel, or pause automation rules |
| CASH_CONCENTRATION_SIGN | Authorize, activate, or reject automation rules |
Risk management and KYC permissions
Control access to compliance and screening features.
| Permission | Description |
|---|---|
| KYC_SCREENING_READ | View KYC screening results (cannot resolve cases) |
| KYC_SCREENING_WRITE | Perform screenings, save cases, and resolve hits |
| KYC_RISK_LOG_READ | View risk level details and compliance logs |
| KYC_RISK_LOG_WRITE | Update counterparty risk levels and provide evidence |
Standing order permissions
Control access to recurring payment setup and management.
| Permission | Description |
|---|---|
| STANDING_ORDER_READ | View standing orders list and details |
| STANDING_ORDER_WRITE | Create and cancel standing orders |
Tenant settings permissions
Control access to administrative configuration settings.
| Permission | Description |
|---|---|
| TENANT_SETTINGS_READ | View tenant settings (accounts, signatory rules, payment categories, currencies, counterparty monitoring) |
| TENANT_SETTINGS_WRITE | Modify all tenant settings including users, groups, accounts, signatory rules, payment categories, currencies, and counterparty monitoring |
| TENANT_SETTINGS_APPROVE | Approve or discard pending tenant settings changes (when approval feature is enabled) |
| USER_AND_GROUP_READ | Download user profiles report |
Other permissions
Additional platform-wide permissions.
| Permission | Description |
|---|---|
| DASHBOARD_READ | Access the dashboard overview |
| INVOICE_READ | View invoices and e-invoicing data |
| INVOICE_WRITE | Create and update invoices |
| SECURITIES_READ | Access securities accounts (when feature flag enabled) |
| BATCH_BOOKING_TRANSACTIONS_READ | View batch booking details and child transactions |
| USER_NOTIFICATION_PREFERENCE | Access user notification preferences menu |
Configuring permissions
Permissions are assigned to users and user groups through the tenant settings interface. Administrators with appropriate rights can grant, modify, or revoke permissions.
Assigning permissions to users
Permissions can be granted directly to individual users:
- Navigate to Settings > Users in the LYNKS interface
- Select the user or click New user to create a new user
- In the Access and Permissions section, add or remove permissions
- Select the permission type from the available list
- Configure scope parameters if applicable (accounts, payment categories, currencies, counterparties)
- Save the changes (approval may be required if tenant settings approval is enabled)
Users with both direct permissions and inherited group permissions will have the more expansive permissions applied.
Assigning permissions to user groups
Permissions can be granted to user groups, with all members inheriting the permissions:
- Navigate to Settings > Users and select the User Groups tab
- Select an existing group or create a new user group
- In the Access and Permissions section, configure permissions for the group
- Add or remove permissions as needed
- All current and future members of the group will inherit these permissions
User group permissions enable efficient management of permissions for users with similar roles, reducing administrative overhead and ensuring consistency.
Permission scoping parameters
When assigning permissions, administrators can restrict access using scoping parameters:
Account groups and accounts:
- Limit permission to specific sets of accounts or individual accounts
- Users can only access data and perform actions on accounts within their scope
Payment category groups and payment categories:
- Restrict users to create or approve only payments in specific categories or category groups
- Supports organizational segregation (e.g., payroll vs. supplier payments)
- Note: Payment category groups are only configurable via the backend
Currency groups and currencies:
- Limit transaction access to specific currencies or currency groups
- Useful for regional restrictions or compliance requirements
- Note: Currency groups are only configurable via the backend
Counterparty groups and counterparties:
- Restrict visibility to specific counterparties or counterparty groups
- Enables external users to see only relevant beneficiaries
- Counterparty groups allow organizing beneficiaries into logical sets for easier permission management
Permission management best practices
Principle of least privilege
Grant users only the minimum permissions necessary to perform their job functions. Start with restrictive permissions and add access as needed rather than starting with broad access and removing it.
Role-based design
Design permission sets based on organizational roles:
- Treasury managers - Full access to accounts, payments, and reporting
- Payment creators - Create and manage draft payments, limited account visibility
- Approvers/Signatories - Authorize transactions, view pending items only
- Auditors - Read-only access with audit notification rights
- Administrators - Tenant settings management and user configuration
Using user groups effectively
Organize users into groups by role, department, or function. Assign permissions to groups rather than individual users whenever possible. This approach:
- Reduces administrative overhead
- Ensures consistency across users with similar roles
- Simplifies permission audits and compliance reviews
- Makes onboarding and offboarding more efficient
Segregation of duties (SoD)
Implement segregation of duties by ensuring critical functions require multiple users:
- Separate payment creators from payment approvers
- Different users for counterparty creation and counterparty approval
- Distinct roles for tenant settings modification and approval
The four-eyes principle in LYNKS supports SoD by requiring approval for sensitive operations.
Regular permission audits
Conduct periodic reviews of user permissions:
- Download user profiles report (available with USER_AND_GROUP_READ permission)
- Review access and permissions section in the report
- Verify users have appropriate access levels
- Remove permissions that are no longer needed
- Update user group memberships as roles change
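The segregation-of-duties pairs and the periodic review described above can be checked mechanically once the report data is in tabular form. The following is an added example, not LYNKS code. The row layout `(user, permission, granted_via)` is an assumption about how the exported report could be normalised, and the sample rows, user names and group names are constructed.

```python
from collections import defaultdict

# Pairs the page says should be held by different users.
SOD_PAIRS = [
    ("PAYMENT_CREATE", "PAYMENT_AUTHORISE"),
    ("COUNTERPARTY_ACCOUNT_WRITE", "COUNTERPARTY_ACCOUNT_AUTHORISE"),
    ("TENANT_SETTINGS_WRITE", "TENANT_SETTINGS_APPROVE"),
]
# Permissions documented on this page as skipping the approval step.
BYPASS = {"COUNTERPARTY_ACCOUNT_SKIP_4EYES", "DIRECT_DEBIT_SKIP_4EYES"}

def audit(rows):
    """rows: (user, permission, granted_via) tuples; returns sorted findings."""
    held = defaultdict(dict)  # user -> {permission: set of grant sources}
    for user, perm, via in rows:
        held[user].setdefault(perm, set()).add(via)
    findings = []
    for user, perms in held.items():
        # Direct and inherited grants both count toward a conflict.
        for a, b in SOD_PAIRS:
            if a in perms and b in perms:
                sources = sorted(perms[a] | perms[b])
                findings.append((user, "SOD_CONFLICT", f"{a}+{b}", sources))
        for p in sorted(BYPASS.intersection(perms)):
            findings.append((user, "FOUR_EYES_BYPASS", p, sorted(perms[p])))
    return sorted(findings)

# Constructed sample rows (assumed layout, not a real export).
SAMPLE_ROWS = [
    ("alice", "PAYMENT_CREATE", "direct"),
    ("alice", "PAYMENT_AUTHORISE", "Signatories"),
    ("bob", "PAYMENT_CREATE", "Payment creators"),
    ("bob", "COUNTERPARTY_ACCOUNT_SKIP_4EYES", "direct"),
    ("carol", "PAYMENT_AUTHORISE", "Signatories"),
    ("carol", "PAYMENT_READ", "Signatories"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(finding)
```

Each finding is a prompt for review rather than proof of a violation; the listed sources show which direct grant or group membership to examine.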
Tenant-level isolation
LYNKS enforces strict data isolation between tenants. Each tenant operates independently with complete data separation, ensuring your organization's data remains private and secure.
Multi-tenant users
Users can belong to multiple tenants, accessing different organizations through the tenant switcher in the sidebar navigation. Each tenant has independent permission configurations:
- Permissions assigned in one tenant do not apply to other tenants
- Users may have different roles and access levels in each tenant
- Data visibility is scoped to the currently selected tenant
For more information about tenants and multi-tenancy, see Tenants & Multi-tenancy - Understanding tenant isolation, data separation, and multi-tenant access.
Permission scope per tenant
Permissions are always scoped to a single tenant:
- User permissions apply only within the tenant where they are granted
- Administrators can only manage users and permissions within their own tenant
- Cross-tenant data access is not possible
User provisioning via SCIM
LYNKS supports automated user provisioning using the SCIM 2.0 protocol, enabling centralized management of users and permissions through your identity provider (IdP).
Integration with identity providers
Supported identity providers:
- Azure AD / Entra AD
- Okta
User provisioning allows organizations to manage users centrally by integrating their external user directory directly with LYNKS. This integration automatically updates users and groups in LYNKS when making changes in your identity provider.
Provisioned users and groups
Users provisioned from an external IdP are marked in the LYNKS interface. Some user management actions are restricted for provisioned users, as their details are managed by the IdP:
- Personal details (name, email) are controlled by the IdP
- Group membership is synchronized from the IdP
- Authentication methods may be managed externally
Access and permissions can be managed either:
- Through the SCIM protocol (by adding/removing users to user groups defined in the IdP)
- Directly in LYNKS per user or user group
For detailed information about SCIM provisioning, see Automated user management via SCIM 2.0.
Related documentation
Explore these related sections to learn more about working with LYNKS:
Core Concepts:
- Platform Navigation - Detailed guide to the head-up display, table views, filters, and search functionality - Understanding the LYNKS interface and sidebar navigation
- Tenants & Multi-tenancy - Understanding tenant isolation, data separation, and multi-tenant access - Understanding tenant isolation and switching
- Feature Flags - Available features and enablement - Tenant-level feature enablement
- Approvals - How approval workflows and signature processes function - Understanding approval workflows and signatory rules
Platform Features:
- Action Center - Centralized task and approval management - Task and approval management interface
- User & Groups - User management and access configuration - User and group management in tenant settings
- Signatory Rules - Approval workflow configuration - Configuring approval workflows and signature requirements
Security & Authentication:
- Authentication Methods - Detailed setup and usage of SSO, LuxTrust, and mobile app authentication - SSO, LuxTrust, and LYNKS Mobile App authentication
- Digital Signatures - Transaction signing methods and legal validity - Transaction signing and authorization
- Compliance & Audit - Security features, audit trails, and regulatory compliance - Security features and audit trails
Support
For questions about permission configuration, user management, or access control in your LYNKS tenant, contact [email protected].
