User Roles & Permissions Overview

SOPHIOS uses a role-based access control (RBAC) system to ensure users have appropriate access to features and data.

Available Roles

SOPHIOS offers five base user roles, each with specific permissions and capabilities, plus Custom Roles that organizations can define:

👑Owner

Full access to all features, settings, and data

⚙️Admin

Administrative access with some financial limitations

💼Accountant

Financial management and invoice processing focus

🔧Manager

Operational management (crew, equipment, maintenance)

👁️Viewer

Read-only access to reports and data

Permissions Matrix

Quick reference for role capabilities:

Feature	Owner	Admin	Accountant	Manager	Viewer
Assets
Create/Edit Assets	✅	✅	❌	❌	❌
View Assets	✅	✅	✅	✅	✅
Delete Assets	✅	✅	❌	❌	❌
Financial
Upload Invoices	✅	✅	✅	✅	❌
Edit Invoices	✅	✅	✅	⚠️	❌
Approve Invoices	✅	✅	✅	❌	❌
Delete Invoices	✅	✅	⚠️	❌	❌
Create Budgets	✅	✅	✅	❌	❌
Edit Budgets	✅	✅	✅	❌	❌
Crew & HR
Add Employees	✅	✅	❌	✅	❌
Edit Employees	✅	✅	❌	✅	❌
Delete Employees	✅	✅	❌	⚠️	❌
Create Payroll	✅	✅	✅	❌	❌
Approve Payroll	✅	✅	❌	❌	❌
Operations
Add Equipment	✅	✅	❌	✅	❌
Schedule Maintenance	✅	✅	❌	✅	❌
Approve Maintenance	✅	✅	⚠️	⚠️	❌
Reports
View Reports	✅	✅	✅	✅	✅
Export Data	✅	✅	✅	✅	❌
Administration
Manage Users	✅	✅	❌	❌	❌
Assign Permissions	✅	✅	❌	❌	❌
System Settings	✅	⚠️	❌	❌	❌

Legend:

✅ Full access - Complete permissions for this feature
⚠️ Limited - Partial access with restrictions
❌ No access - Cannot use this feature

Role Descriptions

👑 Owner

Primary Use Case: Asset owner, family office principal

Key Capabilities:

Complete control over organization
Manage all users and permissions
Access to all features and data
Financial approval authority
System-level settings

Typical Users:

Asset owner
Family office principal
Managing director

Learn more about Owner role →

⚙️ Admin

Primary Use Case: Operations director, chief of staff

Key Capabilities:

Administrative access to most features
User and permission management
Asset and operational management
Limited financial approval (depending on policy)
System configuration

Typical Users:

Operations director
Chief of staff
Senior management

Key Difference from Owner:

Cannot delete organization
Limited access to financial approvals (configurable)
Cannot change Owner role assignments

Learn more about Admin role →

💼 Accountant

Primary Use Case: Financial manager, accountant, CFO

Key Capabilities:

Full financial management
Invoice processing and approval
Budget creation and tracking
Payroll processing and approval
Financial reporting

Restrictions:

No asset creation/deletion
No crew management (non-financial)
No equipment/maintenance management

Typical Users:

Chief Financial Officer (CFO)
Accountant
Financial manager
Bookkeeper

Learn more about Accountant role →

🔧 Manager

Primary Use Case: Operations manager, captain, facility manager

Key Capabilities:

Crew management (hiring, termination, status)
Equipment catalog management
Maintenance scheduling
Trip planning
Operational reporting

Restrictions:

No financial approvals
No budget management
No user administration

Typical Users:

Yacht captain
Property manager
Fleet manager
Operations manager

Learn more about Manager role →

👁️ Viewer

Primary Use Case: Consultant, advisor, auditor, family member

Key Capabilities:

View all data and reports
Access analytics dashboards
Read invoices, budgets, crew info
View equipment and maintenance

Restrictions:

Cannot create, edit, or delete anything
Cannot export data
Cannot approve workflows
Read-only access only

Typical Users:

Family members (visibility only)
External consultants
Auditors
Advisors

Learn more about Viewer role →

Asset-Level Permissions

In addition to role-based permissions, SOPHIOS offers asset-level access control.

How It Works

Each user can be granted access to specific assets with granular permissions:

Permission Types:

canView - View asset data
canEdit - Modify asset information
canLoadInvoices - Upload invoices for this asset
canVerifyInvoices - Verify invoice data
canApproveInvoices - Approve invoices for payment
canExecuteInvoices - Mark invoices as executed
canDeleteInvoices - Delete invoices
canExport - Export data

Use Cases

Example 1: Multi-Asset Portfolio

Accountant has access to “Yacht A” and “Jet B”
But no access to “Property C” (different accountant)

Example 2: Regional Teams

Mediterranean crew manager accesses “Yacht A”
Caribbean crew manager accesses “Yacht B”
Fleet manager accesses all assets

Example 3: Family Sharing

Father (Owner) - Full access to all assets
Son (Manager) - Access to “Jet A” only
Daughter (Viewer) - View-only access to all assets

Assigning Roles

For New Users

When inviting users:

Navigate to Users menu
Click “Invite User”
Enter email address
Select role from dropdown
Choose asset access
Set permissions (canView, canEdit, etc.)
Click “Send Invitation”

Changing Existing User Roles

Go to Users list
Click user to edit
Click “Change Role”
Select new role
Confirm change

⚠️

Important: Role changes take effect immediately. Changing a user’s role may grant or revoke significant permissions.

Permission Inheritance

Organization-Level

Owner - Inherits all permissions automatically
Admin - Inherits most permissions with some exclusions
Other Roles - Inherit specific permission sets

Asset-Level

Asset permissions override organization permissions:

User might be Admin (org level)
But only Viewer for specific asset (asset level)
Asset-level permission takes precedence

Best Practices

✨

Security Recommendations

Principle of Least Privilege

Grant only the permissions users need:

Start with lower permissions
Upgrade as needed
Regularly review user access

Regular Audits

Review permissions quarterly:

Remove inactive users
Downgrade unnecessary access
Verify role assignments

Separation of Duties

Distribute sensitive permissions:

Financial Approval - Separate from data entry
User Management - Limit to trusted admins
Asset Deletion - Require Owner approval

Asset Access

Be strategic with asset assignments:

Grant access only to relevant assets
Use asset permissions for contractors
Review asset access when team changes

Special Scenarios

Multiple Owners

Organizations can have multiple Owner-role users:

All Owners have equal permissions
Any Owner can manage other Owners
Use sparingly for security

⚠️

Caution: Multiple Owners increase security risk. Limit to 2-3 trusted individuals.

External Accountants

For third-party accountants:

Assign Accountant role
Grant access to specific assets only
Use canExport carefully (data security)
Set expiration dates if possible

Temporary Access

For contractors or consultants:

Assign Viewer or Manager role
Limit to specific assets
Remove access when contract ends
Export data before removal if needed

Permission Conflicts

When Roles Conflict

If a user has multiple role-like permissions:

More permissive wins - User gets higher access
Asset level overrides org level - Asset permissions take precedence

Example:

User is Admin (org level) - can edit all assets
User has Viewer permission for “Yacht A” (asset level)
Result: Can edit all assets EXCEPT “Yacht A” (view only)

Audit Trail

All permission changes are logged:

Who made the change
What was changed
When it happened
Previous and new values

Access audit logs:

Go to Users
Select user
Click “Audit Log” tab

Common Questions

Can I create custom roles?

Yes. Organizations can define custom roles with specific permission sets tailored to their needs. Go to organization settings to create and manage custom roles. See Custom Roles for details.

Can one user have multiple roles?

No. Each user has exactly one role. However, asset-level permissions provide flexibility.

How do I prevent unauthorized access?

Use appropriate roles
Limit Owner/Admin roles
Regular permission audits
Enable two-factor authentication (coming soon)

What happens if I delete a user?

User loses all access immediately
Data created by user remains
Audit trail preserved
User can be re-invited later

📚

Learn more about specific roles:

Private Infrastructure Custom Roles & Permissions