Permissions & roles
Access in the Hub is decided in three layers: the bank's edition sets what's available, the role sets what a person can do, and the system always explains why something is locked rather than just hiding it. No dead ends, no mystery.
The model
Three gates, in order. A capability is granted only when all three allow it.
Edition
The bank's subscription — Core, plus optional Mortgage, Trust, Wealth. Sets which programs exist at all.
Role
What a person can do within what the edition offers — view, edit, file, administer.
Entitlement
The resolved answer for this person, on this screen — granted, read-only, or locked with a reason.
Entitlement matrix
Capabilities by role, for the Core edition.
| Capability | Bank Admin | BSA Officer | Analyst | Read-only |
|---|---|---|---|---|
| View programs & obligations | ||||
| Run workflows | ||||
| File CTR / SAR | ||||
| Edit policies & evidence | ||||
| Manage members & roles | ||||
| Export the audit trail |
Roles
Bank Admin
Full control for the institution, including members, roles, and edition settings. Usually the Compliance Manager.
BSA Officer
Files and decisions across programs — the designated compliance authority. Cannot manage other members.
Analyst
Does the day-to-day work — workflows, evidence, drafting — but filing and member management are reserved.
Read-only
Auditors, examiners, board members. Sees everything relevant; changes nothing.
Locked, with a reason
Two ways access is withheld — and both explain themselves. We never silently hide a feature.
Filing is reserved for the BSA Officer
You're signed in as an Analyst. You can prepare this CTR; Dana Reyes can file it.
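The gate order and the "locked, with a reason" rule above, sketched as an added example (this is not the Hub's own code). The function, capability keys and reason wording are hypothetical, and the grants are taken only from the role descriptions on this page, so any cell the page does not state is denied by default.

```python
from dataclasses import dataclass

# Constructed grants, taken only from the role descriptions on this page.
# Cells the page does not state are omitted, so they fail closed.
ROLE_GRANTS = {
    "Bank Admin": {"view", "run_workflows", "file", "edit",
                   "manage_members", "export_audit"},
    "BSA Officer": {"view", "file"},
    "Analyst": {"view", "run_workflows", "edit"},
    "Read-only": {"view"},
}
# Role named in the lock reason for reserved capabilities.
RESERVED_FOR = {"file": "BSA Officer", "manage_members": "Bank Admin"}
# Assumption: a mutating capability degrades to read-only if the role can view.
MUTATING = {"edit"}

@dataclass(frozen=True)
class Entitlement:
    state: str   # "granted" | "read-only" | "locked"
    reason: str  # never empty unless state is "granted"

def resolve(edition, role, program, capability):
    """Apply the gates in order (edition, then role) and return the entitlement."""
    # Gate 1: the edition decides whether the program exists at all.
    if program not in edition:
        return Entitlement("locked", f"{program} is not part of this bank's edition")
    grants = ROLE_GRANTS.get(role, set())  # an unknown role gets no grants
    # Gate 2: the role decides what the person can do inside the edition.
    if capability in grants:
        return Entitlement("granted", "")
    if capability in MUTATING and "view" in grants:
        return Entitlement("read-only", f"Role {role} can view this but not change it")
    owner = RESERVED_FOR.get(capability)
    if owner:
        return Entitlement("locked", f"Reserved for the {owner}; your role is {role}")
    return Entitlement("locked", f"Role {role} does not include this capability")
```

Every path that does not grant returns a non-empty reason, so the caller has nothing to hide silently; a test that walks all role and capability pairs can enforce that property.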