Arcane evaluates organization, application, permission, assignment, contract,
and time boundaries together. An active organization member can still be
unable to perform an action in a particular application or case.
Determine the impact
| Observed impact | Check first | Owner |
|---|---|---|
| One user is affected | Session, organization membership, access expiry, and application permissions | User, then Organization administrator |
| One application is affected | Application assignment and contract association | Application administrator |
| One case or report is affected | Workflow status, case assignment, approved scope, and access window | Application administrator |
| Several authorized users or applications fail at the same time | Shared configuration or service operation | Deployment owner / Arcane support |
Quick triage
| Symptom | Owner | First check |
|---|---|---|
| You cannot sign in or the session ends | User | Refresh the authentication session and confirm the intended organization. |
| The organization opens but an application does not | Application administrator | Check the application assignment and organization scope in Applications. |
A button is unavailable or an action returns Forbidden | Application administrator | Compare the action with the user’s application permissions. |
A case request remains Pending | Application administrator | Review the approval state in the application where the request was created. |
| An approved case cannot be opened | Application administrator | Verify the case assignment, application scope, and access window. |
| A case contains no transactions | User, then Deployment owner / Arcane support | Clear filters and compare the review period and application contract with the expected transaction. |
| A report cannot be created or downloaded | Application administrator | Check the relevant report permission, case scope, and current application. |
Authentication and membership
The session is missing or expired
The session is missing or expired
The platform rejects requests without a valid authorization token. Messages
such as
Missing authorization token or Invalid or expired token refer to
the session, not to an application permission.- Sign in again through the normal organization login flow.
- Return to the required application from the organization workspace.
- Repeat a read operation first.
There is no active organization membership
There is no active organization membership
No active membership for the selected organization means that the current
user does not have an active membership in that organization.- If the invitation is pending, accept it before using the platform.
- If the membership was suspended, an authorized organization administrator must reactivate it.
- If the user belongs to another organization, sign in through the intended organization instead of reusing a saved application URL.
Time-limited member access has expired
Time-limited member access has expired
When the configured member access expiry passes, the platform blocks the
organization session with
Time-limited access has expired.An authorized administrator can extend access that was configured as
time-limited. Permanent access does not have an expiry to extend. Review the
member’s application assignments and permissions when extending access; a new
membership period does not broaden the previous scope.Owner: Organization administrator.Resolved when: The renewed access period is active and the existing
application scope works as intended.Permissions
Arcane reports the first missing permission asMissing required permission: <permission>. Permissions are evaluated for the
current organization and, where applicable, the current application.
| Action | Required permission | Owner |
|---|---|---|
| View available applications | applications:read | Organization administrator |
| Create or manage an application | applications:create | Organization administrator |
| Manage application administrators | admins:manage_application_administrators | Organization administrator |
| Create a case request | cases:create | Application administrator |
| Withdraw a pending case request | cases:withdraw_pending_request | Application administrator |
| Approve or reject case creation | cases:approve_creation | Application administrator |
| Add or remove case auditors | cases:edit | Application administrator |
| View case transactions and analytics | reports:view_transactions | Application administrator |
| Create a case report | reports:create | Application administrator |
| View the report list | reports:list | Application administrator |
| Download a report | reports:download | Application administrator |
| View application activity | logs:view_activity | Application administrator |
- Confirm the application shown in the current workspace.
- Open the member in User management.
- Review the permission groups for that application assignment.
- Grant only the permission required for the user’s responsibility.
- Reload the workspace and repeat a read operation before retrying a write.
A role name is not proof that a permission is active. Arcane evaluates the
stored permission buckets for the current application.
Organization and application issues
An application is not visible
An application is not visible
Check the following in order:
- The authenticated session belongs to the organization that owns the application.
- The user has
applications:read. - The application appears in Applications.
- The user has an assignment for that application.
- The assignment contains the permission required for the intended action.
The platform returns Application not found
The platform returns Application not found
Application routes are resolved by workspace identifier inside the current
organization. This error can mean that the identifier is incorrect, the
application belongs to another organization, or the application has been
revoked.Return to Applications and open the application from the list. Do not edit
the workspace identifier in the browser address manually.Owner: Organization administrator.Resolved when: The application opens from its organization workspace. A
revoked application remains unavailable.
Case request issues
A case request cannot be submitted
A case request cannot be submitted
Confirm all of the following:
- the requester has
cases:createin the current application; - the request includes a basis, reason, review period, and access duration;
- at least one auditor is assigned;
- every assigned auditor belongs to the same organization, has an assignment
for the current application, and holds
reports:view_transactions; - requested disclosure fields are limited to what the stated purpose requires.
At least one assigned auditor is required means no reviewer was selected.
One or more assigned auditors are invalid for this application means that at
least one selected member does not satisfy the application and permission
requirements.Owner: Requester for request content; Application administrator for access
and assignments.Resolved when: A valid request is recorded as Pending in the current
application.The request remains Pending
The request remains Pending
This is the expected state until an application administrator with
cases:approve_creation records the required approval. A pending request does
not provide access to private evidence.Confirm that the administrator is reviewing the request from the application
where it was created. The requester can withdraw a pending request if it is no
longer required.Owner: Application administrator.Resolved when: The request is approved or rejected and no longer appears as
Pending.Approval or rejection fails
Approval or rejection fails
Review the current request status before trying again:
- a closed request cannot be approved;
- an approved request cannot be rejected as pending;
- the same reviewer cannot record the same approval twice;
- a request from another application or organization is unavailable in the current workspace.
Approved case issues
The platform returns Case not found
The platform returns Case not found
Check the case identifier and current application first. Case lookup also
requires the user’s case assignment and an overlapping application contract
scope.For isolation, an out-of-scope case can be reported as not found. Do not treat
this response as evidence that the case does not exist elsewhere. Ask an
application administrator to verify the assignment and application boundary.Owner: Application administrator.Resolved when: The assigned user opens the case from the application that
owns it. An out-of-scope case must remain unavailable.
The case access window has expired
The case access window has expired
Case access window has expired means the approved case reached the end of its
configured access duration. The platform blocks case details, transactions,
analytics, and case-based report generation after expiry.Changing filters or reassigning the same URL does not extend the approved
window. If review must continue, use the approved case-request workflow to
establish a new access basis and duration.Owner: Requester and Application administrator through the case-request
workflow.Resolved when: A newly approved case provides an active, purpose-bound
access window. The expired case remains closed.An assigned auditor cannot access the case
An assigned auditor cannot access the case
Confirm that:
- the auditor’s organization membership is active;
- time-limited member access has not expired;
- the auditor holds
reports:view_transactionsin the current application; - the case assignment is active and has not been removed;
- the case belongs to the current application and contract boundary;
- the case access window has not expired.
cases:edit. The platform rejects a
duplicate active assignment and an attempt to remove an assignment that is
already removed.Owner: Application administrator.Resolved when: The assigned auditor opens the active case from the intended
application and can view only its approved evidence scope.Transactions and disclosure
No transactions appear in the case
No transactions appear in the case
Use this sequence:
- Clear search, operation-type, and optional date filters.
- Confirm that the case review period includes the expected transaction date.
- Confirm that the case was opened from the correct application.
- Verify that the application’s associated contract is inside the approved case contract scope.
- Record the public or stable transaction identifier and UTC time, if available.
- If the transaction is expected inside the approved boundary but remains absent, escalate with those identifiers. Do not include a private payload.
Report issues
A report cannot be generated
A report cannot be generated
Check that the user has
Owner: User for date selection; Application administrator for permissions
and case scope.Resolved when: The report is created from an active case and remains inside
its approved period.
reports:create, can access the active case, and is
working in the application that owns the case. For a custom date range, both
dates are required, the start cannot be after the end, and the entire range
must remain inside the approved case period.| Message | Meaning |
|---|---|
Invalid custom report period | A required date is missing or the start is after the end. |
Custom report period exceeds approved case scope | The requested report range is broader than the case period. |
Case not found | The case identifier, application, assignment, or contract scope does not resolve for the current user. |
Case access window has expired | The case is no longer available for report generation. |
A report is not listed or cannot be downloaded
A report is not listed or cannot be downloaded
Report creation, listing, and download use separate permissions. Confirm
reports:list for Reports and reports:download for file access. Reports
are organization-scoped; a report identifier from another organization returns
Report not found.Owner: Application administrator.Resolved when: The user can list or download the report in the organization
where it was created.API and integration errors
For API and integration operators
For API and integration operators
Use the HTTP response with the exact error message. The status alone does not
identify every access boundary.
Before retrying a write request, read the relevant record and activity history.
Preserve the UTC time, endpoint, response status, exact error, and a sanitized
request correlation identifier if the deployment provides one.
| Response | Operational meaning |
|---|---|
400 Bad Request | Submitted fields, a date range, an assignment, or the current record state is invalid. Correct the request before retrying. |
401 Unauthorized | The authorization token is missing, invalid, or expired. Sign in again. |
403 Forbidden | Membership, access expiry, permission, assignment, or case-access controls block the action. Identify the exact control before changing access. |
404 Not Found | The resource does not resolve inside the current organization and application scope. Do not infer that it exists or does not exist elsewhere. |
409 Conflict | The action conflicts with recorded workflow state, such as a duplicate approval or incomplete metadata needed to create a case. |
500 Internal Server Error | The platform could not complete an unexpected operation. Preserve the request context and escalate if the error repeats. |
Escalate safely
If the issue remains after the relevant checks, collect:- UTC date and time of the failure;
- organization name and identifier;
- application name and workspace identifier;
- user’s role and the permission named in the error, if any;
- case-request, case, report, or public transaction identifier, where applicable;
- exact error message and response status;
- action performed immediately before the error;
- whether another authorized user with the same scope can reproduce the issue.
Related guidance
Start and setup
Review organization verification and activation.
User management
Review memberships, application assignments, and access expiry.
Create a case
Review the case request, approval, and access lifecycle.
Contact support
Review the approved escalation path and evidence requirements.