Passfort user permissions

Permissions provide the user or team members with different levels of access to areas of the Passfort product. They are assigned to users through their individual or team roles.

The access types are:

No access: The user or team members cannot see the area of the product at all.
Read-only: Limited access to the area of the product.
Read and write: Full access to the area of the product.

What users and team members can do with read-only and read and write access is different for each permission.

Product applications

Access for the Product application permission is assigned per product:

Permission	Access types
One permission is displayed for each product	No access: Profiles with product applications for this product only are not displayed. If No access is assigned for all products, the Profiles tab is not displayed. Read-only: See all profiles with product applications for this product. Add files and comments to profile conversations. See tasks and check results. Add files and notes to task notes. Assign product applications to users and teams. Read and write Add new product applications for the specified product. Approve, reject, or cancel product applications. Create and apply decision reasons. Pass/fail/incomplete tasks. Run checks. Edit applicant profiles. Plus, all permissions that are assigned to users with Read-only access. Caution Users with Read-only or Read and write access to any of the profile's product applications can see all of the profile's product applications and associated tasks and the full history of all product applications in the audit report. However, they can't act on product applications they don't have permission for, such as approving/rejecting the product application, passing/failing tasks, or running checks.

Permission

Access types

One permission is displayed for each product

No access: Profiles with product applications for this product only are not displayed.
If No access is assigned for all products, the Profiles tab is not displayed.
Read-only:
- See all profiles with product applications for this product.
- Add files and comments to profile conversations.
- See tasks and check results.
- Add files and notes to task notes.
- Assign product applications to users and teams.
Read and write
- Add new product applications for the specified product.
- Approve, reject, or cancel product applications.
- Create and apply decision reasons.
- Pass/fail/incomplete tasks.
- Run checks.
- Edit applicant profiles.
- Plus, all permissions that are assigned to users with Read-only access.
Caution
Users with Read-only or Read and write access to any of the profile's product applications can see all of the profile's product applications and associated tasks and the full history of all product applications in the audit report. However, they can't act on product applications they don't have permission for, such as approving/rejecting the product application, passing/failing tasks, or running checks.

Reports

Permission	Access types
All reports	No access: The Reports tab is not displayed. Read-only: See reports for product applications, tasks, and checks.
Export data	No access: The button to export report data from the Applications overview section is disabled. Read-only: Export report data from applications and check reports. Note that to do this, you also need Read-only access for the All reports permission because this is what enables you to see the reports.

Smart policies

Permission	Access types
Policy builder	No access: The Policy Builder tab is not displayed. Read-only: See your smart policy configuration details, such as data provider setup and task configuration. Read and write: Edit your configuration details, review and publish changes to your smart policy.
Policy export	No access: The Export option is not displayed on your policy version history page. Read-only: Export the smart policy configuration for your institution.
Policy import	No access: The Import policy option is not displayed on your policy version history page. Read and write: Import a smart policy configuration that has been exported from another institution into your institution.

User management

Permission	Access types
Manage users	No access: The Manage users section is not displayed on the User Management tab. Read-only: See all users on your account, along with their personal details and user roles. Read and write: Add users. Deactivate or reactivate users. Edit user details. Assign roles to users and teams. Reset user passwords. Plus, all permissions that are assigned to users with Read-only access.
Manage roles	No access: The Manage roles section is not displayed on the User Management tab. If No access is assigned for Manage users and Manage roles, the User Management tab is not displayed. Read-only: See all roles for your account. Read and write: Create/edit/delete user roles. Plus, all permissions that are assigned to users with Read-only access.

Developer tools

Permission	Access types
Master API key	No access: The API key section is not displayed on the Manage account menu. Read-only: Get the key(s) used to make calls to the Passfort API. Read and write: Issue/revoke API keys.
Webhook config	No access: The Webhook config section is not displayed on the Manage account menu. Read and write: Configure/edit webhooks.
IP allow list	No access: The IP allow listing section is not displayed on the User Management tab. Read-only: See all IP addresses on the allow list. Read and write: Enable/disable IP allow listing. Add/remove IP addresses and ranges. Edit descriptions for IP addresses and ranges.

Data protection

Permission	Access types
Permanently delete profiles	No access: The Delete this profile option is not displayed on profiles. Read and write: Permanently delete profiles using the Delete this profile option. Caution Deleting profiles is a permanent action, and the profile cannot be recovered. We recommend only enabling this option for users who need to delete profiles to meet GDPR requirements. For profiles that may be needed at a later date, we recommend rejecting or canceling the product application, which removes it from the Profiles tab. To permanently delete a profile, the user must also have Read-only or Read and write access for the profile's product for the Product applications permission.
Permanently delete files	No access: The Delete file option is not displayed for profile files. Read and write: Permanently delete profile files using the Delete file option. These files will be inaccessible and will not be recoverable via the portal or the API. We recommend only enabling this option for users who need to delete files to meet GDPR requirements.

Permission

Access types

Permanently delete profiles

No access: The Delete this profile option is not displayed on profiles.
Read and write: Permanently delete profiles using the Delete this profile option.
Caution
Deleting profiles is a permanent action, and the profile cannot be recovered. We recommend only enabling this option for users who need to delete profiles to meet GDPR requirements. For profiles that may be needed at a later date, we recommend rejecting or canceling the product application, which removes it from the Profiles tab.

To permanently delete a profile, the user must also have Read-only or Read and write access for the profile's product for the Product applications permission.

Permanently delete files

No access: The Delete file option is not displayed for profile files.
Read and write: Permanently delete profile files using the Delete file option. These files will be inaccessible and will not be recoverable via the portal or the API. We recommend only enabling this option for users who need to delete files to meet GDPR requirements.

Additional information

Create, edit, and delete roles

In this section: