Skip to content
  • There are no suggestions because the search field is empty.

User Roles & Permissions in Light

Learn how to manage user permissions in Light — assign roles, configure approval groups, enable MFA, and enforce secure financial controls.

Light uses role-based permissions combined with user groups to control access, approvals, and financial workflows across Accounts Payable (AP), Accounts Receivable (AR), reimbursements, and administration.

  • Roles define what a user can do.

  • User groups define how approvals, workflows, and payment controls are enforced.

Together, they ensure strong segregation of duties and secure payment handling.

Available User Roles

Light provides the following access roles. Users may be assigned one or more roles depending on their responsibilities.

  • Reimbursement – Submit and track expense reimbursements

  • Cardholder – View and manage company card transactions

  • Controller – Oversight of accounting flows, validations, and reporting

  • Admin – Full access, including system configuration and integrations

  • Vendor Management – Maintain vendor master data

  • Invoice Approver – Approve invoices

  • AP Preparation – Prepare invoices for approval and payment runs

  • AP Clerk – Process AP invoices and manage outgoing payments

  • AR Clerk – Manage Accounts Receivable, customer invoicing, and collections

💡 Tip: Combine roles to match real-world responsibilities.
For example, a Finance Manager may require Controller + Invoice Approver access.

Multi-Factor Authentication (MFA)

Light supports Multi-Factor Authentication (MFA) for enhanced login security. When enabled, users must verify access using a second factor (for example, an authenticator app).

💡 Best practice:
Require MFA for Admin, Controller, and any user involved in approvals or releasing payments.

Configuring User Permissions

To configure permissions for a user:

  1. Go to Records → Users

  2. Select the user you want to configure

  3. Assign one or more roles from the list above

  4. Save changes

Permissions apply immediately after saving.

User Groups in Workflows and Payment Runs

While roles control access, user groups are essential for workflow orchestration and approval enforcement.

User groups are used in:

  • Approval Matrices -> Define which group(s) must approve invoices, reimbursements, or payment runs.

  • Workflows -> Route approvals in sequence, for example:

  • Employee → Manager group → Finance group

  • Payment Runs -> Control who must authorize before a payment file is released to the bank.
  • Guardrails -> Enforce compliance rules such as: “At least one member of the Controller group must approve a payment run before release.”

⚠️ Important:
Adding a user to a group does not grant permissions.
Groups only affect workflow participation, approval routing, and payment run guardrails.

 

Internal Controls

Light supports robust internal controls to protect payments and financial data


  1. Vendor Master Data
    1. Creation of new vendors and changes to vendor payment details can be routed for approval before activation.
    2. Typically assigned to the Vendor Management role.
    3. Approval can be required from a Controller or other designated approval group.
  2. Payment Runs

    1. Before a payment file is released, approval guardrails ensure required groups have approved.

    2. Light enforces multi-step approvals, preventing a single user from both preparing and releasing the same payment run.

  3. Reimbursements -> Employee-submitted reimbursements can be:

    1. Reviewed for policy compliance

    2. Approved by a manager group

    3. Reviewed by finance for final approval

User groups define the approval chain, while roles ensure submitters and approvers remain separate.

💡 Best practice:
Align Light’s internal controls with your company’s financial policies to meet audit, compliance, and security requirements.