Introduction to Role-Based Access Control (RBAC)

Noga Tubi

Torii User Roles & Permissions Guide

Torii users with the Admin role can customize the permissions for new and existing users in the Torii account.

A Role consists of:

  1. A unique name and description
  2. Scopes - The main pages and functionalities in Torii that are included in the role
  3. Access level - The permission level enabled for this scope.

Using Roles

The role defines the information the user is exposed to and limits users' actions in Torii's console.

There are two types of roles:

Pre-defined Roles

The pre-defined roles within Torii that cannot be edited or deleted are:

  1. Admin - has full access to all scopes, including the ability to create new roles, manage members and manage API keys
  2. Read-only - can view all data but can't take any action
  3. Procurement - Access level for procurement personnel in which they can view and update financial records without being exposed to employees' attributes
    For example, if you assign your finance/procurement managers the Procurement role, they will see overview information such as licenses, expenses, usage, and more, but will not be able to drill down to specific user information.

Custom Roles & Scopes 

Torii users with the Admin role can create custom roles, meaning they can create new roles with custom access levels and scopes.
Note that a new permission level of "No Access" was added to some of the scopes that hold sensitive information. 

  • Users Attributes - Determines whether the user assigned to this role will be exposed to information about the employee's application usage and employee details
  • Offboarding - Determines whether the role will be able to access offboarding data and create/edit offboarding workflows
  • Workflows - Determines whether the role will be able to access workflow logs and create/edit/trigger workflows

Scope Activity
  • Update application info, state, and owner
  • Hide and unhide applications
  • Add custom applications

User Attributes 

  • User details and application usage

License & chargeback

  • Update license costs
  • Configure chargeback


  • Upload and delete expense files
  • Archive and unarchive transactions
  • Edit expense rules


  • Add, edit and delete contracts


  • Create, edit and update workflows


  • Start, stop and re-open employee offboarding
  • Update offboarding configuration


  • Connect, disconnect, and sync integrations


Update company general settings from the Settings → General tab:

  • Company name
  • Outgoing email display name
  • Displayed currency
  • User lifecycle
  • Inactivity period
  • Sign out users on being idle
  • Extension mode

Application Catalog

  • Enable and disable application catalog access
  • Configure application catalog settings

Public Views

Create and edit applications and contracts for public views.
Users will always be able to delete views that were created by them even if Public View permission is taken from them after the view was created.

Create Torii custom role (RBAC)

The RBAC mechanism gives admins granular control over access and actions.

Torii admins can create custom roles that correspond to the organization's SaaS management methodology.
These roles will have access only to the information relevant to them.

Using custom roles, you can, for example, invite a member from the legal team to Torii's admin console with permission to view all contracts but with no permission to update information or view users' data.

Only users with the Admin role can create, edit and remove custom roles.
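
The role model described above, sketched as an added example (this is not Torii's code or API): a role maps scopes to one of the three access levels, pre-defined roles are immutable, and only Admin can save custom roles. The scope name "Contracts", the default of No access for unlisted scopes, and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Access(IntEnum):          # the three access levels named in the article
    NO_ACCESS = 0
    READ = 1
    TAKE_ACTION = 2             # assumption: Take action also implies Read

# "Contracts" is an assumed scope name; the others appear in the article.
SCOPES = ("Contracts", "User Attributes", "Offboarding", "Workflows")

@dataclass
class Role:
    name: str
    description: str
    scopes: dict = field(default_factory=dict)  # scope name -> Access
    predefined: bool = False

    def allows(self, scope, needed):
        # Assumption: a scope the role does not list defaults to No access.
        return self.scopes.get(scope, Access.NO_ACCESS) >= needed

class RoleStore:
    def __init__(self):
        self.roles = {
            "Admin": Role("Admin", "Full access",
                          {s: Access.TAKE_ACTION for s in SCOPES}, True),
            "Read-only": Role("Read-only", "View all data, no actions",
                              {s: Access.READ for s in SCOPES}, True),
        }

    def save_custom_role(self, actor_role, role):
        # Only the Admin role may save roles; pre-defined roles are immutable.
        if actor_role != "Admin":
            raise PermissionError("only Admin can manage custom roles")
        if role.name in self.roles and self.roles[role.name].predefined:
            raise PermissionError("pre-defined roles cannot be edited")
        self.roles[role.name] = role

def legal_reviewer():
    # The legal-team example: view contracts, no updates, no user data.
    return Role("Legal reviewer", "Read-only access to contracts",
                {"Contracts": Access.READ, "User Attributes": Access.NO_ACCESS})

if __name__ == "__main__":
    store = RoleStore()
    store.save_custom_role("Admin", legal_reviewer())
    role = store.roles["Legal reviewer"]
    for scope in SCOPES:
        print(scope, [lvl.name for lvl in Access if lvl and role.allows(scope, lvl)])
```

Listing every scope explicitly in a custom role, rather than relying on a default, makes a later review of who can reach User Attributes, Offboarding and Workflows data straightforward.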

Creating Custom Access Roles

  1. From the left sidebar menu, go to Settings >> Roles >> Add role button
  2. In Role name, we recommend giving the role a unique name.
  3. In Description, provide a meaningful role description.
    This will be used later when you assign users to roles.
  4. For each of the role's relevant scopes, select the access level: No access, Read, or Take action.
    See Torii User Roles (Permissions Guide) for a full roles description.

Edit/Delete Custom Access Roles

Only roles created by an admin (not pre-defined by Torii) can be edited or deleted by hovering over the role and selecting the edit/delete icons.

How to Assign a Role?

  1. Go to the Settings page
  2. Click on Team
  3. Select the user to whom you want to assign the role and select the role from the dropdown list

Additional Articles

Procurement Role- Permissions & Scopes
