Roles, permissions & security
Granular role-based access with self/team/company view scopes, ready-made default roles, full audit logs and deployment options up to self-hosting.
Access in Zaffre Axon is granular by module and action: viewing employees, creating pay runs, approving purchases and posting journal entries are separate rights, assembled into roles. Ten sensible default roles ship ready — from company admin to employee — and companies refine from there.
View scopes answer the question static permissions cannot: WHO can this person see? Self, their reporting line, or the whole company — per module. A team lead sees their team’s attendance; HR sees everyone’s; an employee sees their own. The same scoping applies to APIs and the AI assistant, not just screens.
Underneath, the platform keeps an audit spine: system logs record actions with actor, time and location context; approvals keep decision trails; sensitive documents live on access-controlled storage. Companies with data-residency requirements can run self-hosted, keeping everything on their own infrastructure.
How it works
1. Start from defaults: Ten default roles cover the usual jobs; adjust or clone as needed.
2. Set view scopes: Per module: self, subordinates or all — enforced everywhere including AI.
3. Assign and forget: Employees inherit their role’s rights; changes apply immediately.
4. Audit anytime: System logs and approval trails answer who-did-what with timestamps.
Frequently asked questions
- Can a manager see only their own team?
- Yes — view scopes (self / subordinates / all) apply per module, so a manager’s lists, reports and approvals cover exactly their reporting line.
- Are there ready-made roles to start with?
- Ten default roles ship with every company — admin, HR, finance, manager, employee and more — and can be customised or extended.
- Is there an audit log?
- Yes — system-wide logs capture actions with actor, timestamp and location context, alongside per-request approval histories.
- Can we host it ourselves?
- Yes — a self-hosted deployment option keeps all data on infrastructure you control, for companies with strict residency or security requirements.