Permission Matrices
AMS uses two configurable permission matrices to control what each role can do. Org owners configure these through the Settings UI — no code deployment required.
Two matrices, two scopes
| Matrix | Scope | Controls |
|---|---|---|
| System Permissions | Per organization | Org management, workspace creation, member/client/partner management, application setup |
| Application Permissions | Per workspace | What a role can do inside an application (view, edit, decide, upload) |
They are independent: a role can have CREATE_APPLICATION (system) but still be restricted to VIEW only inside individual applications (app permissions).
System Permissions
Configured at Organization Settings → Permissions. Controls org-level operations.
Default matrix
| Permission | SUPERADMIN | OWNER | ADMIN | MANAGER | MEMBER | CLIENT | DEVELOPER |
|---|---|---|---|---|---|---|---|
| MANAGE_ORG_PROFILE | ✓ | ✓ | ✓ | — | — | — | — |
| MANAGE_ORG_SETTINGS | ✓ | ✓ | ✓ | — | — | — | ✓ |
| CREATE_WORKSPACE | ✓ | ✓ | ✓ | — | — | — | — |
| MANAGE_WORKSPACES | ✓ | ✓ | ✓ | — | — | — | — |
| CREATE_TEAM | ✓ | ✓ | ✓ | — | — | — | — |
| MANAGE_TEAMS | ✓ | ✓ | ✓ | — | — | — | — |
| INVITE_MEMBERS | ✓ | ✓ | ✓ | — | — | — | — |
| MANAGE_MEMBERS | ✓ | ✓ | ✓ | — | — | — | — |
| INVITE_CLIENTS | ✓ | ✓ | ✓ | — | — | — | — |
| MANAGE_CLIENTS | ✓ | ✓ | ✓ | — | — | — | — |
| INVITE_PARTNERS | ✓ | ✓ | ✓ | — | — | — | — |
| MANAGE_PARTNERS | ✓ | ✓ | ✓ | — | — | — | — |
| CREATE_APPLICATION | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| DELETE_APPLICATION | ✓ | ✓ | ✓ | ✓ | — | — | ✓ |
| UNDERWRITE_APPLICATION | ✓ | ✓ | ✓ | ✓ | — | — | ✓ |
| VIEW_ALL_APPLICATIONS | ✓ | ✓ | ✓ | ✓ | ✓ | — | ✓ |
| MANAGE_APPLICATION_SETUP | ✓ | ✓ | ✓ | ✓ | — | — | ✓ |
| MANAGE_APPLICATION_PERMISSIONS | ✓ | ✓ | ✓ | — | — | — | ✓ |
| MANAGE_SYSTEM_PERMISSIONS | ✓ | ✓ | — | — | — | — | ✓ |
SUPERADMIN is always locked to all permissions and is not shown in the configuration UI.
What each permission controls
| Permission | What it gates |
|---|---|
| MANAGE_ORG_PROFILE | Edit org name, logo, and public-facing profile |
| MANAGE_ORG_SETTINGS | Storage connector configuration (under Connectors → Storage) |
| CREATE_WORKSPACE | Creating new workspaces |
| MANAGE_WORKSPACES | Renaming, deleting existing workspaces |
| CREATE_TEAM | Creating new teams |
| MANAGE_TEAMS | Updating team details, assigning teams to workspaces, deleting teams |
| INVITE_MEMBERS | Sending staff member invitations |
| MANAGE_MEMBERS | Changing member roles, removing members |
| INVITE_CLIENTS | Sending client invitations |
| MANAGE_CLIENTS | Updating client records, removing clients |
| INVITE_PARTNERS | Inviting partner organizations |
| MANAGE_PARTNERS | Updating or removing partner relationships |
| CREATE_APPLICATION | Submitting new applications |
| DELETE_APPLICATION | Permanently deleting applications |
| UNDERWRITE_APPLICATION | Taking underwriting actions on applications |
| VIEW_ALL_APPLICATIONS | Seeing all applications (not just own/assigned) |
| MANAGE_APPLICATION_SETUP | Creating and editing document definitions and application templates |
| MANAGE_APPLICATION_PERMISSIONS | Editing the Application Permissions matrix |
| MANAGE_SYSTEM_PERMISSIONS | Editing this System Permissions matrix |
Application Permissions
Configured at Application Setup → Roles & Permissions (per workspace). Controls what each role can do inside an application.
Default matrix
| Permission | SUPERADMIN | OWNER | ADMIN | MANAGER | MEMBER | CLIENT | DEVELOPER |
|---|---|---|---|---|---|---|---|
| VIEW | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| VIEW_DECISION | ✓ | ✓ | ✓ | ✓ | ✓ | — | ✓ |
| EDIT_INFO | ✓ | ✓ | ✓ | ✓ | — | — | ✓ |
| EDIT_APPLICANTS | ✓ | ✓ | ✓ | ✓ | — | — | ✓ |
| EDIT_APPLICANT_STATUS | ✓ | ✓ | ✓ | — | — | ✓ | — |
| UPLOAD_DOCUMENTS | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| WRITE_COMMENTS | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| MANAGE_DOCUMENTS | ✓ | ✓ | ✓ | ✓ | — | — | ✓ |
| DECIDE | ✓ | ✓ | ✓ | ✓ | — | — | ✓ |
SUPERADMIN and OWNER are always locked to all permissions. VIEW cannot be unchecked for any configurable role — every role that can access an application can at minimum see it.
What each permission controls
| Permission | What it gates |
|---|---|
| VIEW | Opening and reading the application |
| VIEW_DECISION | Seeing the current decision status and underwriting notes |
| EDIT_INFO | Changing the application title, description, and type |
| EDIT_APPLICANTS | Updating applicant roles and profile data |
| EDIT_APPLICANT_STATUS | Updating the status of an applicant within the application |
| UPLOAD_DOCUMENTS | Uploading files to document slots |
| WRITE_COMMENTS | Posting internal and external comments |
| MANAGE_DOCUMENTS | Adding, editing, or removing document slot definitions |
| DECIDE | Approving, rejecting, or transitioning the application status |
Locked vs configurable roles
Both matrices use the same concept:
- Locked (shown with a lock icon, always checked) — SUPERADMIN on both matrices; OWNER on Application Permissions. Cannot be changed.
- Configurable — all other roles. Changes take effect immediately for all members with that role in the given org/workspace.
Sidebar visibility
System Permissions also drive which navigation items are visible to a user. If a role does not have MANAGE_APPLICATION_SETUP, the Application Setup section is hidden from the sidebar. If a role does not have MANAGE_SYSTEM_PERMISSIONS, the Permissions settings page is not shown. Hiding an entry only removes the navigation link; the operations behind it remain gated by the permission itself, exactly as listed in the tables above.
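The following TypeScript is an added worked example, not AMS code: it models the two-matrix design from "Two matrices, two scopes", the locked-role rules from "Locked vs configurable roles", and the sidebar derivation just described. The rows are a subset of the page's default matrices in the page's column order; the function names, the `Matrix` shape and the `Scope` type are this example's own assumptions, not the product's API.

```typescript
// Added example, not AMS code: a model of the two permission matrices, the
// locked-role rules and the sidebar derivation described on this page.
// Function names and the Matrix shape are assumptions; the rows are a subset
// of the page's default matrices, copied in the page's column order.

type Role = "SUPERADMIN" | "OWNER" | "ADMIN" | "MANAGER" | "MEMBER" | "CLIENT" | "DEVELOPER";
const ROLES: Role[] = ["SUPERADMIN", "OWNER", "ADMIN", "MANAGER", "MEMBER", "CLIENT", "DEVELOPER"];

// A matrix maps each permission to the roles that currently hold it.
type Matrix = { [perm: string]: Role[] };

// Build a matrix from "✓"/"—" strings laid out in the same column order as the page's tables.
function buildMatrix(rows: { [perm: string]: string }): Matrix {
  const m: Matrix = {};
  for (const perm of Object.keys(rows)) {
    const granted: Role[] = [];
    rows[perm].split("").forEach((mark, i) => {
      if (mark === "✓") granted.push(ROLES[i]);
    });
    m[perm] = granted;
  }
  return m;
}

// Subset of the default System Permissions matrix (per organization).
function defaultSystemMatrix(): Matrix {
  return buildMatrix({
    CREATE_APPLICATION:        "✓✓✓✓✓✓✓",
    DELETE_APPLICATION:        "✓✓✓✓——✓",
    VIEW_ALL_APPLICATIONS:     "✓✓✓✓✓—✓",
    MANAGE_APPLICATION_SETUP:  "✓✓✓✓——✓",
    MANAGE_SYSTEM_PERMISSIONS: "✓✓————✓",
  });
}

// Subset of the default Application Permissions matrix (per workspace).
function defaultAppMatrix(): Matrix {
  return buildMatrix({
    VIEW:             "✓✓✓✓✓✓✓",
    VIEW_DECISION:    "✓✓✓✓✓—✓",
    EDIT_INFO:        "✓✓✓✓——✓",
    UPLOAD_DOCUMENTS: "✓✓✓✓✓✓✓",
    DECIDE:           "✓✓✓✓——✓",
  });
}

function holds(m: Matrix, role: Role, perm: string): boolean {
  return (m[perm] || []).indexOf(role) >= 0; // unknown permission => deny
}

// System check: SUPERADMIN is locked to every permission and is never looked up in the matrix.
function hasSystemPermission(m: Matrix, role: Role, perm: string): boolean {
  return role === "SUPERADMIN" || holds(m, role, perm);
}

// Application check: SUPERADMIN and OWNER are locked to every permission here.
function hasAppPermission(m: Matrix, role: Role, perm: string): boolean {
  return role === "SUPERADMIN" || role === "OWNER" || holds(m, role, perm);
}

type Scope = "system" | "app";

// Each action is checked against the matrix that owns it. The matrices are independent,
// so a role that may create applications (system) can still lack DECIDE inside one (app).
function authorize(sys: Matrix, app: Matrix, role: Role, scope: Scope, perm: string): boolean {
  return scope === "system" ? hasSystemPermission(sys, role, perm) : hasAppPermission(app, role, perm);
}

// Edit one cell of a matrix the way the Settings UI would, honouring the locked rules.
// Returns null on success or the reason the change is refused. Edits apply in place,
// matching "changes take effect immediately".
function setPermission(scope: Scope, m: Matrix, role: Role, perm: string, granted: boolean): string | null {
  const locked: Role[] = scope === "system" ? ["SUPERADMIN"] : ["SUPERADMIN", "OWNER"];
  if (locked.indexOf(role) >= 0) return `${role} is locked on the ${scope} matrix`;
  if (scope === "app" && perm === "VIEW" && !granted) return "VIEW cannot be unchecked";
  const roles = m[perm];
  if (!roles) return `unknown permission ${perm}`;
  const i = roles.indexOf(role);
  if (granted && i < 0) roles.push(role);
  if (!granted && i >= 0) roles.splice(i, 1);
  return null;
}

// Navigation entries derived from system permissions. This only decides what is drawn;
// authorize() above is what gates the operation itself.
function visibleSidebarSections(sys: Matrix, role: Role): string[] {
  const sections: string[] = [];
  if (hasSystemPermission(sys, role, "MANAGE_APPLICATION_SETUP")) sections.push("Application Setup");
  if (hasSystemPermission(sys, role, "MANAGE_SYSTEM_PERMISSIONS")) sections.push("Permissions");
  return sections;
}

// Walk the scenario from "Two matrices, two scopes": a MEMBER may create applications
// but, with the defaults, may not decide on one.
const demoSys = defaultSystemMatrix();
const demoApp = defaultAppMatrix();
console.log(authorize(demoSys, demoApp, "MEMBER", "system", "CREATE_APPLICATION")); // true
console.log(authorize(demoSys, demoApp, "MEMBER", "app", "DECIDE"));                // false
console.log(visibleSidebarSections(demoSys, "MANAGER"));                             // [ 'Application Setup' ]
```

Two design choices worth noting: an unknown permission name is denied rather than granted, so a typo in a check can never widen access, and the locked-role rules are enforced where the matrix is edited, so no configuration path can produce a state the check functions would then have to special-case.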
See also
- Roles & Permissions — role definitions, cascading, data scoping
- Developer guide: Permission matrices — entities, services, @PreAuthorize patterns, frontend hooks