Customer / parent payer
If the payer needs help, support opens the same receipt and payment evidence.
Can:
- Pay by card, wallet, or local method
- Authenticate issuer OTP
Cannot:
- See merchant balance or payout
- Create refunds
Permission Policy implementation for Operators, Privileged Operators, Auditors, scoped assignments, permission checks, and sensitive action approvals.
Access control separates customer, merchant, support, risk, operations, finance, company-owner, and privileged checker responsibilities.
role_journey_school_2026_001
If the payer needs help, support opens the same receipt and payment evidence.
After payment capture, owner hands finance to settlement and support to receipt/refund cases.
Finance reads the ledger outcome but cannot mutate money movements directly.
Support can create the case; privileged checker or risk completes controlled decisions.
Operations clears the rails evidence before finance and support rely on the record.
Company owner reads contribution margin after finance and operations prove the statement.
Privileged operator is the control point, not the owner of every business workflow.
Access control keeps each manager's business question, route, money object, and forbidden action visible before any sensitive workflow is approved.
manager_window_review_school_2026_001

Can I pay without creating an account?
Sees: Amount, reference, OTP/retry/no-capture paths, receipt proof
Can: Pay, authenticate, retry, claim receipt
Cannot: See merchant balance or approve refunds
cs_school_2026_001
payment_screen_map_school_2026_001
guest first

Merchant owner
Collection page and payment object
mgr_merchant_owner
Did my tahsil page collect the school fee?
Sees: Payer ledger, captured payment, receipt, webhook, reminders
Can: Create/share collection page, send reminders, view payment
Cannot: Approve restricted refund or provider settlement
pay_scenario_001
trace_publish_school_link_2026
live ready

Epara support specialist
Support case
mgr_support
What answer is safe for the customer?
Sees: Receipt, refund eligibility, no-capture outcomes, customer intake
Can: Explain status, create support/refund intake, attach evidence
Cannot: Self-approve refund or edit ledger
refreq_school_2026_001
tkt_school_parent_receipt_001
assigned

Epara operations analyst
Operations clearance
mgr_operations
Are provider capture, webhook, receipt, and reconciliation clear?
Sees: Provider capture, webhook outbox, collection origin, refund/no-capture screen map
Can: Verify provider capture and escalate rail issues
Cannot: Create merchant pages or approve sensitive refunds
route_live_cards_iqd
op_decision_school_2026_001
ops cleared

Epara finance operator
Reconciliation and payout release
mgr_epara_finance
Can this statement become a provider payout?
Sees: Statement match, treasury handoff, reserve, payout destination
Can: Match statement and track provider-pending payout
Cannot: Take customer payment or bypass maker-checker controls
po_school_2026_001
recon_run_school_2026_001
provider pending

Epara company owner
Platform revenue
mgr_company_owner
What did Epara earn, and what is only liability?
Sees: Fee revenue, provider cost, reserve liability, net contribution
Can: Read margin and separate GMV from revenue
Cannot: Count merchant payable or reserve as revenue
rev_school_2026_001
evpack_revenue_boundary
revenue recognized

Privileged checker
Approval control
mgr_privileged_checker
Is this restricted refund allowed after maker request?
Sees: Permission check, maker-checker guard, audit trace, refund receipt path
Can: Approve controlled refund after evidence exists
Cannot: Create and approve the same refund alone
ref_school_2026_001
perm_refund_school_2026
controlled

Customer, merchant, cashier, support, risk, operations, finance, and privileged operator see the same payment with different boundaries.
Guest hosted checkout
Wallet sign-in after or before checkout
Dashboard login
Scoped merchant team login
Cashier terminal scope
Scoped developer login
Role-based backoffice login
Risk desk login
Operations queue login
Finance control login
Internal owner dashboard
Elevated role with audit trail
| Actor | Audience | Entry | Login | Primary View | Status | Can | Cannot |
|---|---|---|---|---|---|---|---|
| Customer / parent payer | Public customer | Guest hosted checkout | No | /pay/school-fee | ready | Pay by card, wallet, or local method, Authenticate issuer OTP, Retry a failed attempt +1 | See merchant balance or payout, Create refunds, Open operator evidence |
| Customer with Epara Wallet | Optional customer account | Wallet sign-in after or before checkout | Optional | /wallet | optional | Use saved wallet method, Link guest receipt, Follow refund status | Bypass issuer authorization, See merchant settlement data, Approve disputes |
| Merchant owner | Merchant dashboard | Dashboard login | Yes | /payment-links/new | live ready | Create and publish collection pages, Invite merchant team members, View captured payments +1 | Approve own high-risk refunds, Change provider settlement files, Override Epara risk decisions |
| Merchant finance manager | Merchant dashboard | Scoped merchant team login | Yes | /reports/statements/set_2026_06_15_iqd | controlled | Explain gross, fee, reserve, net, Download statement evidence, Track payout readiness | Create payment links, Approve refunds, View operator-only provider files |
| Merchant cashier | Counter / POS | Cashier terminal scope | Yes for cashier app, no for payer | /terminal/scenario-payment | ready | Take card-present payment, Show or resend POS receipt, Close counter batch evidence | See merchant-wide payout approvals, Create API keys, Approve chargeback evidence |
| Merchant developer | Merchant dashboard | Scoped developer login | Yes | /developer/api-keys/cred_demo_live_01 | controlled | Integrate checkout session creation, Inspect webhook delivery, Rotate integration credentials with scope | Approve payouts, Read full customer card data, Override support or risk cases |
| Epara support specialist | Internal operator | Role-based backoffice login | Yes | /support/scenario-payment | assigned | Explain receipt and payment status, Create refund request, Open support note +1 | Self-approve restricted refund, Change ledger lines, Release merchant payout |
| Epara risk analyst | Internal operator | Risk desk login | Yes | /risk | review required | Submit evidence package, Place or release risk review, Request merchant evidence | Edit customer receipt history, Approve own privileged money movement, Rewrite provider outcome |
| Epara operations analyst | Internal operator | Operations queue login | Yes | /backoffice/reconciliation/set_2026_06_15_iqd | queued | Mark provider reference reviewed, Investigate reconciliation differences, Escalate provider incidents | Create merchant collection pages, Answer customer support as merchant, Approve sensitive policy changes |
| Epara finance operator | Internal operator | Finance control login | Yes | /payouts/po_school_2026_001 | provider pending | Track payout execution, Explain reserve and settlement timing, Apply final chargeback money outcome | Take a customer payment, Submit merchant KYB, Bypass maker-checker approval |
| Epara company owner | Executive / platform finance | Internal owner dashboard | Yes | /backoffice/revenue | revenue recognized | Read company revenue from the same payment scenario, Compare pricing to provider cost, Separate platform income from merchant payable balances | Count merchant reserve as revenue, Rewrite captured payment facts, Bypass finance and reconciliation controls |
| Privileged operator | Internal control | Elevated role with audit trail | Yes | /backoffice/approvals/refund-school-2026 | controlled | Approve restricted refund after maker request, Approve sensitive access action, Keep separation of duties visible | Create and approve the same refund as one actor, Delete financial history, Skip evidence trail |
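
The refund rows above (support creates the request, the privileged operator approves it after evidence exists, and no single actor does both) written as a deny-by-default permission check with a maker-checker guard. This is an added example, not Epara's code; the role keys, action names, actor ids and `RefundRequest` fields are hypothetical.

```python
from dataclasses import dataclass, field

# Role -> allowed actions; anything not listed is denied. Role and action
# names are hypothetical labels for rows of the table, not Epara identifiers.
GRANTS = {
    "support_specialist": {"refund.request", "support.note"},
    "privileged_operator": {"refund.approve"},
    "finance_operator": {"payout.track"},
}

@dataclass
class RefundRequest:
    refund_id: str
    maker: str                                    # actor id that created the request
    evidence: list = field(default_factory=list)
    status: str = "requested"
    audit: list = field(default_factory=list)     # (actor, role, action, decision)

def allowed(role, action):
    return action in GRANTS.get(role, set())

def create_refund(actor, role, refund_id, evidence):
    if not allowed(role, "refund.request"):
        raise PermissionError(f"{role} may not request refunds")
    req = RefundRequest(refund_id, maker=actor, evidence=list(evidence))
    req.audit.append((actor, role, "refund.request", "allow"))
    return req

def approve_refund(req, actor, role):
    """Return (decision, reason); every attempt lands in the audit trail."""
    if not allowed(role, "refund.approve"):
        decision = ("deny", "role lacks refund.approve")
    elif actor == req.maker:
        # Compared on actor identity, not role: one person holding two
        # scoped assignments still cannot check their own request.
        decision = ("deny", "maker cannot be checker")
    elif not req.evidence:
        decision = ("deny", "no evidence attached")
    elif req.status != "requested":
        decision = ("deny", "already decided")
    else:
        req.status = "approved"
        decision = ("allow", "approved by independent checker")
    req.audit.append((actor, role, "refund.approve", decision[0]))
    return decision
```
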