Skip to content
Guide · Roles & permissions

The 22 permission keys that gate every action in the bridge.

Note: granular per-role permissions are on the roadmap — not live yet. Multi-user and multi-company access are live today. This guide previews the planned permission model: every key, what it gates, and the role patterns most teams will settle into.

Invoices

Invoice lifecycle keys.

  • invoices.view: read access to the invoice list and detail panel.
  • invoices.create: create a new draft invoice (manual or via API).
  • invoices.update: edit an existing draft invoice.
  • invoices.submit: submit a draft to LHDN (the moment of compliance).
  • invoices.cancel: cancel an approved invoice within the 72h LHDN window.
  • invoices.downloadPdf: download the rendered invoice PDF with the LHDN QR.
Documents

CSV upload + management.

  • documents.view: list and inspect uploaded CSV batches.
  • documents.upload: upload a new CSV file.
  • documents.delete: remove an uploaded CSV (does not undo submissions).
Catalog

Customers + products.

  • customers.view / customers.create / customers.update: counterparty catalog.
  • products.view / products.create / products.update: product / service catalog used to pre-fill line items.
Workspace

Company, roles, and integrations.

  • company.view / company.update / company.logo.update: workspace settings.
  • integrations.view / integrations.manage: M2M credentials minting and revocation.
  • roles.assignPermissions: the meta-permission (only assign to trusted admins).
Owner-only

What sits outside RBAC entirely.

Two surfaces are owner-only by design; they're never grantable via RBAC, regardless of the role you build:

  • Activity audit log: readable by company owners only. See the audit-log guide for the full action-type list.
  • Owner-only billing + plan changes (subject to the Partner tier's branded-dashboard exceptions).

Last updated · July 2026

Independent reference. MyInvois is operated by LHDN. We are not affiliated with LHDN.