
RBAC (Role-Based Access Controls)

Measure offers Role-Based Access Controls (RBAC) as a security mechanism that governs access to resources based on predefined roles and their associated permissions. RBAC ensures that users are granted the access they need to perform their tasks while preventing unauthorized access. Measure provides the following roles out of the box.

Full Admin

This role provides complete read and write access to all features across the product. Full Admins can:
  • Manage all customers, subscriptions, invoices, and contracts
  • Configure products, pricing plans, and the price book
  • Set up and manage all integrations (payment providers, CRMs, accounting, email)
  • Access analytics, financial reports, and revenue recognition data
  • Configure company settings, branding, and notification settings
  • Manage users and assign roles
  • Configure approval workflows and notification rules
  • Manage tax settings and compliance configuration
Full Admin is intended for operations leads, finance managers, or founders who need unrestricted access to configure and manage the entire platform.

Sales Admin

This role provides read and write access to customers, pricing, subscriptions, and contracts. Sales Admins can:
  • Manage the price book (create, update, and organize products and pricing plans)
  • View and manage all contracts across the sales team
  • Participate in contract approval workflows as an approver
  • Create and manage customers and subscriptions
  • Access all deals regardless of ownership
This role does not include access to analytics, financial reporting, or system settings. Sales Admin is ideal for sales managers and operations leads who oversee the sales team’s deals and maintain pricing consistency.

Sales Rep

This role provides access scoped to the individual sales representative’s own deals and customers. Sales Reps can:
  • View and manage customers assigned to them
  • Create and track contracts for their deals
  • View their own sales commission reports
  • Access pricing and product catalog (read-only)
Sales Reps cannot view deals, customers, or commissions belonging to other team members. This role is ideal for individual contributors on the sales team who need visibility into their own pipeline and earnings without access to organization-wide data.

Customer Support

This role provides read and write access to customers, subscriptions, invoices, payments, and contracts. This includes everything needed to manage renewals and resolve billing issues. Customer Support users can:
  • View and update customer information
  • Manage subscriptions (upgrades, downgrades, cancellations)
  • Process refunds and issue credit notes
  • View and resend invoices
  • Handle contract renewals and amendments
  • Access payment history and retry failed payments
This role does not include access to:
  • Company settings and integrations
  • Analytics and financial reports
  • Product catalog and pricing configuration
  • User management
The Customer Support role is ideal for support and customer success teams who need to resolve billing inquiries and manage the customer lifecycle without access to sensitive financial reporting or system configuration.

Read-Only

This role provides read-only access to all features in the app. Read-Only users can view:
  • Customers and customer details
  • Subscriptions and subscription history
  • Invoices, payments, and payment history
  • Contracts and contract status
  • Products and pricing catalog
  • Analytics and financial reports
  • Usage data and billable metrics
Read-Only users cannot create, edit, or delete any records. This role is useful for stakeholders who need visibility into billing operations without the ability to make changes, such as executives, investors, or external auditors.

Accountant

This role provides read-only access to all features plus write permissions for accounting integrations. Accountants can:
  • View all customers, subscriptions, invoices, and payments
  • View analytics and financial reports
  • Configure and manage accounting integrations (QuickBooks, Xero)
  • Trigger manual syncs to accounting platforms
  • Map accounts and configure accounting export settings
Accountants cannot modify billing data directly (customers, subscriptions, invoices, pricing). This role is ideal for finance team members who need to manage the flow of data to your accounting system while maintaining separation of duties.

Custom Roles

Measure also allows you to define custom roles with granular permissions tailored to your organization’s needs. Custom roles are built using permission building blocks:
  • Read: View records and data
  • Write: Create new records
  • Update: Modify existing records
  • Delete: Remove records
These permissions can be applied independently to each resource type (customers, subscriptions, invoices, contracts, products, integrations, reports). For example, you could create a role that can read all data, create and update subscriptions, but cannot delete anything or access integrations. Contact our support team to configure custom roles for your organization.

Internal Logs

All actions performed in Measure are internally logged and can be audited by the Full Admin role. Each log entry contains the following fields:
    {
        "company_id": "company_xyz",
        "created_at": "2023-06-01 00:55:10.09358+00",
        "action": "credit.created",
        "action_performed_by_user_id": "user_xyz",
        "reference_type": "credit",
        "reference_id": "credit_abc",
        "additional_data": "..."
    }
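The following is an added example, not Measure's own code, that ties the Custom Roles section above to the audit log: it models a few of the built-in roles and the page's own custom-role example as Read/Write/Update/Delete grants per resource type, adds the Sales Rep style ownership scoping, and then reviews constructed log lines in the format shown above to flag entries whose actor's role does not grant the recorded action. The role names, permission building blocks, resource types and log field names come from the page; the exact grant matrix, the `USER_ROLES` directory, the `<type>.<verb>` action naming, and the sample log lines are assumptions made for this example.

```python
"""Hypothetical model of Measure-style roles plus an audit-log review pass.
Added example, not Measure's code: grant matrix, user directory, action
naming scheme and sample log lines are assumptions."""
import json
from dataclasses import dataclass

RESOURCES = {"customers", "subscriptions", "invoices", "contracts",
             "products", "integrations", "reports"}
PERMS = {"read", "write", "update", "delete"}
OWNED = {"customers", "contracts"}  # record types that carry an owner


@dataclass(frozen=True)
class Role:
    name: str
    grants: dict            # resource type -> set of permission building blocks
    own_only: bool = False  # Sales Rep style: only the user's own records


def _all(perms):
    return {r: set(perms) for r in RESOURCES}


ROLES = {
    "full_admin": Role("Full Admin", _all(PERMS)),
    "read_only": Role("Read-Only", _all({"read"})),
    "sales_rep": Role("Sales Rep", {
        "customers": {"read", "update"},
        "contracts": {"read", "write", "update"},
        "products": {"read"},
    }, own_only=True),
    # The custom role the page describes: read all data, create and update
    # subscriptions, delete nothing, no access to integrations.
    "custom_sub_ops": Role("Custom: subscription ops", {
        **{r: {"read"} for r in RESOURCES - {"integrations"}},
        "subscriptions": {"read", "write", "update"},
    }),
}


def role_grants(role_key, perm, resource):
    """Grant-matrix check only. Unknown names raise instead of denying
    silently, so typos in policy are caught rather than hidden."""
    if resource not in RESOURCES or perm not in PERMS:
        raise ValueError(f"unknown permission or resource: {perm} {resource}")
    return perm in ROLES[role_key].grants.get(resource, set())


def is_allowed(role_key, perm, resource, actor_id, owner_id=None):
    """Full decision: grant matrix plus ownership scoping. For an own_only
    role acting on an owned record type, a missing owner fails closed."""
    if not role_grants(role_key, perm, resource):
        return False
    if ROLES[role_key].own_only and resource in OWNED:
        return owner_id is not None and owner_id == actor_id
    return True


# --- audit-log review (assumed "<type>.<verb>" action names) ---------------
REQUIRED = ("company_id", "created_at", "action",
            "action_performed_by_user_id", "reference_type", "reference_id")
VERB_TO_PERM = {"created": "write", "updated": "update",
                "deleted": "delete", "viewed": "read"}
# Constructed user directory; in practice this comes from user management.
USER_ROLES = {"user_admin": "full_admin", "user_rep": "sales_rep",
              "user_ro": "read_only"}


def review_entry(entry):
    """Return a finding for one entry, or None if it matches the actor's
    role. Ownership is not checked: the log entry carries no owner field."""
    missing = [f for f in REQUIRED if f not in entry]
    if missing:
        return f"malformed entry, missing {missing}"
    user = entry["action_performed_by_user_id"]
    role_key = USER_ROLES.get(user)
    if role_key is None:
        return f"{user}: actor not in user directory"
    verb = entry["action"].rsplit(".", 1)[-1]
    perm = VERB_TO_PERM.get(verb)
    resource = entry["reference_type"] + "s"
    if perm is None or resource not in RESOURCES:
        return f"{user}: unmapped action {entry['action']!r}, review manually"
    if not role_grants(role_key, perm, resource):
        return (f"{user} ({ROLES[role_key].name}) performed {entry['action']} "
                f"on {entry['reference_id']} without {perm} on {resource}")
    return None


def review_log(lines):
    """Parse newline-delimited JSON log lines and collect findings."""
    return [f for f in (review_entry(json.loads(l)) for l in lines if l.strip()) if f]


# Constructed sample lines in the page's log format.
SAMPLE_LOG = """
{"company_id": "company_xyz", "created_at": "2023-06-01 00:55:10.09358+00", "action": "subscription.created", "action_performed_by_user_id": "user_admin", "reference_type": "subscription", "reference_id": "sub_001", "additional_data": "..."}
{"company_id": "company_xyz", "created_at": "2023-06-01 01:02:00+00", "action": "invoice.deleted", "action_performed_by_user_id": "user_ro", "reference_type": "invoice", "reference_id": "inv_001", "additional_data": "..."}
{"company_id": "company_xyz", "created_at": "2023-06-01 01:05:00+00", "action": "contract.created", "action_performed_by_user_id": "user_rep", "reference_type": "contract", "reference_id": "ctr_001", "additional_data": "..."}
{"company_id": "company_xyz", "created_at": "2023-06-01 01:07:00+00", "action": "credit.created", "action_performed_by_user_id": "user_admin", "reference_type": "credit", "reference_id": "credit_abc", "additional_data": "..."}
""".strip().splitlines()

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

Run as a script, the review reports two findings: a Read-Only user recorded as deleting an invoice, and a `credit.created` action whose reference type is not one of the resource types listed under Custom Roles, so it is surfaced for manual review rather than silently passed. Unmapped actions and actors missing from the directory are reported as findings on purpose: an audit review that quietly ignores what it cannot classify is the gap an attacker's activity hides in.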

API Authentication

All API calls to Measure need to be authenticated with an access token. Please review Authentication under our API reference for more details.