Guide · Roles & permissions
The 22 permission keys that gate every action in the bridge.
RBAC in MyInvois Bridge is granular by design — important for accounting firms running many clients through one account, but useful even for a single-company team that wants junior staff scoped to creation without submission rights. This guide lists every key, what it gates, and the role patterns most teams settle into.
Invoice lifecycle keys.
- invoices.view — read access to the invoice list and detail panel.
- invoices.create — create a new draft invoice (manual or via API).
- invoices.update — edit an existing draft invoice.
- invoices.submit — submit a draft to LHDN (the moment of compliance).
- invoices.cancel — cancel an approved invoice within the 72h LHDN window.
- invoices.downloadPdf — download the rendered invoice PDF with the LHDN QR.
CSV upload + management.
- documents.view — list and inspect uploaded CSV batches.
- documents.upload — upload a new CSV file.
- documents.delete — remove an uploaded CSV (does not undo submissions).
Customers + products.
- customers.view / customers.create / customers.update — counterparty catalog.
- products.view / products.create / products.update — product / service catalog used to pre-fill line items.
Company, roles, and integrations.
- company.view / company.update / company.logo.update — workspace settings.
- integrations.view / integrations.manage — M2M credentials minting and revocation.
- roles.assignPermissions — the meta-permission (only assign to trusted admins).
What sits outside RBAC entirely.
Two surfaces are owner-only by design — they're never grantable via RBAC, regardless of the role you build:
- Activity audit log — readable by company owners only. See the audit-log guide for the full action-type list.
- Owner-only billing + plan changes (subject to the Partner tier's branded-dashboard exceptions).
Last updated · May 2026
Independent reference. MyInvois is operated by LHDN. We are not affiliated with LHDN.