Roles & access

Access in Zeno CY is workspace-scoped and enforced both in the UI and on the backend. Every screen knows which role is sitting in front of it and refuses actions outside that role's scope.

The current role set

Owner

Full control of the workspace:

• workspace settings,
• billing controls,
• team invites and role changes,
• full audit visibility.

Admin

Operational management role:

• runs the core workflows (documents, registry, transactions),
• has access to the audit log,
• cannot perform ownership-level governance actions (those stay with Owner).

Accountant

Finance operations role:

• documents and registry workflows,
• exports and review tasks,
• does not have full audit-log access.

Auditor

Read-focused compliance role:

• audit log access,
• read-only usage for compliance review.

Bank

External read scope for controlled sharing — for example, when a banking counterpart needs to see specific statement lines without anything else. Access is intentionally limited.

Audit visibility policy

The audit page is accessible to:

• owner
• admin
• auditor

Other roles see restricted access messaging. This is deliberate — the audit log only stays defensible if access to it is deliberate.

Invite policy

Only the Owner can send team invites from Settings. The whole flow is described in Onboarding & invites.

Access-denied troubleshooting

If you see a permission error:

1. Check your assigned role in Settings.
2. Ask the Owner to confirm whether your role should include the action.
3. Re-login after any role change — the new scope only takes effect on the next session.
4. Retry the same action.

If the error persists, include the request_id and the page path when contacting me. Saves a back-and-forth.

Related

• Workspace settings
• Audit trail
• Errors & Troubleshooting