Use this runbook to identify the control that blocks a Compliance Platform workflow. Start with the affected scope and the exact error before changing access or configuration.
Arcane evaluates organization, application, permission, assignment, contract, and time boundaries together. An active organization member can still be unable to perform an action in a particular application or case.
Before retrying a state-changing action, check the current record status and activity history. Do not repeatedly submit a request, approval, or configuration change when the previous result is unknown.

Determine the impact

Observed impactCheck firstOwner
One user is affectedSession, organization membership, access expiry, and application permissionsUser, then Organization administrator
One application is affectedApplication assignment and contract associationApplication administrator
One case or report is affectedWorkflow status, case assignment, approved scope, and access windowApplication administrator
Several authorized users or applications fail at the same timeShared configuration or service operationDeployment owner / Arcane support
If several authorized users are affected, preserve the exact error and UTC time before changing shared permissions. Broad access changes can hide the original cause and introduce unnecessary exposure.

Quick triage

SymptomOwnerFirst check
You cannot sign in or the session endsUserRefresh the authentication session and confirm the intended organization.
The organization opens but an application does notApplication administratorCheck the application assignment and organization scope in Applications.
A button is unavailable or an action returns ForbiddenApplication administratorCompare the action with the user’s application permissions.
A case request remains PendingApplication administratorReview the approval state in the application where the request was created.
An approved case cannot be openedApplication administratorVerify the case assignment, application scope, and access window.
A case contains no transactionsUser, then Deployment owner / Arcane supportClear filters and compare the review period and application contract with the expected transaction.
A report cannot be created or downloadedApplication administratorCheck the relevant report permission, case scope, and current application.

Authentication and membership

The platform rejects requests without a valid authorization token. Messages such as Missing authorization token or Invalid or expired token refer to the session, not to an application permission.
  1. Sign in again through the normal organization login flow.
  2. Return to the required application from the organization workspace.
  3. Repeat a read operation first.
If the new session is also rejected, confirm that the identity belongs to the organization selected during sign-in.Owner: User, then Organization administrator.Resolved when: A new session opens the intended organization and a read operation completes.
No active membership for the selected organization means that the current user does not have an active membership in that organization.
  • If the invitation is pending, accept it before using the platform.
  • If the membership was suspended, an authorized organization administrator must reactivate it.
  • If the user belongs to another organization, sign in through the intended organization instead of reusing a saved application URL.
Owner: Organization administrator.Resolved when: The membership is active for the intended organization and the user can open its workspace.
When the configured member access expiry passes, the platform blocks the organization session with Time-limited access has expired.An authorized administrator can extend access that was configured as time-limited. Permanent access does not have an expiry to extend. Review the member’s application assignments and permissions when extending access; a new membership period does not broaden the previous scope.Owner: Organization administrator.Resolved when: The renewed access period is active and the existing application scope works as intended.

Permissions

Arcane reports the first missing permission as Missing required permission: <permission>. Permissions are evaluated for the current organization and, where applicable, the current application.
ActionRequired permissionOwner
View available applicationsapplications:readOrganization administrator
Create or manage an applicationapplications:createOrganization administrator
Manage application administratorsadmins:manage_application_administratorsOrganization administrator
Create a case requestcases:createApplication administrator
Withdraw a pending case requestcases:withdraw_pending_requestApplication administrator
Approve or reject case creationcases:approve_creationApplication administrator
Add or remove case auditorscases:editApplication administrator
View case transactions and analyticsreports:view_transactionsApplication administrator
Create a case reportreports:createApplication administrator
View the report listreports:listApplication administrator
Download a reportreports:downloadApplication administrator
View application activitylogs:view_activityApplication administrator
If a permission is missing:
  1. Confirm the application shown in the current workspace.
  2. Open the member in User management.
  3. Review the permission groups for that application assignment.
  4. Grant only the permission required for the user’s responsibility.
  5. Reload the workspace and repeat a read operation before retrying a write.
A role name is not proof that a permission is active. Arcane evaluates the stored permission buckets for the current application.
The issue is resolved when the required action succeeds in the intended application without broadening unrelated access.

Organization and application issues

An organization in the Under Review state can prepare applications and its access structure, but its applications cannot operate. Wait for the platform administrator to complete verification and move the organization to Active.Creating another application does not bypass organization verification.Owner: Arcane platform administrator.Resolved when: The organization is Active and its configured applications can operate.
Check the following in order:
  1. The authenticated session belongs to the organization that owns the application.
  2. The user has applications:read.
  3. The application appears in Applications.
  4. The user has an assignment for that application.
  5. The assignment contains the permission required for the intended action.
Revoked applications are removed from active application queries. The current management interface does not expose an application restore operation.Owner: Organization administrator, then Application administrator.Resolved when: The application appears in Applications and opens from the intended organization workspace.
Application routes are resolved by workspace identifier inside the current organization. This error can mean that the identifier is incorrect, the application belongs to another organization, or the application has been revoked.Return to Applications and open the application from the list. Do not edit the workspace identifier in the browser address manually.Owner: Organization administrator.Resolved when: The application opens from its organization workspace. A revoked application remains unavailable.

Case request issues

Confirm all of the following:
  • the requester has cases:create in the current application;
  • the request includes a basis, reason, review period, and access duration;
  • at least one auditor is assigned;
  • every assigned auditor belongs to the same organization, has an assignment for the current application, and holds reports:view_transactions;
  • requested disclosure fields are limited to what the stated purpose requires.
At least one assigned auditor is required means no reviewer was selected. One or more assigned auditors are invalid for this application means that at least one selected member does not satisfy the application and permission requirements.Owner: Requester for request content; Application administrator for access and assignments.Resolved when: A valid request is recorded as Pending in the current application.
This is the expected state until an application administrator with cases:approve_creation records the required approval. A pending request does not provide access to private evidence.Confirm that the administrator is reviewing the request from the application where it was created. The requester can withdraw a pending request if it is no longer required.Owner: Application administrator.Resolved when: The request is approved or rejected and no longer appears as Pending.
Review the current request status before trying again:
  • a closed request cannot be approved;
  • an approved request cannot be rejected as pending;
  • the same reviewer cannot record the same approval twice;
  • a request from another application or organization is unavailable in the current workspace.
If approval reports that application contract metadata is incomplete, review the application’s contract association. Escalate the issue if the correct contract is already associated; the case cannot be created from the stored application metadata.Owner: Application administrator, then Deployment owner / Arcane support.Resolved when: The final request state is visible and, after approval, the case is created in the same application.

Approved case issues

Check the case identifier and current application first. Case lookup also requires the user’s case assignment and an overlapping application contract scope.For isolation, an out-of-scope case can be reported as not found. Do not treat this response as evidence that the case does not exist elsewhere. Ask an application administrator to verify the assignment and application boundary.Owner: Application administrator.Resolved when: The assigned user opens the case from the application that owns it. An out-of-scope case must remain unavailable.
Case access window has expired means the approved case reached the end of its configured access duration. The platform blocks case details, transactions, analytics, and case-based report generation after expiry.Changing filters or reassigning the same URL does not extend the approved window. If review must continue, use the approved case-request workflow to establish a new access basis and duration.Owner: Requester and Application administrator through the case-request workflow.Resolved when: A newly approved case provides an active, purpose-bound access window. The expired case remains closed.
Confirm that:
  • the auditor’s organization membership is active;
  • time-limited member access has not expired;
  • the auditor holds reports:view_transactions in the current application;
  • the case assignment is active and has not been removed;
  • the case belongs to the current application and contract boundary;
  • the case access window has not expired.
Adding or removing case auditors requires cases:edit. The platform rejects a duplicate active assignment and an attempt to remove an assignment that is already removed.Owner: Application administrator.Resolved when: The assigned auditor opens the active case from the intended application and can view only its approved evidence scope.

Transactions and disclosure

Use this sequence:
  1. Clear search, operation-type, and optional date filters.
  2. Confirm that the case review period includes the expected transaction date.
  3. Confirm that the case was opened from the correct application.
  4. Verify that the application’s associated contract is inside the approved case contract scope.
  5. Record the public or stable transaction identifier and UTC time, if available.
  6. If the transaction is expected inside the approved boundary but remains absent, escalate with those identifiers. Do not include a private payload.
The platform rejects a filter range when its start is after its end or when it extends beyond the approved case period. A narrower range is allowed only inside the case boundary.Owner: User for filters and scope checks; Deployment owner / Arcane support for an expected record that remains unavailable.Resolved when: Expected transactions appear inside the approved case scope, or the escalation identifies why the record is outside the available evidence.
This is normally a disclosure-scope result, not a loading failure.
  • Full transaction hashes require the transaction-identifiers disclosure option.
  • Sender information requires the corresponding sender disclosure option.
  • Recipient or withdrawal-destination information requires the corresponding recipient disclosure option.
Unselected fields remain hidden even when the auditor can view the case. Use the governed disclosure workflow if additional fields are required. Do not attempt to obtain them outside the approved case.Owner: Requester and Application administrator through the case-request workflow.Resolved when: The available fields match the approved disclosure scope. Additional disclosure requires a new approved basis.

Report issues

Check that the user has reports:create, can access the active case, and is working in the application that owns the case. For a custom date range, both dates are required, the start cannot be after the end, and the entire range must remain inside the approved case period.
MessageMeaning
Invalid custom report periodA required date is missing or the start is after the end.
Custom report period exceeds approved case scopeThe requested report range is broader than the case period.
Case not foundThe case identifier, application, assignment, or contract scope does not resolve for the current user.
Case access window has expiredThe case is no longer available for report generation.
Owner: User for date selection; Application administrator for permissions and case scope.Resolved when: The report is created from an active case and remains inside its approved period.
Report creation, listing, and download use separate permissions. Confirm reports:list for Reports and reports:download for file access. Reports are organization-scoped; a report identifier from another organization returns Report not found.Owner: Application administrator.Resolved when: The user can list or download the report in the organization where it was created.

API and integration errors

Use the HTTP response with the exact error message. The status alone does not identify every access boundary.
ResponseOperational meaning
400 Bad RequestSubmitted fields, a date range, an assignment, or the current record state is invalid. Correct the request before retrying.
401 UnauthorizedThe authorization token is missing, invalid, or expired. Sign in again.
403 ForbiddenMembership, access expiry, permission, assignment, or case-access controls block the action. Identify the exact control before changing access.
404 Not FoundThe resource does not resolve inside the current organization and application scope. Do not infer that it exists or does not exist elsewhere.
409 ConflictThe action conflicts with recorded workflow state, such as a duplicate approval or incomplete metadata needed to create a case.
500 Internal Server ErrorThe platform could not complete an unexpected operation. Preserve the request context and escalate if the error repeats.
Before retrying a write request, read the relevant record and activity history. Preserve the UTC time, endpoint, response status, exact error, and a sanitized request correlation identifier if the deployment provides one.

Escalate safely

If the issue remains after the relevant checks, collect:
  • UTC date and time of the failure;
  • organization name and identifier;
  • application name and workspace identifier;
  • user’s role and the permission named in the error, if any;
  • case-request, case, report, or public transaction identifier, where applicable;
  • exact error message and response status;
  • action performed immediately before the error;
  • whether another authorized user with the same scope can reproduce the issue.
Use the support channel assigned to your deployment. If you do not know it, contact your organization’s Arcane deployment owner.
Never include access tokens, passwords, recovery phrases, wallet secret keys, private audit decoding material, or unredacted private transaction payloads. Redact screenshots and exported files before sharing them.

Start and setup

Review organization verification and activation.

User management

Review memberships, application assignments, and access expiry.

Create a case

Review the case request, approval, and access lifecycle.

Contact support

Review the approved escalation path and evidence requirements.