Skip to main content

Roles & Access

How roles work

Zeno uses roles to control who can do what in your account. The person who creates the account becomes the Owner and can invite others with different roles.

Available roles

Owner

Full control of the account

Can do everything:

  • Invite and remove team members
  • Assign and change roles
  • Connect and disconnect storage
  • View all documents and audit logs
  • Export everything
  • Manage billing and subscriptions

Important: There's always exactly one Owner. Ownership can be transferred but never shared.

Admin (Delegated Admin)

Manages day-to-day operations

Can do most things:

  • Invite team members (but can't remove Owner)
  • Manage document workflows
  • Connect storage (with Owner approval)
  • View and export documents
  • Access audit logs (limited scope)

Cannot:

  • Change Owner
  • Delete the account
  • View all audit events (only relevant ones)

Accountant

Reviews and exports financial data

Can:

  • View all documents
  • Review and confirm documents
  • Export registry
  • View reconciliation data

Cannot:

  • Upload documents
  • Invite team members
  • Change settings
  • Access full audit logs

Employee

Works with documents

Can:

  • Upload documents
  • Review own uploads
  • View documents they have access to
  • Confirm documents (if allowed)

Cannot:

  • Invite others
  • Change settings
  • Export data
  • View audit logs

Bank Viewer

Limited read-only access

Can:

  • View specific documents (when granted)
  • See registry for specific periods

Cannot:

  • Upload or modify anything
  • Export data
  • See other team members
  • Access settings

Auditor

Read-only access for compliance

Can:

  • View documents and registry
  • Access audit logs
  • Export for audit purposes

Cannot:

  • Modify anything
  • Upload documents
  • Change settings

What each role can see

Documents

  • Owner, Admin, Accountant: All documents
  • Employee: Documents they uploaded or were shared with them
  • Bank Viewer: Only documents explicitly granted
  • Auditor: All documents (read-only)

Audit logs

  • Owner: Everything
  • Admin: Most events (not ownership changes)
  • Accountant: Document and financial events
  • Employee, Bank Viewer: Nothing
  • Auditor: Everything (read-only)

Settings

  • Owner: Everything
  • Admin: Most settings (not billing or ownership)
  • Others: Nothing

Common scenarios

"Access denied"

What it means: Your role doesn't allow this action.

Common reasons:

  • You're trying to invite someone (need Admin or Owner)
  • You're trying to export (need Accountant, Admin, or Owner)
  • You're trying to change settings (need Admin or Owner)

What to do: Ask the Owner or Admin to either:

  • Do the action for you
  • Change your role if you need this regularly

What it means: Storage access needs permission.

Who can fix it:

  • Owner or Admin can reconnect storage
  • You need to grant consent when asked

What to do:

  1. Ask Owner/Admin to reconnect storage
  2. Grant consent when the popup appears
  3. Try your action again

"Can't see audit logs"

What it means: Your role doesn't include audit access.

Who can see audit logs:

  • Owner: Everything
  • Admin: Most events
  • Accountant: Financial events
  • Auditor: Everything (read-only)

What to do: Ask the Owner if you need audit access for your work.

Inviting team members

Who can invite:

  • Owner (can invite anyone)
  • Admin (can invite everyone except other Admins)

How it works:

  1. Owner/Admin sends invite to email address
  2. Person receives email with link
  3. They click link and create account (or sign in)
  4. They're added to your account with assigned role

Important:

  • Invite expires after 7 days
  • Person must use the invited email address
  • They need to verify their email

Learn more about invites →

Changing roles

Who can change roles:

  • Only Owner can change anyone's role
  • Admin can change Employee roles

How it works:

  1. Owner goes to team settings
  2. Selects person
  3. Changes role
  4. Person's access updates immediately

Important:

  • Can't change Owner role (must transfer ownership)
  • Can't remove last Admin if Owner is inactive

Removing team members

Who can remove:

  • Owner can remove anyone
  • Admin can remove Employees

What happens:

  • Person loses access immediately
  • Their documents stay in the account
  • Their confirmations remain valid
  • Audit log shows who removed them

What Zeno does NOT do

No automatic role changes: Zeno never changes your role without explicit action from Owner/Admin.

No hidden permissions: Every role's permissions are clearly defined. No surprises.

No backdoors: Even Zeno support can't access your account without your permission.

What's next