Understand user roles
Mod AI uses a two-level role system. Knowing your role tells you which features are available to you and who to ask when you need different access.
Two layers
- Organization roles. Control access to organization-wide settings, billing, and user management across every entity in your organization.
- Entity roles. Control what you can do inside a specific entity, like processing invoices, approving, or managing settings.
You hold one organization role, plus one entity role per entity. For example, you can be an organization Member with Administrator in one entity and AP Specialist in another.
Organization roles
| Role | What it covers |
|---|---|
| Administrator | Full organization access. Manages organization settings, invites and removes users, and configures entities. Holds every primary and company permission via wildcards. |
| Member | Organization-level identity only. Company access comes from the entity roles you hold. |
Ownership transfer and other organization-wide ownership questions are handled by Mod AI support. Contact support@usemod.ai if you need help.
Entity roles
Five built-in entity roles cover the standard access patterns most AP teams use. Built-in roles are immutable and cannot be deleted. Custom roles can be created on top of these.
Administrator
Full control over the entity. Administrators manage settings, configure integrations, set up approval policies, customize the Agent, and process invoices. Usually held by the AP manager or controller responsible for the entity.
Controller
Finance leadership. Approves at any tier, holds, cancels, exports, and oversees AP operations. Suited to controllers and finance leads who own day-to-day oversight without needing settings-level write access.
AP Specialist
Owns invoice intake and processing. Creates, edits, validates, approves, rejects, deletes, restores, and routes invoices. The most common role for AP team members handling daily invoice processing.
Approver
Reviews and approves or rejects invoices routed to them. Limited access to settings and cannot manage users. Ideal for department heads or budget owners who only need to approve spend.
If an Approver holds no other roles, they see the restricted approver mode, which hides everything except invoices waiting on their approval.
Auditor
Read-only access to all data in the entity. Auditors can view invoices, purchase orders, receipts, vendors, and approval history but cannot make changes. Designed for internal or external audit work.
Permission table
| Permission | Administrator | Controller | AP Specialist | Approver | Auditor |
|---|---|---|---|---|---|
| View invoices | Yes | Yes | Yes | Yes | Yes |
| Edit invoices | Yes | Yes | Yes | Yes | No |
| Upload invoices | Yes | Yes | Yes | No | No |
| Approve or reject invoices | Yes | Yes | Yes | Yes | No |
| Hold, resume, cancel invoices | Yes | Yes | Yes | Yes | No |
| Manage vendors and other fields | Yes | View | View | View | View |
| Manage approval policies | Yes | Yes | No | No | No |
| Customize the Agent | Yes | Yes | Yes | No | No |
| Manage users | Yes | No | No | No | No |
| Manage entity settings | Yes | No | No | No | No |
| View activity log | Yes | Yes | Yes | Yes | Yes |
If you are not sure which role you have, ask your entity Administrator. They can view and update roles in Entity Users settings.
Custom roles
If the built-in five do not exactly match a particular team member's responsibilities, an Administrator can create a custom role with any combination of permissions. See Roles and permissions for the role editor.
How roles get assigned
Administrators (or organization Administrators) assign roles when inviting a user or updating an existing user's access.
- When you are invited, the Administrator selects both your organization role and your entity role for each entity.
- After you join, an Administrator can change your entity role at any time in Entity Users settings.
- You cannot change your own role. If you need different access, ask your entity Administrator.
Lock icons
A lock icon next to a sidebar item means your current role does not have access to that section.
- Administrators, Controllers, AP Specialists, and Auditors see no locks on the top-level sidebar. Auditors can view everything but editing actions are disabled inside each section.
- Approvers see a lock on Inbox because their work is routed through individual approval requests rather than the shared inbox queue. If their only role is Approver, they see the restricted approver view instead and Inbox is hidden entirely.
- Settings, which lives in the avatar menu rather than the sidebar, is gated by
company:settings:manage— only Administrators have it by default.
If you need access to a locked section, ask your entity Administrator.
