Monite account structure

Learn about the different layers of security access to the data stored within Monite.

Overview

The Monite API secures access to the data stored within the platform through the following layers, each narrower in scope than the one above it:

Partner

A partner is a company that implements Monite API in its app or platform. This is a mandatory layer.

The development teams of partners connect to the Monite API with partner-level (admin) access tokens. These admin tokens let partners create and configure entities and access all resources of all entities they develop software for.

Entity

A customer of a partner, an entity, is either an organization or an individual. Each partner develops for one or more entities. Using the ID of an entity, it is possible to obtain root access to all resources related to that specific entity, and to no other.

For example, Beispiel GmbH and Example Inc are both customers of NeobankA. Tokens issued for Beispiel GmbH only give access to the resources associated with Beispiel GmbH. Access to the resources of Example Inc with those tokens is not possible.

Note: Monite does not check access permissions on this mandatory layer. Deciding which of its own users may obtain a token for a given entity is the responsibility of the partner.

Entity user

Entity users are the employees who work for an entity. This optional layer is for partners who want to use Monite's security model for rapid development rather than build their own access control logic.

Using the Monite API, partners create customizable entity-level roles and permissions. Monite then enforces these access policies on every API call made with an entity user token.

For example, Maria is an accountant at Beispiel GmbH. Maria's access token gives access to resources within Beispiel GmbH according to Maria's permissions.

Connect entities

Partners must first map each customer as an entity in Monite before they can execute any business operations for that customer. This keeps the data of different entities separate and ensures that each entity can access only its own data.

Each entity registers its operations and stores financial documents, such as payables or bank transactions, through an interface developed by the partner. Monite stores and processes these documents in a space dedicated to that entity.

Connect entity users

Partners may need to implement role-based access control to meet the needs of entities and entity users. The main purposes of user roles are:

  • Restrict access to sensitive data and actions: Hide different levels of company information from different roles, or prevent specific roles from completing tasks such as executing payments in the name of the entity.
  • Delegate tasks among coworkers: Delegated tasks automatically respect the information and role restrictions.
  • Monitor system changes: Check who added information or changed entity data in Monite.

The best practice is to use the following user roles for each entity:

  • Administrator: Superuser for financial processes who also manages users.
  • Power user: Superuser for financial processes, without user management.
  • Sender: Submits payables to Monite.
  • Approver: Submits payables and participates in approval policies.
  • Accountant: Reconciles transactions with payables and exports files for accounting.

The following describes, for each user right that partners can parameterize, the recommended access level for each role:

  • User management
    • Administrator: View, modify, add, or delete any user role or user account
    • Power user, Sender, Approver, Accountant: No rights
  • Payable management
    • Administrator, Power user: View, modify, add, or delete any payable in any status or approval step
    • Sender: Add payables to Monite and follow their lifecycle as an observer; a sender cannot update a payable once it is uploaded to Monite
    • Approver: Add payables to Monite and follow their lifecycle as an observer; approvers also take part in approval policies and approve payables
    • Accountant: No rights
  • Comment payables
    • Administrator, Power user: View or add any comment on any payable
    • Sender: Cannot comment on payables after validation
    • Approver: Comment on payables after validation, in the approval policies they were selected for
    • Accountant: No rights
  • Create a To Do task
    • Administrator, Power user: View, modify, add, or delete any task for payables in any status
    • Sender, Approver, Accountant: No rights
  • Mute a To Do task
    • Administrator, Power user: Mute any task for any payable
    • Approver: Mute their own tasks
    • Sender, Accountant: No rights
  • Transactions
    • Administrator, Power user: View or execute any payment operation
    • Sender, Approver, Accountant: No rights
  • Reconcile payables
    • Administrator, Power user, Accountant: Link any file to any transaction
    • Sender, Approver: No rights
  • Export payables
    • Administrator, Power user, Accountant: Export any file from the system
    • Sender, Approver: No rights
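The three access layers described above (partner, entity, entity user) and the recommended role matrix, as an added Python model that is not Monite's own code. The Token class, the ENTITY_OWNER and ENTITY_USERS registries, the "resource:action" permission names, the user IDs and the sample calls are assumptions made for this illustration; only the layer semantics and the role rights come from this page. The model makes the two checks a practitioner cares about explicit: a token scoped to Beispiel GmbH is refused for Example Inc whatever its role, and an entity user token is filtered by role-conditional rules (a sender cannot update an uploaded payable or comment after validation, an approver mutes only its own tasks), while an entity-level token is root inside its entity with no per-user check at all.

```python
"""Model of Monite's access layers and recommended role matrix (constructed
illustration; only the layer semantics and the role rights come from the page).
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Ctx = Dict[str, object]

@dataclass(frozen=True)
class Token:
    layer: str                       # "partner" | "entity" | "entity_user"
    partner_id: str
    entity_id: Optional[str] = None  # set on entity and entity_user tokens
    user_id: Optional[str] = None    # set on entity_user tokens only
    role: Optional[str] = None       # set on entity_user tokens only

Predicate = Callable[[Ctx, Token], bool]

# Assumed registries standing in for what Monite records: which partner
# created each entity, and each entity user's entity and role.
ENTITY_OWNER: Dict[str, str] = {"ent_beispiel": "ptr_neobanka", "ent_example": "ptr_neobanka"}
ENTITY_USERS: Dict[str, Tuple[str, str]] = {"usr_maria": ("ent_beispiel", "accountant"),
                                            "usr_jonas": ("ent_beispiel", "approver"),
                                            "usr_lena": ("ent_beispiel", "sender")}

def always(ctx: Ctx, tok: Token) -> bool:
    return True

def own_task(ctx: Ctx, tok: Token) -> bool:          # approvers mute only their own tasks
    return ctx.get("task_owner") == tok.user_id

def before_validation(ctx: Ctx, tok: Token) -> bool:  # senders cannot comment after validation
    return ctx.get("payable_status") != "validated"

def selected_approver(ctx: Ctx, tok: Token) -> bool:  # approvers comment after validation, in their policies
    return ctx.get("payable_status") == "validated" and tok.user_id in ctx.get("approvers", ())

def allow(*perms: str, when: Predicate = always) -> Dict[str, Predicate]:
    return {p: when for p in perms}

# Role matrix from the page, keyed "resource:action"; a missing key means no rights.
ROLE_PERMISSIONS: Dict[str, Dict[str, Predicate]] = {
    "administrator": {
        **allow("user:view", "user:create", "user:update", "user:delete"),
        **allow("payable:view", "payable:create", "payable:update", "payable:delete", "payable:approve"),
        **allow("comment:view", "comment:create"),
        **allow("task:view", "task:create", "task:update", "task:delete", "task:mute"),
        **allow("transaction:view", "transaction:execute"),
        **allow("reconciliation:create", "export:create"),
    },
    "sender": {
        **allow("payable:view", "payable:create"),        # observes the lifecycle, never updates
        **allow("comment:create", when=before_validation),
    },
    "approver": {
        **allow("payable:view", "payable:create", "payable:approve"),
        **allow("comment:create", when=selected_approver),
        **allow("task:mute", when=own_task),
    },
    "accountant": allow("reconciliation:create", "export:create"),
}
# Power user: everything the administrator has, minus user management.
ROLE_PERMISSIONS["power_user"] = {p: f for p, f in ROLE_PERMISSIONS["administrator"].items()
                                  if not p.startswith("user:")}

def issue_token(partner_id: str, entity_id: Optional[str] = None,
                user_id: Optional[str] = None) -> Token:
    """Mint a token for the narrowest layer the arguments describe."""
    if entity_id is None:
        return Token("partner", partner_id)
    if ENTITY_OWNER.get(entity_id) != partner_id:
        raise PermissionError("entity was not created by this partner")
    if user_id is None:
        return Token("entity", partner_id, entity_id)
    user_entity, role = ENTITY_USERS[user_id]
    if user_entity != entity_id:
        raise PermissionError("user does not belong to this entity")
    return Token("entity_user", partner_id, entity_id, user_id, role)

def authorize(tok: Token, entity_id: str, permission: str, ctx: Optional[Ctx] = None) -> bool:
    """Decide one API call: (token, target entity, "resource:action", call context)."""
    ctx = ctx or {}
    if tok.layer == "partner":      # admin token: every resource of every entity of this partner
        return ENTITY_OWNER.get(entity_id) == tok.partner_id
    if tok.entity_id != entity_id:  # entity isolation, whatever the role
        return False
    if tok.layer == "entity":       # root within the entity; Monite makes no per-user check here
        return True
    check = ROLE_PERMISSIONS.get(tok.role or "", {}).get(permission)
    return check is not None and check(ctx, tok)

if __name__ == "__main__":
    maria = issue_token("ptr_neobanka", "ent_beispiel", "usr_maria")   # accountant
    print(authorize(maria, "ent_beispiel", "export:create"))            # True
    print(authorize(maria, "ent_beispiel", "transaction:execute"))      # False
    print(authorize(maria, "ent_example", "export:create"))             # False: other entity
```

The conditional rights (own task, validation status, selected approvers) are passed in as call context rather than baked into the role, which is the shape a partner needs whether Monite evaluates the ACL or the partner does it externally: the role answers "may this kind of user do this", the context answers "on this particular payable or task".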

Monite security models

To seamlessly integrate and map user roles and rights into your app or platform, partners can use one of these approaches:

  • (Recommended) Monite security: Access to the Monite API is controlled using ACLs (access control lists) and access tokens. Entities map all their entity users into Monite and configure ACL rights for these users in Monite. Partners issue entity user access tokens for further API calls, and Monite applies the ACL on every call made with such a token. The advantages are:

    • Lowest effort to integrate the system and fastest time to market.
    • The ACL is handled by Monite.
    • Monite has a full record of the entity users and roles the partner has implemented.
  • External security: Partners handle access control outside Monite and make all calls using the entity-level token. Because entity-level tokens give root access to entity data, Monite receives no information about user logins or user access rights. The disadvantages are:

    • Higher implementation complexity and greater risk of data incidents: every call carries root access to the entity, so any authorization mistake in the partner's own layer reaches Monite with full rights.
    • Partners must fill in optional API fields and store the user IDs used in Monite to map actions to a specific user.
  • Hybrid security: Monite keeps a record of the ID and login data of entity users, but the partner controls the ACL externally. The user information stored by Monite is for reference only. Hybrid security offers good compatibility with the partner's system but has no clear advantage over Monite or external security.

To view and update user rights, and parameterize the system according to your needs, use the following endpoints:

  • /v1/available_permissions: Retrieves all permissions defined in Monite.
  • /v1/auth/token: Generates a partner-level token or an entity user token.
  • /v1/roles: Defines roles for entity users.
  • /v1/entity_users: Creates entity users. Each user is connected to a role.
