Custom Roles & Asset Permissions
Beyond the 5 base roles, SOPHIOS allows organizations to define custom roles with specific permission flags and assign asset-level permissions for fine-grained access control.
Base Roles
SOPHIOS comes with 5 built-in roles:
| Role | Primary Use |
|---|---|
| Owner | Full access to all features, settings, and data |
| Admin | Administrative access with some financial limitations |
| Accountant | Financial management — invoices, budgets, payroll |
| Manager | Operational management — crew, equipment, maintenance |
| Viewer | Read-only access to reports and data |
For a detailed permissions matrix, see the Roles Overview.
Custom Roles
Organizations can create their own roles with a specific combination of permission flags. Custom roles are useful when the base roles do not match a user’s responsibilities.
Creating a Custom Role
1. Navigate to Administration: Go to Administration > Roles in the sidebar.
2. Click “New Role”: Open the role creation form.
3. Name and Configure: Give the role a descriptive name (e.g., “Fleet Coordinator,” “Financial Auditor”) and toggle the permission flags you want to grant.
4. Save: The role is immediately available for assignment to users.
Available Permission Flags
Custom roles are configured using the following permission flags:
General Permissions:
| Flag | Description |
|---|---|
| canRead | View data across the platform |
| canWrite | Create and edit records |
| canDelete | Delete records |
Invoice-Specific Permissions:
| Flag | Description |
|---|---|
| canViewInvoices | View invoice data and documents |
| canVerifyInvoices | Mark invoices as verified after OCR or manual review |
| canApproveInvoices | Approve invoices for payment |
| canExecuteInvoices | Mark invoices as executed (paid) |
| canDeleteInvoices | Permanently delete invoice records |
Custom roles override the base system role when assigned to a user. If a user has both a base role (e.g., Manager) and a custom role, the custom role permissions take precedence.
Example Custom Roles
Fleet Coordinator
- canRead, canWrite
- canViewInvoices, canVerifyInvoices
- Cannot approve or execute invoices
Financial Auditor
- canRead
- canViewInvoices
- Cannot modify or approve anything — strictly read-only with invoice visibility
Asset-Level Permissions
In addition to organization-wide roles, SOPHIOS supports per-asset granular permissions through the UserAssetPermission system. This allows you to control exactly what each user can do on each specific asset.
Permission Types
| Permission | What It Controls |
|---|---|
| canView | View asset data, invoices, crew, and reports for this asset |
| canEdit | Modify asset information, add invoices, update records |
| canApprove | Approve invoices and workflows for this asset |
| canDelete | Delete records belonging to this asset |
| canExport | Export data and reports for this asset |
How Asset Permissions Work
Asset-level permissions override the user’s organizational role for that specific asset.
Example: A user with the Manager role can normally edit all assets they have access to. But if they have asset-level permissions set to canView: true, canEdit: false for “Yacht Aurora,” they can only view — not edit — that specific yacht’s data, while retaining full Manager capabilities on other assets.
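The two precedence rules above (a custom role takes precedence over the base role; a per-asset UserAssetPermission record overrides the organizational role for that asset) are easy to get wrong in an authorization check, so here is a small model of them as an added example. This is not SOPHIOS code. The flag sets for the five base roles and the mapping from an action to its role flag and asset flag are assumptions (the page defers the real matrix to the Roles Overview), as is the deny-by-default reading that a per-asset record denies every flag it does not explicitly grant. User and asset names are constructed.

```python
"""Toy model of the precedence rules described on this page (added example,
not SOPHIOS code): a custom role takes precedence over the base role, and a
per-asset UserAssetPermission record overrides the organizational role for
that asset. Base-role flag sets and the action-to-flag mapping are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

# Assumed flag sets for the five base roles (the page describes them only in prose).
BASE_ROLES: Dict[str, Set[str]] = {
    "Owner": {"canRead", "canWrite", "canDelete", "canViewInvoices",
              "canVerifyInvoices", "canApproveInvoices", "canExecuteInvoices",
              "canDeleteInvoices"},
    "Admin": {"canRead", "canWrite", "canDelete", "canViewInvoices",
              "canVerifyInvoices"},
    "Accountant": {"canRead", "canWrite", "canViewInvoices", "canVerifyInvoices",
                   "canApproveInvoices", "canExecuteInvoices"},
    "Manager": {"canRead", "canWrite", "canViewInvoices"},
    "Viewer": {"canRead"},
}

# The two example custom roles exactly as the page lists them.
CUSTOM_ROLES: Dict[str, Set[str]] = {
    "Fleet Coordinator": {"canRead", "canWrite", "canViewInvoices", "canVerifyInvoices"},
    "Financial Auditor": {"canRead", "canViewInvoices"},
}

# Assumed mapping: action -> (role flag required, asset-level flag that overrides it).
ACTIONS = {
    "view": ("canRead", "canView"),
    "edit": ("canWrite", "canEdit"),
    "verify_invoice": ("canVerifyInvoices", "canEdit"),
    "approve_invoice": ("canApproveInvoices", "canApprove"),
    "delete": ("canDelete", "canDelete"),
    "export": ("canRead", "canExport"),
}


@dataclass
class User:
    name: str
    base_role: str
    custom_role: Optional[str] = None
    # asset name -> flags explicitly set in that asset's UserAssetPermission record
    asset_permissions: Dict[str, Dict[str, bool]] = field(default_factory=dict)


def effective_role_flags(user: User) -> Set[str]:
    """Custom role takes precedence over the base role (assumed: it replaces
    the base role's flags entirely rather than merging with them)."""
    if user.custom_role is not None:
        return CUSTOM_ROLES[user.custom_role]
    return BASE_ROLES[user.base_role]


def is_allowed(user: User, action: str, asset: str) -> bool:
    """Decide one action on one asset. A per-asset record, when present, is
    authoritative for that asset: flags it does not grant are denied (assumed
    deny-by-default), so the role is consulted only when no record exists."""
    role_flag, asset_flag = ACTIONS[action]
    record = user.asset_permissions.get(asset)
    if record is not None:
        return record.get(asset_flag, False)
    return role_flag in effective_role_flags(user)


def effective_matrix(user: User, assets: Iterable[str]) -> Dict[str, Dict[str, bool]]:
    """Per-asset view of what a user can actually do, useful for the periodic
    permission review the page recommends."""
    return {asset: {action: is_allowed(user, action, asset) for action in ACTIONS}
            for asset in assets}


if __name__ == "__main__":
    # Constructed sample: the Manager from the page with a view-only record on one yacht.
    petra = User("Petra", "Manager",
                 asset_permissions={"Yacht Aurora": {"canView": True, "canEdit": False}})
    for asset, perms in effective_matrix(petra, ["Yacht Aurora", "Jet Falcon"]).items():
        print(asset, perms)
```

Running the block prints Petra's effective permissions on both assets: edit is denied on Yacht Aurora because of the per-asset record, and allowed on Jet Falcon where only her Manager role applies. The same check shows that a user holding the Financial Auditor custom role cannot edit even when their base role is Accountant, because the custom role is what counts.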
Assigning Asset Permissions
1. Go to Administration > Users: Open the user management page.
2. Select a User: Click on the user you want to configure.
3. Click “Asset Permissions”: Open the asset-level permissions panel.
4. Configure Per Asset: For each asset, toggle the specific permissions (canView, canEdit, canApprove, canDelete, canExport).
5. Save: Changes take effect immediately.
Use Cases
A family office manages a yacht, a jet, and three properties. Each has a different accountant:
- Accountant A — canView + canApprove for Yacht and Jet
- Accountant B — canView + canApprove for Properties only
- Family principal — Owner role with access to all assets
Assigning Custom Roles to Users
1. Navigate to Administration > Users: Open the user list.
2. Select the User: Click on the user you want to modify.
3. Click “Assign Role”: Choose between a base role or a custom role from the dropdown.
4. Confirm: The new role takes effect immediately.
Use the principle of least privilege — give users only the permissions they need for their specific assets. Start with minimal access and expand as needed. Review permissions regularly.
Related Pages:
- Roles Overview — Base roles and permissions matrix
- Private AI Infrastructure — Security and access control details