Guide · Roles & permissions
The 22 permission keys that gate every action in the bridge.
Note: granular per-role permissions are on the roadmap — not live yet. Multi-user and multi-company access are live today. This guide previews the planned permission model: every key, what it gates, and the role patterns most teams will settle into.
Invoice lifecycle keys.
- invoices.view: read access to the invoice list and detail panel.
- invoices.create: create a new draft invoice (manual or via API).
- invoices.update: edit an existing draft invoice.
- invoices.submit: submit a draft to LHDN (the moment of compliance).
- invoices.cancel: cancel an approved invoice within the 72h LHDN window.
- invoices.downloadPdf: download the rendered invoice PDF with the LHDN QR.
CSV upload + management.
- documents.view: list and inspect uploaded CSV batches.
- documents.upload: upload a new CSV file.
- documents.delete: remove an uploaded CSV (does not undo submissions).
Customers + products.
- customers.view / customers.create / customers.update: counterparty catalog.
- products.view / products.create / products.update: product / service catalog used to pre-fill line items.
Company, roles, and integrations.
- company.view / company.update / company.logo.update: workspace settings.
- integrations.view / integrations.manage: M2M credentials minting and revocation.
- roles.assignPermissions: the meta-permission (only assign to trusted admins).
What sits outside RBAC entirely.
Two surfaces are owner-only by design; they're never grantable via RBAC, regardless of the role you build:
- Activity audit log: readable by company owners only. See the audit-log guide for the full action-type list.
- Owner-only billing + plan changes (subject to the Partner tier's branded-dashboard exceptions).
Last updated · July 2026
Independent reference. MyInvois is operated by LHDN. We are not affiliated with LHDN.