Organization Administrator
Manages the overall organization in the Auditing Portal. Creates and configures applications, invites team members, assigns application-level roles, and accesses organization-wide reports and activity logs. Organization administrator permissions are granted at the organization scope and appear in the
owner bucket of the portal session.Application Administrator
Works within one or more application workspaces. Reviews incoming disclosure requests from auditors, approves or closes them, sets case access windows, and assigns auditors to approved cases. Can view application-level activity logs and list or download application reports.
Auditor
Works within an application workspace on cases they have been assigned to. Creates disclosure requests, reviews interpreted transaction data for approved cases, generates transaction reports, and downloads them. Access to transaction data is always case-scoped and time-bound.
Permission reference
Permissions are grouped into four buckets: owner (organization scope), administrator (application scope), auditor (application scope), and common (application scope, available to all application roles).| Permission key | Bucket | What it allows |
|---|---|---|
applications:create | Owner | Create new applications within the organization |
applications:read | Owner | View the list of applications in the organization |
admins:manage_application_administrators | Owner | Invite, remove, and update application administrators |
logs:view_activity | Owner | View the organization-level activity log |
reports:create | Owner | Generate organization-level reports |
reports:list | Owner | List organization-level reports |
reports:download | Owner | Download organization-level reports |
cases:approve_creation | Administrator | Review, approve, and close disclosure requests from auditors |
cases:edit | Administrator | Manage case auditor assignments on approved cases |
reports:list | Administrator | List reports within an application workspace |
reports:download | Administrator | Download application reports |
logs:view_activity | Common | View the application-level activity log |
cases:create | Auditor | Create a new disclosure request |
cases:withdraw_pending_request | Auditor | Withdraw your own pending disclosure request before it is acted on |
reports:view_transactions | Auditor | Review interpreted transaction data for assigned approved cases |
reports:create | Auditor | Generate transaction reports for an approved case |
reports:list | Auditor | List reports within an application workspace |
reports:download | Auditor | Download generated reports |
The
logs:view_activity permission appears in both the owner bucket (organization scope) and the common bucket (application scope). Organization administrators use it to view organization-wide activity; application-level users use it to view activity within a specific application.Access hierarchy
Permissions in Arcane are layered. Understanding the three levels helps you configure team access correctly. Organization-level permissions are stored in theowner bucket and control access to the organization owner workspace. They cover cross-application actions like creating applications and viewing organization-wide reports. A user with at least one owner permission sees the organization owner workspace in their portal.
Application-level permissions are stored in three buckets on each application assignment: common, administrator, and auditor. A user must have at least one application-level permission to see that application workspace in their portal. Within the workspace, the available actions depend on which permission keys are present in each bucket.
Case-level access is the most granular layer. Even if a user holds auditor-level application permissions, they can only open and review cases they have been explicitly assigned to by an application administrator. Case access also carries an expiry window set at approval — once the window closes, the case is no longer accessible regardless of other permissions.