Skip to content

Access control and audit

Every purchase record is controlled, isolated and logged, so your procurement stays compliant and accountable.

Purchase actions are deny-by-default behind module permissions, view, create, edit, cancel, approve, receipt and return. If you lack the permission for an action, you’re refused. Beyond the module permission, in-action rules apply too, for example, you can’t approve your own PO, and where a distinct approver is required, that’s enforced.

Every purchase record, orders, goods receipts, material requests, returns and vendor invoices, is scoped to your organisation. A user in one organisation can never read or write another’s purchase records.

PO state changes and approval decisions (approve/reject, with comment, actor and time) write append-only audit entries. These entries can’t be edited or deleted, and are visible only within your organisation, giving you a complete, tamper-evident record for compliance.