Skip to main content

Access Controls (Access Groups)

Emmanuel Winkler
Updated

Access controls let you control which users can access which specific data in Avallone.

They work by granting access to resources (Companies, Officers, Packages, and Cases) to members of a group. If you’re not in a group that has access to a given resource, Avallone will show it as locked/disabled.

At the moment, Access Groups apply inside KYC Responder.

Key concepts

1) Members

Members are the users who belong to an Access Group. Members inherit the group’s access to resources.

2) Resources

Resources are the items an Access Group can grant access to:

  • Companies
  • Officers
  • Packages
  • Cases (Responder)

In practice, many customers use Permission Groups to define roles (e.g., “KYC Managers”, “View only”) and Access Groups to enforce data boundaries (e.g., by region, business unit, or legal entity).

How it works (what users experience)

Companies & officers

If a user does not have access to a specific company or officer:

  • The item will appear locked/disabled in lists

Even when access is restricted, users may still be able to see structure (e.g., that an officer is related to a company), but they will not be able to open restricted profiles or perform actions on them.

Packages & cases

Packages and Cases are dependent resources: a user can only open a package/case if they have access to all underlying companies and officers included in that package/case.

If the user is missing access to any underlying company/officer, Avallone will block access and may show what access is missing.

What gets added automatically (and what doesn’t)

During day-to-day usage, some resources are added automatically to Access Groups, but not everything:

  1. New companies created by a user are added to all access groups that user is a member of.
  2. New officers created by a user are added to all access groups that user is a member of.
  3. New packages created by a user are added to all access groups that user is a member of.
    • For security reasons, the related companies/officers of a package are not added automatically.
  4. New cases created by a user are added to all access groups that user is a member of.
    • For security reasons, the related companies/officers of a case are not added automatically.

This means that if a group should have access to the companies/officers behind a package or case, those companies/officers must be added to the group separately.

How to set it up (admin guide)

Step 1: Decide your access model

Common patterns include:

  • By country/region (e.g., Nordics, DACH, US)
  • By company / officer
  • Central team + local teams (central team can access all; local teams can access a subset)

Define:

  • Which Access Groups you need
  • Who belongs in each group
  • Which companies/officers should be assigned to each group

Step 2: Ensure the right admins can manage Access Groups

Managing Access Groups is a powerful admin capability.

We recommend:

  • Creating a dedicated permission group for access-control admins (e.g., “Access Administrators”)
  • Limiting membership to a small number of trusted admins

Step 3: Enable Access Groups for your tenant

Access Groups (fine-grained authorization) must be enabled for the tenant. Please reach out to your Customer Success Manager or Avallone support to enable.

After enabling, users may need to log out / switch tenants (or refresh) for the change to take effect.

Step 4: Create Access Groups and assign members

In Settings → Access Groups:

  1. Create the group(s)
  2. Add the right members
  3. Assign resources (companies/officers/packages/cases)

Step 5: Validate with test users

Before rolling out widely:

  • Test with at least one user from each group
  • Confirm that restricted users cannot open data they shouldn’t access
  • Confirm that users who should have access can complete their workflows (create cases, create packages, share, etc.)

Tips & troubleshooting

  • If a user reports “I can’t open this case/package”, check whether the user is missing access to one of the underlying companies or officers.
  • If a user can’t find “Access Groups” in settings, verify they have the required admin permissions and that the feature is enabled for the tenant.

Support

If you’d like help designing your Access Group model or setting up your groups, contact Avallone support.

Related articles