ZaffreZaffre Axon
Everyone sees exactly enough

Roles, permissions & security

Granular role-based access with self/team/company view scopes, ready-made default roles, full audit logs and deployment options up to self-hosting.

Access in Zaffre Axon is granular by module and action: viewing employees, creating pay runs, approving purchases and posting journal entries are separate rights, assembled into roles. Ten sensible default roles ship ready — from company admin to employee — and companies refine from there.

View scopes answer the question static permissions cannot: WHO can this person see? Self, their reporting line, or the whole company — per module. A team lead sees their team’s attendance; HR sees everyone’s; an employee sees their own. The same scoping applies to APIs and the AI assistant, not just screens.

Underneath, the platform keeps an audit spine: system logs record actions with actor, time and location context; approvals keep decision trails; sensitive documents live on access-controlled storage. Companies with data-residency requirements can run self-hosted, keeping everything on their own infrastructure.

How it works

  1. 1

    Start from defaults

    Ten default roles cover the usual jobs; adjust or clone as needed.

  2. 2

    Set view scopes

    Per module: self, subordinates or all — enforced everywhere including AI.

  3. 3

    Assign and forget

    Employees inherit their role’s rights; changes apply immediately.

  4. 4

    Audit anytime

    System logs and approval trails answer who-did-what with timestamps.

Frequently asked questions

Can a manager see only their own team?
Yes — view scopes (self / subordinates / all) apply per module, so a manager’s lists, reports and approvals cover exactly their reporting line.
Are there ready-made roles to start with?
Ten default roles ship with every company — admin, HR, finance, manager, employee and more — and can be customised or extended.
Is there an audit log?
Yes — system-wide logs capture actions with actor, timestamp and location context, alongside per-request approval histories.
Can we host it ourselves?
Yes — a self-hosted deployment option keeps all data on infrastructure you control, for companies with strict residency or security requirements.

See roles, permissions & security in action

Book a demo