Roles and permissions
The NoFrixion platform uses a flexible roles and permissions system to control what each user can see and do. Understanding how this works is key to managing access across your organisation securely and effectively.
This system follows a model known as Role-Based Access Control (RBAC) — a widely adopted way to manage permissions by assigning users to roles instead of managing access user-by-user.
What roles and permissions are
Every user on the platform is granted access through roles. A role is simply a named collection of permissions — each permission gives access to a specific capability, like viewing transactions, creating payouts, or managing users.
For example, a role called “Viewer” might include permissions to:
View transactions
View payment requests
View payouts
Whereas a role called “Payments Manager” might include additional permissions, like:
Create and authorise payouts
Create payment requests
Roles are designed to be flexible — users can have more than one role, and the permissions from all their roles are combined. This means access is additive: if two roles grant different permissions, the user gets both. There are no “negative” permissions and no built-in hierarchy between roles — a role is only as powerful as the permissions it contains.
Assigning roles to users
Users are invited to a merchant by someone with permission to manage users. Once a user accepts the invitation, they won’t be able to do anything until at least one role has been assigned.
Anyone with the right permission can assign one or more roles to a user, either using default roles provided by NoFrixion or by creating custom roles that reflect your organisation’s needs.
Example
A new finance team member is invited to your merchant. You assign them a custom role called “Junior Finance” that allows them to:
View account transactions
Export statements
View payment requests
View payouts
Later, as their responsibilities grow, you can assign a second role that gives them permission to authorise payouts.
Account-specific access
In NoFrixion, a merchant can have multiple payment accounts. Roles can apply to all accounts, or be limited to specific ones. This lets you tailor access as precisely as you need.
Example
You might want your Irish finance team to have access to your EUR account, but not your GBP or USD accounts. You can assign them a role scoped only to the EUR account.
Users can also have different roles across different accounts — for instance, view-only access to one account and full authorisation rights on another.
Multi-merchant support
A single user can be part of multiple merchants. Each merchant manages that user’s roles independently. There’s no shared access or role inheritance across merchants — it’s as if the user starts fresh each time they’re invited.
Example
A freelance accountant might work with several businesses using NoFrixion. They can be invited to each merchant separately and assigned different roles based on the work they do for each client.
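The access rules described above (additive roles, account scoping, and per-merchant independence) can be modelled in a few lines, which is useful when reviewing who can do what. This is an added illustration, not NoFrixion code or its API; the `Assignment` structure and the permission, role, merchant and user names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Assignment:
    """One role held by a user on one merchant (hypothetical structure)."""
    merchant: str
    role: str
    permissions: frozenset
    accounts: Optional[frozenset] = None  # None = role applies to all accounts

def effective_permissions(assignments, merchant, account):
    """Union of permissions from every role that covers this merchant and account."""
    granted = set()
    for a in assignments:
        if a.merchant != merchant:
            continue  # roles are never shared or inherited across merchants
        if a.accounts is not None and account not in a.accounts:
            continue  # role is scoped to other accounts
        granted |= a.permissions  # additive: no negative permissions, no hierarchy
    return granted  # empty set = invited but no applicable role, so no access

def who_can(users, merchant, account, permission):
    """Access-review helper: users holding `permission` on this merchant account."""
    return sorted(name for name, assignments in users.items()
                  if permission in effective_permissions(assignments, merchant, account))

# Constructed sample data; every name below is made up for the example.
VIEW = frozenset({"view_transactions", "view_payment_requests", "view_payouts"})
USERS = {
    "aoife": [
        Assignment("acme", "Viewer", VIEW),
        Assignment("acme", "Payout Authoriser",
                   frozenset({"authorise_payouts"}), frozenset({"EUR"})),
    ],
    "accountant": [
        Assignment("acme", "Viewer", VIEW, frozenset({"GBP"})),
        Assignment("globex", "Payments Manager",
                   VIEW | {"create_payouts", "authorise_payouts"}),
    ],
    "invited_only": [],
}

if __name__ == "__main__":
    for account in ("EUR", "GBP"):
        print(account, who_can(USERS, "acme", account, "authorise_payouts"))
```

Because access is additive, the only way to reduce what a user can do is to remove or narrow a role, so a review like `who_can` should be run over every account for sensitive permissions such as payout authorisation.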
The “Owner” role
Every merchant has one special role called Owner. This role:
Can only be held by one user at a time
Can only be reassigned with NoFrixion’s approval
It’s typically assigned to the first user who sets up the merchant. From there, the Owner can manage all other roles and users.
Consistent and secure
Permissions are enforced consistently across the entire platform — including the business portal, APIs, and any integrated services like notifications or exports. If a user doesn’t have permission to perform an action, they won’t see the option to do so — and API requests will be rejected as well.