Permissions

On this tab, you can set permissions for a new or selected user that affect all areas of the application: Files, EDS, Payments, Account Statements, AWV Notifications, Banks and Accounts. If a permission is revoked, the associated function or menu item is not available for the user. Assign the permissions according to the different tasks. For example, payment recorders need access to payment entry, EDS signatories must be allowed to sign orders.

The effects at a glance

User is authorized to:	Applies to:	Combine with:
Fetch files	Orders: Retrieved files, Notifications	—
Send files	Orders: Sent files, Notifications	—
View and send files from watched directories	Orders: Files to send	—
Sign orders in the EDS	Orders: EDS overview, Signed EDS orders, Cancelled EDS orders	—
Record payments	Payments: Open payments, Signed payments, Periodic payments, Payment templates, Originators, Recipients, SEPA mandates	—
Salary payments	Orders: EDS overview, Signed EDS orders, Cancelled EDS orders, Sent files Payments: Open payments, Signed payments, Periodic payments, Payment templates	Record payments, Sign orders in the EDS
Confirm recipients in four-eyes principle	Payments: Recipients, Action Confirm/Discard recipient	Record payments, System settings: Payment recording –Recipient recording allowed in four-eyes principle
Record AWV notifications	AWV notifications: AWV report data, AWV participants	System settings: AWV notifications
View banks and accounts	Settings: Banks, Accounts	Edit bank settings
Edit bank settings	Settings: Banks	View banks and accounts (not required for administrators/managers)
Synchronize with Android™ or iPhone^® app	Settings: Synchronize with Android™ or iPhone^® app	App installation
View account statements	Account statements: Account overview, Transactions, Batched transactions, Balances, Balance lists, Conversions, Automatic exports, Exported files, PDF dokuments	—
Delete account statements and PDF statements	Deletion functions within the account statements	View account statements

View and send files from watched directories

This permission is only relevant if there are watched directories. The directories are configured by an administrator, files are stored there from outside. They can be found under the menu item Orders – Files to send. Users need this permission to sign and send files there. The general permissions to sign orders in the EDS and send files are not required for this.

Salary payments

SEPA payments must have one of the values SALA, PENS or BONU in the Payment category or Payment type field for BL Banking Web to recognize a salary payment and apply the permissions. Only users with full permission can select the specified payment categories or payment types in payment recording.

The permissions also apply to salary recalls.

Recording salary payments as open payments, payment templates and periodic payments is only possible with full permission, as is importing salary payments from external files. Signing in the EDS is permitted with all permission levels, as is sending external files directly to the bank.

The differences in the restrictions relate to the visibility of amounts and details (amounts, recipients, accounts, purpose).

If the visibility of amounts is disabled, the user sees individual payments with an empty amount field, totals are displayed, e.g. in the accompanying ticket.
If the visibility of all details is disabled, the user will not see any salary payments in the overviews of the payments area. In the EDS overview and for sent files, a note about the restricted permission is displayed instead of the payment details.
If the visibility is generally disabled, the user will not see any details and will also not see any salary payments in the overview for sent files.

Note: Note that with limited permission, only the display in the program is suppressed. All details, including amounts, are available in sent and received files.

In order to secure salary payments against unauthorized inspection and to prevent conclusions being drawn from totals to the amounts of individual payments, further measures are advisable in addition to the permissions.

Do not send salary payments individually, but several per account.
Keep the checkbox Display as single booking in the account statement switched off in payment recording.
Encrypt local data storage to prevent direct access to the payment files, see the system settings under General.
Alternatively: Use a separate installation of BL Banking Web for salary payments.

You can achieve more security by making arrangements with the bank, e.g. that salary payments are not displayed in the EDS if users do not have permission.

Confirm recipients in four-eyes principle

If the recipient recording in the four-eyes principle is set in the system settings, only users permitted here can confirm newly created or edited recipients according to the four-eyes principle; all users can record.

Synchronize with app

This permission is relevant for two scenarios:

Import of users from other installations or programs
Use of the smartphone apps (BL Banking for Android™ or BL Banking for iPhone^® app)

Permitted users can synchronize the data of selected banks. Apps that have been set up can continue to be used even if this permission is missing.

Admin user is authorized to create users and to modify or delete other admin users

This and the following permission can only be granted to administrators. The two checkboxes are therefore only available if the checkbox User with administrator permissions is enabled on the tab General. Editing these permissions is reserved for a Super-Admin. Information on the Administrator and Super-Admin roles is given in the section Administrative rights.

Creating new users and modifying and deleting other administrators are essential administrative tasks. At least one administrator should have this permission. It is possible to revoke one's own permission irreversibly. Managers of tenants can always create users for their tenants, but never modify or delete administrators.

Admin user is authorized to create and delete tenants

An administrator with this permission can create and delete tenants. Managers of tenants cannot do this. If you operate BL Banking Web with several tenants, at least one administrator should have this permission.

Figure: Setting the permissions for a user