Roles & permissions

Sukrit Nidhi has a deliberately small role model with a hard separation between platform concerns (running the service) and tenant concerns (running one centre’s books). A user’s capabilities come from exactly one place — and never from two.

The three levels

  • Platform Admin: Sukrit Nidhi staff
  • Tenant Admin: one per tenant, at minimum
  • Tenant User: does the actual accounting

| Level | Scope | What they can do | What they cannot do |
|---|---|---|---|
| Platform Admin | The Sukrit Nidhi platform (no tenant) | Provision new tenants; seed the first Tenant Admin for each tenant; suspend / archive tenants; inspect any tenant read-only; unlock a tenant’s closed period (with reason + step-up); build audit bundles; grant external auditor scopes; read the platform-wide audit log. | Cannot record donations, pay expenses, create master data, or approve anything inside a tenant. The service layer refuses writes from a Platform Admin who does not also hold a Tenant role. |
| Tenant Admin | One tenant | Everything a Tenant User can do, plus: invite / disable users in the tenant; approve or reject expenses; post approved expenses; lock a period; void posted transactions; manage the tenant’s master data; read the tenant’s audit log. | Cannot see or touch any other tenant. Cannot provision tenants. Cannot unlock a period — only a Platform Admin can. |
| Tenant User | One tenant | Record donations; submit expenses for approval; create and edit donors / vendors / categories; upload attachments; read every report and statement for the tenant; read the tenant’s audit log. | Cannot approve their own (or anyone else’s) expenses. Cannot lock a period. Cannot invite or disable users. Cannot build audit bundles. |
| External Auditor (READ_ONLY_AUDITOR scope) | One tenant + a date window | Read every posted transaction and every audit-log row for the tenant inside the granted date window. Download the generated audit bundles for that window. | Cannot create, edit, void, or approve anything. Cannot see data outside the granted date window. Cannot build new bundles. Access automatically expires on the scope end date. |

How a user acquires a level

  • Platform Admin is a flag on the User row (is_platform_admin). The very first one is bootstrapped with a management command on a new deployment; after that, existing Platform Admins can promote other Sukrit Nidhi staff from the Users & Roles page.
  • Tenant Admin and Tenant User are entries in the UserTenantRole table — one row per (user, tenant, role) tuple. A user can hold a Tenant Admin role in Pune and a Tenant User role in Mumbai at the same time.
  • External Auditor scopes are granted by a Platform Admin with an explicit start and end date. They are time-boxed by design.

A Platform Admin and a Tenant Admin are different people except in a single-person NGO. The right mental model is: the Platform Admin is us (the people who run Sukrit Nidhi); the Tenant Admin is you (the person who runs the centre’s books). Mixing the two is a segregation-of-duties failure.

Segregation of duties inside a tenant

Sukrit Nidhi enforces a few SoD rules at the service layer so one tenant user can never complete the full expense pipeline alone:

  • A user who submits an expense cannot also approve it — it has to be a different Tenant Admin.
  • A user who approves an expense cannot be its payee.
  • Voiding a posted donation or expense requires step-up re-authentication, regardless of role.
  • Locking or unlocking a period requires step-up and writes a paired audit event.
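
The two approval rules above, combined with the rule that a Platform Admin without a tenant role cannot write inside a tenant, as an added Python example (not Sukrit Nidhi's own code). Only `is_platform_admin` and `UserTenantRole` are names from this page; the role labels, classes, function and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

TENANT_ADMIN, TENANT_USER = "TENANT_ADMIN", "TENANT_USER"  # assumed role labels

@dataclass(frozen=True)
class User:
    id: int
    is_platform_admin: bool = False  # flag named on the page

@dataclass(frozen=True)
class Expense:
    tenant: str
    submitted_by: int
    payee_user_id: Optional[int] = None  # None: payee is an outside vendor

def approval_denial(roles, approver, expense):
    """Return None if `approver` may approve `expense`, else the reason.

    `roles` stands in for the UserTenantRole table: a set of
    (user_id, tenant, role) tuples.
    """
    # Authority comes only from a role row in the expense's own tenant.
    # is_platform_admin is deliberately never consulted, so a Platform
    # Admin without a tenant role is refused like any other outsider.
    if (approver.id, expense.tenant, TENANT_ADMIN) not in roles:
        return "not a Tenant Admin of this tenant"
    if approver.id == expense.submitted_by:
        return "submitter cannot approve their own expense"
    if approver.id == expense.payee_user_id:
        return "approver cannot be the payee"
    return None

# Constructed sample data (not from the product).
ROLES = {
    (1, "Pune", TENANT_ADMIN), (1, "Mumbai", TENANT_USER),
    (2, "Pune", TENANT_ADMIN),
    (4, "Pune", TENANT_USER),
}
alice, bala = User(1), User(2)
staff = User(3, is_platform_admin=True)  # no tenant role anywhere
clerk = User(4)
pune_exp = Expense("Pune", submitted_by=4, payee_user_id=2)
own_exp = Expense("Pune", submitted_by=1)
mumbai_exp = Expense("Mumbai", submitted_by=9)

if __name__ == "__main__":
    for who, exp in [(alice, pune_exp), (bala, pune_exp), (alice, own_exp),
                     (alice, mumbai_exp), (staff, pune_exp), (clerk, own_exp)]:
        print(who.id, exp.tenant, approval_denial(ROLES, who, exp) or "allowed")
```

Because the check keys on the expense's tenant, user 1's Tenant Admin role in Pune gives no authority over a Mumbai expense, where the same user is only a Tenant User.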

Granting a role

If you are a Platform Admin

  1. Provision the tenant (see Provisioning a new centre). The provisioning command will create the first Tenant Admin for you.
  2. Hand that Tenant Admin their one-time credentials. From that point on, they invite the rest of the tenant’s users.
  3. You should never need to invite ordinary Tenant Users directly — that’s the Tenant Admin’s job.

If you are a Tenant Admin

  1. Go to Users & Roles in the sidebar.
  2. Click Invite user.
  3. Enter the email and full name, and pick the role: Tenant Admin (a deputy) or Tenant User (an accountant role).
  4. Sukrit Nidhi shows a one-time temporary password; share it over a secure channel. The new user sets their own password and enrolls MFA on first sign-in.

A Tenant Admin cannot grant Platform Admin from the invite form. Promoting someone to Platform Admin is intentionally kept separate — it requires an existing Platform Admin to perform the promotion.

Revoking a role

Revoke from the same Users & Roles screen. The user’s existing sessions are invalidated at the next request; they see a re-authentication required page. The event is audit-logged as USER_ROLE_REVOKED.

Revoking a role does not delete the user’s account or the history of actions they took while the role was active. Audit rows are immutable.