2. Roles & permissions
Every user has one role per tenant. Roles are set on the Users page (chapter 9).
| Role | Can do | Cannot do |
|---|---|---|
| Organisation admin | Everything inside this tenant: manage users, donors, organisational units, cycle templates, Odoo connection, plus all grant lifecycle actions and budget edits. | Cross-tenant actions (those require Superadmin). |
| Finance officer | Edit budgets, push to Odoo, refresh actuals, advance/award/withdraw applications, edit grants. | Manage users / donors / organisational units / cycles. Touch the Odoo connection. |
| Programme officer | Applications + projects (create, edit, advance, award, withdraw, duplicate). Notes, team, documents. Refresh actuals. | Edit budgets or push them to Odoo. Manage tenant settings. |
| Reviewer | Read everything. Advance / reject applications. Post notes. | Edit anything financial or structural. Award. Withdraw. |
| Light / Portal | Read-only access, plus post notes. | Upload documents. Transition applications. Any write action. |
Superadmin is orthogonal: it crosses tenants. Used by RF for support; you'll rarely see this role inside the tenant UI.
How permissions surface in the UI. Buttons you can't use are hidden, not disabled. If you expect to see a button and don't, check your role with the Organisation admin.