Permissions
  • 21 Oct 2020

Overview

In Mambu, a permission allows a user or a group profile to view a type of information or perform an action. Permissions are organized into sets, such as Administration, Credit Arrangements, or Deposit Accounts.

Assign permissions to users and roles

By managing permissions, each user will only have access to the information that is relevant for their required activities in Mambu.

For example, a Credit Officer might be able to create a new loan account (application) for a client, but only the Branch Manager would have the permissions to approve or reject the loan application. Other users might only be allowed to view reports, but not post any data in the system. In such cases, options like managing clients, accounts and administration tasks won't be visible, or the access to these actions will be denied to those users who do not have permission to perform them.

Please Note
If users have Audit Trail enabled, Mambu will track all the activities performed by all types of users, regardless of what set of permissions they have.

To assign permissions to users or roles:

  • When Creating a user or Creating a role, under Permissions, select the check boxes next to the permissions you want to assign, or select the checkbox next to the category of permissions you want to assign and all the permissions in that category will be automatically assigned to the user or role.

Granular Administration Permissions

Currently, in order to have access to the Mambu Administration section, you must create a user with an "Administrator" user type. This user type has complete control over the Mambu app and can perform all possible actions. However, you may need to create multiple types of administrators whose access is limited to some areas of the Mambu Administration section.

For example, you might want to create Roles similar to these, for more granularity:

  • a Financial Administrator, in charge of setting the rates, currencies, and so on.
  • an Access Administrator, who manages users, roles, access preferences, and who can set up Federated Authentication.
  • a Technical Setup Administrator, who manages the setup of Event Streaming APIs, Data Imports and Exports, and so on.

In order to enable you to create separate Roles for the needs of your organization, we have decided to add more granularity to our Administration permissions. With granular permissions, you can apply the need-to-know principle for your users and only give permissions as needed.

In addition, we are introducing a new standard for how the permissions that sit under the Administration category are applied.

Standard Behavior for Granular Administrator Permissions

The standard behaviour for granular permissions on the Administration section, applicable both on the UI and on the API endpoints, is the following:

  • Create, Read, Update, Delete (CRUD) permissions on more complex entities.
  • Manage permission on simpler entities.

To better understand how the CRUD permissions and the Manage permission standard are applied, let's pick the Branches entity and go through each permission.

Create Entity Details

Now has implicit View permission mapped. This means that with the Create permission, you also have all the capabilities a user with only View permission has. Please note, this is an implicit View permission, which means it is not signaled in the Permission Tree of the given entity.
This permission also gives you the capability to create a new entity of the given kind, both via the UI and API, provided that you also have API access.

Read Entity Details

This permission is applicable on API 2.0 endpoints per entityList and entityDetails provided that you also have API access:
GET /branches
GET /branches/{branchID}

This permission is applicable on Mambu UI as follows:
You can see the entityList by navigating to Administration > Organization > Branches. You can't do any edits or create a new entity if you only have View permissions.
You can click on entityName and/or entityID as applicable, in order to see the entityDetails (for example, clicking on BranchName or BranchID will show you the Branch details).

Update Entity Details

Has implicit View permission mapped. This means that with the Edit permission, you also have all the capabilities a user with only View permission has. Please note, this is an implicit View permission, which means it is not signaled in the permission tree of the given entity.
This permission also gives you the capability to Edit an entity of the given kind, both via the UI and API, provided you also have API access.
The Edit entity permission includes access to actions like:

  • Activate/Deactivate Entity
  • Unlock Entity (applicable for Users)

Delete Entity Details

Has implicit View permission mapped. This means that with the Delete permission, you also have all the capabilities a user with only View permission has. Please note, this is an implicit View permission, which means it is not signaled in the permission tree of the given entity.
The delete user action is available both to Administrators and to other users who are granted the “Delete Users” permission.

Manage Entity

The Manage entity permission will be added to smaller entities that do not need a CRUD mapping, or to cover the current lack of granularity with minimal impact on backwards compatibility.
This permission gives you access to manage the entity or feature fully, while enhancing granularity by not needing to have an Administrator user type.

Permissions’ description

Below you can find a description of the permissions available in Mambu by category or set. These permissions function identically for Mambu user accounts and Mambu roles.

General

The General category contains the following permissions:
  • Audit Transactions: allows you to filter and find transactions. See Audit Trail.
  • View Comments: enables the Comments tab for clients, users, branches, and products.
  • Create Comments: allows you to create new comments.
  • Edit Comments: allows you to edit existing comments.
  • Delete Comments: allows you to delete existing comments.
  • Export to Excel: allows you to export custom views data, and any report under Reporting or Accounting.

Administration

The Administration category contains the following permissions:
  • Branches:
    • View Branch Details: enables Organization tab under Administration. Allows access to Branch information when clicking the Branch name elsewhere in the system.
    • Create Branches: enables access to Administration > Organization > Branches > Create Branch. See Creating Branches.
    • Edit Branches: enables access to Administration > Organization > Branches > Edit Branches. Allows you also to activate, deactivate, and unlock branches. See Editing a Branch.
  • Centres:
    • View Centre Details: enables Organization tab under Administration. Allows access to Centre information when clicking the Centre name elsewhere in the system.
    • Create Centres: enables access to Administration > Organization > Centres > Create Centre. See Creating Centres.
    • Edit Centres: enables access to Administration > Organization > Centres > Edit Centres. Allows you to activate, deactivate, and unlock centres.
  • Products:
    • View Loan Product Details: enables Products tab on the main ribbon. Allows you to view all the loan products created in Mambu.
    • View Deposit Product Details: enables Products tab on the main ribbon. Allows you to view all the deposit products created in Mambu.
    • Create Product Documents: allows you to create document templates. See Creating a Document.
    • Edit Product Documents: allows you to edit document templates. See Using the Document Editor.
    • Delete Product Documents: allows you to delete document templates.
  • Transaction Channels:
    • View Transaction Channels: allows you to view the list of transaction channels.
    • Create Transaction Channels: allows you to create a new transaction channel.
    • Edit Transaction Channels: allows you to modify transaction channels.
    • Delete Transaction Channels: allows you to delete transaction channels.
  • Manage Holidays: allows you to view, edit, and add to the list of holidays from Administration > General > Holidays. See Holidays.
  • Manage Events Streaming: allows you to view and work with Events Streaming. See How to Use Event Streaming.
  • Manage EOD Processing: allows you to manage EOD Processing from Administration > General > EOD Processing.
  • Manage Apps: enables the Apps tab under Administration. Allows you to access and manage Mambu apps.

Access

The Access category contains the following permissions:
  • Users:
    • Create Users: allows you to create new users in the system.
    • Edit Users: allows you to edit existing users.
    • View User Details: allows you to view the user profile of Mambu users within this menu, including your own. Your profile is also accessible when clicking your name in the top right corner, and then clicking View Your Profile. Other users’ profile is also accessible from activities or transactions.
    • Delete Users: allows you to delete existing users.
  • Roles
    • Create Roles: allows you to create new roles in the system.
    • Edit Roles: allows you to edit existing roles.
    • View Roles: allows you to view the existing roles.
    • Delete Roles: allows you to delete existing roles.
  • Api Consumers and Keys
    • View Api Consumers and Keys: enables the API Consumers tab under Administration. See API Consumers.
    • Create Api Consumers and Keys: allows you to create API consumers and keys.
    • Edit Api Consumers and Keys: allows you to edit API consumers and keys.
    • Delete Api Consumers and Keys: allows you to delete API consumers or API keys. See API Consumers.
  • Manage Federated Authentication: enables you to manage users under Federated Authentication. See Managing Users under Federated Authentication.
  • Manage Access Preferences: allows you to manage access preferences, such as Minimum password length or whether you want to lock users after failed logins. See Access Preferences.

Please Note
Having any permission under the Access permissions category enables the Access tab under Administration and the subtab you have access to, accordingly.

Communication

The Communications category contains the following permissions:
  • Create Templates: enables the Templates tab under Administration. Allows you to view and create communication templates for Tasks, SMS, Emails and Streaming API Events. See Email and SMS Templates.
  • Edit Templates: allows you to view, edit, deactivate, and delete templates for Tasks, SMS, Emails and Streaming API Events.
  • Send Manual SMS: enables the SMS tab under Administration. Allows you to send ad-hoc, manual SMS messages to clients. See Sending Manual Emails and SMS Messages.
  • Send Manual Email: enables the Email tab under Administration. Allows you to send ad-hoc, manual email messages to clients. See Sending Manual Emails and SMS Messages.
  • View Communication History: allows you to view the history of all communications (via SMS, Email, Webhooks). See View Communication History.
  • Resend Failed Messages: allows you to resend the communication messages that didn’t go through. See Resend Failed Notification Messages.

Clients

The Clients category contains the following permissions:
  • View Client Details: allows you to access the list of clients and the individual clients’ overview screen.
  • Create Clients: allows you to create new clients. See Creating Individual Clients.
  • Edit Clients: allows you to make changes to the client fields, custom fields, and notifications settings. See Editing a Client.
  • Delete Clients: allows you to delete clients, provided they don’t have open accounts, transactions, or activities. See Deleting a Client.
  • Approve Clients: allows you to change the status of a client from pending approval to approved.
  • Reject Clients: allows you to reject unapproved clients.
  • Exit Clients: allows you to change the status of a client to Exited.
  • Blacklist Clients: allows you to change the status of a client to Blacklisted.
  • Undo Client State Changed: allows you to undo approval or blacklisting of clients.
  • Change Client Type: allows you to change the type of the client, if different types of clients exist.
  • Manage Client Association: allows you to perform Branch/Centre/Credit Officer association actions when you create or edit clients. Allows you to perform single reassign or bulk reassign actions from Clients custom view. See Assigning Clients to Credit Officers and Branches.
  • Edit Client Id: allows you to manually change the system-generated random client or group ID.

Groups

The Groups category contains the following permissions:
  • View Group Details: allows you to access the group or company overview tab and the list of all the existing groups or companies.
  • Create Groups: allows you to create groups. See Create a New Group.
  • Edit Groups: allows you to make changes to the group or company members, basic information and custom fields.
  • Delete Groups: allows you to delete groups provided they don’t have open accounts, transactions, or activities.
  • Change Group Type: allows you to change the group type if different group types exist.
  • Manage Group Association: allows you to perform Branch/Centre/Credit Officer association actions when you create or edit groups. Allows you to perform single reassign or bulk reassign actions from Groups custom view. See Assign Groups to Credit Officers and Branches.
  • Edit Group Id: allows you to edit group ids.

Credit Arrangements

The Credit Arrangements category contains the following permissions:
  • View Credit Arrangement Details: allows you to access the Credit Arrangements overview and related tabs: Schedule, Transactions. See Viewing a Credit Arrangement.
  • Create Credit Arrangements: allows you to create a new credit arrangement for a client. See Creating a New Credit Arrangement and Exposure Limits.
  • Edit Credit Arrangements: allows you to edit an existing credit arrangement. See Editing a Credit Arrangement.
  • Approve Credit Arrangements: allows you to approve credit arrangements that are in Pending Approval state.
  • Undo Approve Credit Arrangements: allows you to undo approval of a credit arrangement.
  • Withdraw Credit Arrangements: allows you to withdraw a credit arrangement that hasn’t been approved yet.
  • Undo Withdraw Credit Arrangements: allows you to undo the withdrawal of a credit arrangement.
  • Reject Credit Arrangements: allows you to reject a credit arrangement that hasn’t been approved yet.
  • Undo Reject Credit Arrangements: allows you to undo the rejection of a credit arrangement.
  • Add Accounts to Credit Arrangements: allows you to add a new account to an existing credit arrangement. See Adding Accounts to a Credit Arrangement.
  • Remove Accounts from Credit Arrangement: allows you to remove an account from a credit arrangement. See Removing Accounts from a Credit Arrangement.
  • Close Credit Arrangements: allows you to close an existing credit arrangement. See Closing a Credit Arrangement.
  • Delete Credit Arrangements: allows you to delete a credit arrangement. See Deleting a Credit Arrangement.

Loan Accounts

The Loan Accounts category contains the following permissions:
  • View Loan Account Details: allows you to access the list of loan accounts and the accounts’ overview screen.
  • Create Loan Accounts: allows you to create a new loan account. See Creating a New Loan Account.
  • Edit Loan Accounts: allows you to change existing loan accounts, rename and add custom fields, and change account parameters for unapproved loans. See Editing a Loan.
  • Delete Loan Accounts: allows you to delete loan accounts, provided they don’t have transactions or activities.
  • Enter Repayments: allows you to enter payments. See Processing Loan Repayments.
  • Edit Repayment Schedule: for fixed products that have this setting enabled at product level, it allows you to edit items on the loan schedule. See Editing Repayment Schedule.
  • Approve Accounts: allows you to approve loans that are in Pending Approval state. See Approving a Loan Account.
  • Request Loan Approval: allows you to submit for approval loans that are in Partial Application state.
  • Disburse Loans: allows you to disburse loans that are in Approved state. See Disbursing a loan.
  • Withdraw Loan Accounts: allows you to withdraw a loan account that hasn’t been disbursed yet. See Withdrawing a Loan.
  • Undo Withdraw Loan Accounts: allows you to undo a withdrawal of a loan account. See Undoing a Loan Withdrawal.
  • Set Loan Incomplete: allows you to undo submitting a loan for approval by changing the account’s state from Pending Approval to Partial Application.
  • Reject Loan Accounts: allows you to reject loan accounts that are in Pending Approval or Partial Application state. See Rejecting a Loan Account.
  • Undo Reject Loan Accounts: allows you to undo a rejection of a loan account. See Undoing a Loan Rejection.
  • Close Repaid Loan Accounts: allows you to close accounts that have been fully repaid. See Closing a Loan.
  • Write Off Loan Accounts: allows you to write off a loan account that has pending balance. See Writing-off a Loan.
  • Pay Off Loan Accounts: allows you to completely settle a loan account. See Paying-off a Loan.
  • Undo Close: allows you to undo non-write off loan closures.
  • Undo Write Off: allows you to undo the write off of a loan account. See Undoing a Write-off.
  • Refinance Loan Account: allows you to refinance a loan. See Rescheduling and Refinancing Loans.
  • Reschedule Loan Account: allows you to reschedule a loan. See Rescheduling and Refinancing Loans.
  • Apply Accrued Interest: allows you to charge the interest accrued to date (if applicable). See Interest Calculation Methods in Loans.
  • Apply Loan Account Fees: allows you to charge manual fees to the account. See Applying and Reversing Fees and Penalties.
  • Apply Loan Adjustments: allows you to reverse loan transactions, provided reversal is allowed for the transaction. It also allows you to undo approval of loan accounts. See Revert Last Repayment or Undo a Loan Account Approval.
  • Backdate Loan Transactions: allows you to post transactions with a past date.
  • Set Settlement Accounts: allows you to set a settlement deposit account for a loan account.
  • Collect Securities: when a loan is written off, this permission allows collection of secured amounts from the Mambu savings account. See Collecting Securities.
  • View Securities Details: enables access to the Security tab for loan accounts. Allows you to view securities.
  • Create Securities: enables access to the Security tab for loan accounts. Allows you to create securities.
  • Edit Securities: enables access to the Security tab for loan accounts. Allows you to edit securities.
  • Delete Securities: enables access to the Security tab for loan accounts. Allows you to remove securities.
  • Lock Loan Accounts: allows you to set an account to Locked status in which no automated transactions are posted to the account. See Locking Loans.
  • Post Transactions on Locked Accounts: allows you to post repayments and fees into locked accounts.
  • Edit Loan Tranches: allows you to modify the tranches of an existing loan account.
  • Edit Penalty Rate: allows you to change the penalty rate of an existing loan account. See Loan Penalties Setup.
  • Set Disbursement Conditions: allows you to define disbursement conditions when entering a loan application and overriding them when disbursing the account.
  • Edit Loan Transactions: allows you to edit custom fields on loan transactions that are already posted.
  • Bulk Loan Corrections: allows you to backdate or reverse transactions on loan accounts. See Bulk Adjusting Transactions.
  • Edit Interest Rate: allows you to edit the interest rate on active loan accounts. See Change Interest Rate.
  • Edit Periodic Payment for Active Accounts: allows you to change periodic payments for active accounts.
  • Edit Principal Payment for Active Revolving Credit: allows you to edit the principal payment amount on active Revolving Credit loan accounts.
  • Perform Repayments with Custom Amounts Allocation: allows you to make repayments with a custom allocation of the repaid amount. See Enter a Custom Repayment.
  • Manage Loan Association: allows you to associate a loan account to a specific branch. See Loan Association.
  • Make Withdrawal Redraw:

Deposit Accounts

The Deposit Accounts category contains the following permissions:
  • View Deposit Account Details: allows you to access the list of deposit accounts and the accounts’ overview screen.
  • Create Deposit Accounts: allows you to create new deposit accounts. See Creating a Deposit Account.
  • Edit Deposit Accounts: allows you to edit existing accounts. See Editing Accounts.
  • Delete Deposit Accounts: allows you to delete a deposit account with no transactions. See Closing Accounts.
  • Make Deposit: allows you to post a deposit transaction. See Enter a Deposit.
  • Make Withdrawal: allows you to post a withdrawal transaction. See Make Withdrawals.
  • Make Early Withdrawals: allows you to make a withdrawal before the maturity date is reached. See Early Withdrawals in Fixed Deposits.
  • Approve Deposit Account: allows you to approve deposit accounts that are in Pending Approval state. See Approving a Deposit Account Application.
  • Activate Maturity: allows you to set a maturity date for deposit accounts, if applicable (for fixed deposits and savings plans only). See Setting up a Maturity Period.
  • Close Deposit Accounts: allows you to close a deposit account with zero balance. It also allows you to write off overdraft accounts with overdraft balance. See Closing Accounts.
  • Apply Deposit Account Fees: allows you to charge manual fees to deposit accounts. See Applying Fees.
  • Re-open Deposit Accounts: allows you to reopen closed deposit accounts. See Re-opening a Deposit Account.
  • Apply Deposit Account Adjustments: allows you to reverse deposit accounts transactions and to undo approval.
  • Lock Deposit Account: allows you to set an account to Locked status in which no automated transactions are posted to the account. See Locking and Unlocking Accounts.
  • Unlock Deposit Account: allows you to unlock a deposit account. See Locking and Unlocking Accounts.
  • Undo Write Off: allows you to undo the write off of a deposit account.
  • Backdate Deposit Transactions: allows you to post transactions with a past date. See Backdating Deposits and Withdrawals.
  • Make Intra-clients Transfers: allows you to post transfer transactions from a deposit account to other deposit or loan accounts belonging to the same client. See Make Transfers.
  • Make Inter-clients Transfers: allows you to post transfer transactions from a deposit account to other deposit or loan accounts belonging to different clients. See Make Transfers.
  • Post Transactions on Dormant Accounts: allows you to post transactions on accounts that are dormant, meaning they have been inactive for a number of days defined in the initial setup.
  • Apply Accrued Interest: allows you to charge the interest accrued to date (if applicable).
  • Edit Deposit Transactions: allows you to edit custom fields on deposit transactions that are already posted.
  • Bulk Deposit Corrections: allows you to backdate or reverse transactions on deposit accounts.
  • Undo Maturity: allows you to undo the maturity date for deposit accounts, if applicable (for fixed deposits and savings plans only).
  • Block and Seize Funds: allows you to block funds from deposit accounts.

Documents

The Documents category contains the following permissions:
  • View Documents: allows you to view any attachment across Mambu.
  • Create Documents: allows you to add and attach new files. See Creating a Document.
  • Edit Documents: allows you to edit attached files.
  • Delete Documents: allows you to delete attached files.

Tasks

The Tasks category contains the following permissions:

Reporting

The Reporting category contains the following permissions:

Accounting

The Accounting category contains the following permissions:
  • Manage Chart of Accounts: allows you to create and edit GL accounts.
  • Log Journal Entries: allows you to create and post journal entries.
  • View Accounting Reports: allows you to view accounting reports. See Accounting Reports.
  • Make Accounting Closures: allows you to make periodical closures. See Accounting Closures.
  • Delete Accounting Closures: allows you to edit or delete accounting closures.
  • Booking Date Loans Journal Entries: allows you to select the journal entry booking date of a given loan transaction.
  • Booking Date Deposits Journal Entries: allows you to select the journal entry booking date of a given deposit transaction.
  • Rectify Adjustment After Accounting Closures: allows you to rectify and adjust a transaction after an account closure, by allowing a booking date input after the accounting closure.

Tellering

The Tellering category contains the following permissions:
  • Open Till: permission normally granted to a supervisor or vault teller. Allows opening a till for a regular teller. See Opening a Till.
  • Close Till: permission normally granted to a supervisor or vault teller. Allows closing a till for a regular teller. See Closing a Till.
  • Add Cash: allows you to post repayments or deposits. See Processing Loan Repayments and Entering Deposits.
  • Remove Cash: allows you to post disbursements or withdrawals. See Disbursing a Loan or Making Withdrawals.
  • Post Transaction without a Till: allows you to post repayments, deposits, disbursements, and withdrawals without a till.

Funds

The Funds permission enables access to the Funding tab for Loans and Investment Deposit Accounts. It allows you to manage funding sources.

Particular actions that depend on permission combinations

There are certain actions that a user can perform in Mambu without having a specific permission in place for them; these actions depend on other permissions or user types.

  • Only Administrator users can create Views which are available for other users.
  • Only the user who created a task can edit it.
  • To transfer transactions, users need to also have “Enter Repayments” or “Make Deposit” permission (if the transfer is meant to become a repayment in a loan account or a deposit in a savings account).
  • For rescheduling loans, users also need the “Create Loan” permission.
  • To revert a certain type of transaction, besides the "Apply Loan/Deposit product adjustments", the user requires the permission to post that type of transaction. For example, to revert a repayment, the user must have the "Enter Repayments" permission as well.
  • To change the Loan Account's branch, a new "Manage Loan Association" permission was added, which is disabled by default. Without this permission, the branch box in the Create Loan Account form and the Edit Loan Account form will be read-only and you won’t be able to change the branch.
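
The implicit View rule, the API-access condition, and the permission combinations listed above can be checked mechanically during a role review. The following is an added example, not Mambu code: permission names are the display names from this page, while the function names, the sample roles, the separation-of-duties pair, the extension of implicit View to Users, and the reading of “Create Loan” as Create Loan Accounts are assumptions.

```python
"""Role review helper modelling the permission rules described on this page.

Added example: all structures and function names here are hypothetical and
do not correspond to a Mambu API.
"""

# Create/Edit/Delete carry an implicit View that the permission tree does not
# show. Branches is the entity the page walks through; applying the same
# standard to Users is an assumption.
IMPLICIT_VIEW = {
    "Create Branches": "View Branch Details",
    "Edit Branches": "View Branch Details",
    "Create Users": "View User Details",
    "Edit Users": "View User Details",
    "Delete Users": "View User Details",
}

# Actions that need a combination of permissions (from the list above).
# The page says "Create Loan"; mapped here to "Create Loan Accounts" (assumption).
REQUIRES = {
    "revert repayment": {"Apply Loan Adjustments", "Enter Repayments"},
    "reschedule loan": {"Reschedule Loan Account", "Create Loan Accounts"},
}

# API 2.0 read endpoints named on the page and the View permission they need.
API_READ = {
    "GET /branches": "View Branch Details",
    "GET /branches/{branchID}": "View Branch Details",
}

# Constructed separation-of-duties policy, modelled on the page's example of a
# Credit Officer creating a loan and a Branch Manager approving it.
SOD_PAIRS = [("Create Loan Accounts", "Approve Accounts")]


def effective_permissions(assigned):
    """Assigned permissions plus the implicit View permissions they carry."""
    assigned = set(assigned)
    return assigned | {IMPLICIT_VIEW[p] for p in assigned if p in IMPLICIT_VIEW}


def hidden_grants(assigned):
    """View permissions a role holds without them being ticked in the tree."""
    return effective_permissions(assigned) - set(assigned)


def missing_for(action, assigned):
    """Permissions still needed for a combined action (empty set = allowed)."""
    return REQUIRES[action] - effective_permissions(assigned)


def can_call(endpoint, assigned, api_access):
    """A read endpoint needs API access and an explicit or implicit View."""
    return bool(api_access) and API_READ[endpoint] in effective_permissions(assigned)


def sod_conflicts(assigned):
    """Pairs from SOD_PAIRS that a single role holds in full."""
    eff = effective_permissions(assigned)
    return [pair for pair in SOD_PAIRS if set(pair) <= eff]


def audit_role(name, assigned, api_access=False):
    """Summarise one role for a least-privilege review."""
    incomplete = {}
    for action, required in REQUIRES.items():
        missing = missing_for(action, assigned)
        # Report only half-granted combinations: the role holds part of what
        # the action needs, so the grant is either incomplete or unnecessary.
        if 0 < len(missing) < len(required):
            incomplete[action] = sorted(missing)
    return {
        "role": name,
        "implicit": sorted(hidden_grants(assigned)),
        "sod_conflicts": sod_conflicts(assigned),
        "incomplete_actions": incomplete,
        "api_reads": sorted(e for e in API_READ if can_call(e, assigned, api_access)),
    }


# Constructed sample roles for the demonstration.
ROLES = {
    "Credit Officer": ({"Create Loan Accounts", "Apply Loan Adjustments"}, False),
    "Branch Setup": ({"Edit Branches"}, True),
    "Loan Superuser": ({"Create Loan Accounts", "Approve Accounts",
                        "Enter Repayments", "Apply Loan Adjustments"}, False),
}

if __name__ == "__main__":
    for role, (perms, api) in ROLES.items():
        print(audit_role(role, perms, api_access=api))
```
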

Ask the Mambu Community

If you have a question about how anything works or have come across something you haven't seen explained here, get in touch with our community of fellow users and Mambuvians where someone will lend a hand.