← systeric.com Interwise / Docs Open App →

Roles & Access

Every user in Interwise has exactly one role, and that role determines two things: what they can see (their scope — platform, tenant, company, or just themselves) and what they can do within that scope. This page documents the real role model end to end: the six roles, how they nest, and the tenant isolation that keeps one customer’s payroll data completely invisible to another.


The Role Taxonomy

Roles form a strict hierarchy. Each one below SUPERADMIN operates inside a progressively narrower scope than the one above it.

  • SUPERADMIN — the platform owner. Operates above all tenants: it has no organization membership and no active company, so it is not subject to tenant data isolation the way every other role is. It manages tenants, invites, and commercial contracts. Critically, SUPERADMIN is confined to platform administration — it must never touch payroll, employees, or any tenant’s operational data. It is the only cross-tenant role in the system, and it is deliberately walled off from everything a SUPERADMIN doesn’t need to see.
  • TENANT_ADMIN — owns one tenant (one customer organization). Manages all of that tenant’s companies, users, and settings, and is the one who creates the tenant’s first company after onboarding. Invites the rest of the tenant’s users.
  • COMPANY_ADMIN — scoped to one company within a tenant. Full admin powers for that company, including running payroll.
  • PAYROLL_ADMIN — scoped to one company. Runs payroll operations for that company without the broader admin powers COMPANY_ADMIN has.
  • VIEWER — scoped to one company. Read-only: can see company data (reports, payroll history, employee records) but cannot change anything.
  • EMPLOYEE — self-service only. Can see their own payslips, attendance, and leave through /me/* — nothing about any other employee, and nothing at the company or tenant level.

A tenant can be a single company, or a holding group running several legal entities — TENANT_ADMIN is the one role that spans all of them, while COMPANY_ADMIN, PAYROLL_ADMIN, VIEWER, and EMPLOYEE are each scoped to a single company inside that tenant.


Hierarchy & Scope

The pyramid narrows as scope narrows: one SUPERADMIN oversees the whole platform, while every company has many EMPLOYEE users at the base.

ROLE SCOPE SUPERADMIN Platform — all tenants TENANT_ADMIN Tenant — all companies COMPANY_ADMIN One company PAYROLL_ADMIN One company — payroll VIEWER One company — read only EMPLOYEE Self — /me only

The dashed line between SUPERADMIN and everyone else is not decoration — it marks a real architectural boundary. SUPERADMIN has no organization membership, so it never crosses down into tenant-scoped data, and every role below it never crosses up into platform administration.


Tenant Isolation

Interwise is multi-tenant: many customer organizations share one platform, and their data must never mix. This is enforced at the database level, not just in application code — every tenant-scoped table has row-level security (RLS) that restricts each query to the current tenant’s rows. A TENANT_ADMIN at one company can never see, by any query path, another tenant’s employees, payroll runs, or settings.

SUPERADMIN is the deliberate exception, and it cuts the other way: it is the only role that can act across tenants, and it does so through a completely separate, explicitly-guarded surface reserved for platform operations — provisioning tenants, managing invites, and administering commercial contracts. In exchange for that cross-tenant reach, SUPERADMIN is walled off from the operational side entirely: it cannot open a payroll run, view an employee record, or touch anything a TENANT_ADMIN, COMPANY_ADMIN, or EMPLOYEE would normally see. Platform access and operational access never overlap in the same role.

Within a tenant, scoping narrows one more time from tenant to company: TENANT_ADMIN sees every company under its tenant, while COMPANY_ADMIN, PAYROLL_ADMIN, VIEWER, and EMPLOYEE are each pinned to one company at a time. This is what lets a holding group run several legal entities from one tenant while still giving each company’s local team a scope limited to their own company.


Capability Table

RoleScopeCapabilities
SUPERADMINPlatform (cross-tenant)Provision and manage tenants, invites, and commercial contracts. No payroll or employee access.
TENANT_ADMINTenant (all companies)Manage companies, users, and tenant-wide settings; create the tenant’s first company; invite users.
COMPANY_ADMINOne companyFull admin powers for the company, including running payroll.
PAYROLL_ADMINOne companyRun and manage payroll for the company.
VIEWEROne companyRead-only access to company data — no changes.
EMPLOYEESelf (/me/*)View own payslips, attendance, and leave balance.

Where to Go Next

  • Overview — what Interwise is, the modules it’s built from, and the core loop from hiring a candidate to a compliant payslip.

More guides on payroll configuration and company setup are on the way.