Inviting users
Navigate to Settings → Users and click Invite User. Enter the person’s email address, select a role, and optionally restrict their access to specific entities.
Arvexi sends an invitation email with a secure link. Invitations expire after 7 days. If the link expires before the user accepts, an admin can resend the invitation from the Users page. Expired invitations cannot be used. Each resend generates a new token.
The invitation flow:
- Admin enters email and selects role and entity access.
- Arvexi sends an invitation email with a one-time link.
- The invitee clicks the link, sets their password, and configures two-factor authentication (required for all accounts).
- The account becomes active. The admin can see the user’s status change from “Invited” to “Active” on the Users page.
Roles
Arvexi has three built-in roles, each with progressively broader permissions:
- User: Can view and work on reconciliations, close tasks, and leases assigned to them or within their entity scope. Cannot change settings, manage other users, or approve their own work.
- Manager: Everything a User can do, plus the ability to approve reconciliations, certify close periods, activate leases, and run reports across their entity scope. Cannot manage organization-level settings.
- Admin: Full access to all features, settings, and entities. Can manage users, configure integrations, define entity hierarchies, and modify the chart of accounts. At least one Admin is required per organization.
Roles are assigned at invitation time and can be changed later by any Admin. Role changes take effect immediately. The user does not need to log out and back in.
Entity-level access
Beyond roles, you can restrict a user’s access to specific entities in your hierarchy. Entity access uses two permission levels:
- READ: The user can view data for the entity (reconciliations, balances, reports) but cannot create, edit, or approve anything.
- WRITE: The user can view, create, edit, and work on records for the entity. WRITE includes READ automatically.
Entity access is additive. If you grant a user WRITE access to “US Operations” and READ access to “EMEA Holdings,” they can work on US records and view EMEA records. They cannot see data for any entity not explicitly granted.
When a user has access to a parent entity, they automatically inherit access to all child entities below it. To grant access to an entire region, assign the parent entity rather than each child individually.
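The access rules above can be modeled for an access review as follows. This is an added example, not Arvexi's code: it assumes a child inherits the same level that was granted on its parent, and that the higher level wins when several grants apply. The hierarchy is constructed, and every entity name other than "US Operations" and "EMEA Holdings" is hypothetical.

```python
from enum import IntEnum

class Level(IntEnum):
    READ = 1
    WRITE = 2  # WRITE includes READ, so it orders above READ

# Constructed hierarchy (child -> parent). Only "US Operations" and
# "EMEA Holdings" appear on the page; the other names are hypothetical.
PARENT = {
    "US Operations": "Global",
    "EMEA Holdings": "Global",
    "APAC Holdings": "Global",
    "US East": "US Operations",
    "US West": "US Operations",
    "EMEA UK": "EMEA Holdings",
}

def ancestors(entity, parent=PARENT):
    """Yield the entity itself, then each ancestor up to the root."""
    seen = set()
    while entity is not None and entity not in seen:  # guard against cycles
        seen.add(entity)
        yield entity
        entity = parent.get(entity)

def effective_level(grants, entity, parent=PARENT):
    """Highest level granted on the entity or an ancestor; None means no access."""
    levels = [grants[e] for e in ancestors(entity, parent) if e in grants]
    return max(levels) if levels else None

def can(grants, entity, needed, parent=PARENT):
    """True if the effective level on the entity covers the needed level."""
    level = effective_level(grants, entity, parent)
    return level is not None and level >= needed

def access_report(grants, parent=PARENT):
    """Map each reachable entity to its effective level, for access reviews."""
    report = {}
    for entity in sorted(set(parent) | set(parent.values())):
        level = effective_level(grants, entity, parent)
        if level is not None:  # entities with no grant stay invisible
            report[entity] = level.name
    return report

# Constructed grants matching the example in the text above.
GRANTS = {"US Operations": Level.WRITE, "EMEA Holdings": Level.READ}

if __name__ == "__main__":
    for entity, level in access_report(GRANTS).items():
        print(f"{entity}: {level}")
```

Running the report before assigning a parent entity shows every child the grant will reach, which makes the scope of a region-wide grant visible during review.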
Separation of duties
Arvexi enforces separation of duties (SOD) rules to ensure no single person can both prepare and approve critical accounting work:
- Reconciliation preparer/approver: The user who completes a reconciliation cannot also approve it. A different user with Manager or Admin role must review and approve.
- Journal entry poster/reviewer: The user who generates or edits a journal entry cannot post it to the ledger. A second user must review and post.
- Close task completion/certification: Task assignees cannot certify the close period. Certification requires a Manager or Admin who is not the task assignee.
SOD rules are enforced at the system level. The approve, post, and certify buttons are disabled for the same user who performed the preparatory work. Admins cannot override SOD enforcement.
SCIM provisioning
Enterprise customers can automate user lifecycle management using SCIM 2.0. When connected to your identity provider (Okta, Azure AD, OneLogin, or any SCIM-compliant IdP), Arvexi automatically:
- Creates users when they are assigned the Arvexi application in your IdP.
- Updates user attributes (name, email, department) when they change in your directory.
- Deactivates users when they are unassigned from the application or disabled in your IdP. Deactivated users cannot log in but their historical work is preserved.
- Maps groups to roles: Assign IdP groups to Arvexi roles so role assignment is managed centrally in your directory.
To enable SCIM, go to Settings → Security → SCIM and generate a bearer token. Enter the SCIM endpoint URL and token in your IdP’s application configuration. Arvexi’s SCIM endpoint supports user and group resources with full CRUD operations.
Entity-level access is not managed through SCIM. An Arvexi Admin must configure entity assignments after the user is provisioned. This separation ensures accounting teams retain control over data access boundaries.