Help Center

Beam Machine Roles and Access

Role model, module visibility, and entity access rules for Beam Machine users.

publicusers

Choosing the Right Beam Machine Role and Access

This page shows you which kind of user should see which modules and how role access differs from entity access.

Product: Beam Machine
Module: Access Control
Role: Firm Admin, Team Lead, New User
Difficulty: Beginner
Time: 5 minutes
Last Updated: 2026-03-10
Version: Current Beam Machine app build in this repo

Before You Start

You should know the person’s real job, not just their job title.
You should know which entity or entities they must work in.
You should have 03-navigation-and-layout.md available if you need to confirm where modules appear.

What is role and access control?

Role access answers one question: "Which parts of the system can this person open?"

Entity access answers a different question: "Which company or business unit can this person work inside?"

In Beam Machine, you need both to be right. A perfect role with the wrong entity access still creates bad work.

When do you use this?

Use this page when:

onboarding a new user,
changing responsibilities,
troubleshooting "I can't see the module" complaints,
or checking whether someone is in the wrong workspace for their job.

If you do not check access properly, users either get blocked or get access they should never have had.

Where do you check this in the system?

Primary path: Settings -> Roles for the read-only matrix and Settings -> Users for user records.
Alternative: Check the live left sidebar after login to confirm what the user can actually see.

How the current role model works

The current role model

The repo currently exposes four main roles in the static RBAC model:

Role	What it means in plain language
Administrator	Full operational access across nearly all modules, plus settings
Accountant	Broad finance, reporting, audit, statutory, ESG, and transfer pricing access, but not every system function
Operator	Operations-only access focused on fleet, rental, and inventory
Client	Limited access. This role is mainly relevant to the customer portal, not the full staff dashboard

Module access by role

Module family	Admin	Accountant	Operator	Client
Accounting	Yes	Yes	No	No
Banking	Yes	Yes	No	No
Tax	Yes	Yes	No	No
Fixed Assets	Yes	Yes	No	No
Fleet	Yes	No	Yes	No
Rental	Yes	No	Yes	No
Inventory	Yes	No	Yes	No
Payroll	Yes	Yes	No	No
Practice	Yes	Yes	No	No
Statutory	Yes	Yes	No	No
Audit	Yes	Yes	No	No
Reporting	Yes	Yes	No	No
Multi-Entity	Yes	Yes	No	No
Settings	Yes	No	No	No
ESG	Yes	Yes	No	No
Transfer Pricing	Yes	Yes	No	No

Entity access is separate from role access

Role decides which module families the user can open.
Entity access decides which company or business unit the user is acting inside.

If a user says, "I can log in but I cannot see the right company," the problem may be entity access, not role permissions.

Review access safely

Confirm which business process the person performs.
Confirm which entity or entities they should access.
Confirm whether they should work in the staff app or only in the client portal.
Confirm whether they need approval visibility, documents, or settings access.
Review the role matrix.
Review the user record.
Confirm the left sidebar matches the expected modules after login.

Common Questions & Issues

"The user cannot see a module"

Why this happens: The user may have the wrong role, the wrong workspace, or the wrong expectation about what is actually live.

Fix: Check:

their role,
whether that role includes the module,
whether they are in the staff app or the client portal,
whether the feature itself is only partial or planned.

"The user can see the module but not the right records"

Why this happens: This is often an entity problem, not a role problem.