If you are using a company policy, this article will help you learn the different roles each can have within your policy or domain. If you're an individual user, this article will not apply to you.

Each of the policy users and domain members can be assigned to roles based on what access level they need to have. The bulk of users will only be Employee users in the People section in your company policy, or Domain Members in Domain Control.

Covered in this article:

Additional articles covered elsewhere:

Policy Users

Company policy users are found and managed in Settings > Policies > [Policy Name] > People. These will include any employees on the policy, as well as their roles. 

You can assign auditors and admins here, as well as set up approvers. 

Employee

This role has no ability to change the policy settings nor invite new users to the policy. Members in this role will only see their own reports and any reports submitted to or shared with them.

  • Employees should be in this role only, in an ideal setup.
  • Approvers can be in this role or they can also be Admins or Auditors depending on the level of control they should be allowed.

Policy Auditor

In addition to everything the Employee role can do, a Policy Auditor can view, comment on, and manually export (to CSV) all reports on the policy. 

If they're the Final Approver on a report, they can also mark reports as reimbursed via Bulk Actions.

Who would be most suitable for this role?

  • Accountants that do not need to manually initiate ACH reimbursement, edit policy settings, or Take Control of reports to bypass the defined Approval Workflow
  • Bookkeepers
  • Internal or External Auditor Agents 
  • Anyone else who may need view-only permissions but should not be making policy settings changes

What can a Policy Auditor do?

  • Has visibility of all reports connected to the policy and will be able to make comments on them
  • Can export to an export template
  • Cannot edit policy settings. 
  • Can be designated as an approver
  • Can Mark as reimbursed reports they personally Final Approved via Bulk Actions
  • Create and submit their own reports

Are auditors billable users?

  • Yes, Auditors are still billable users and will still incur a billing charge if they take any report activity (creating, submitting, approving, rejecting, retracting, or exporting a report) during any given month. 
  • Viewing or commenting on a report, however, is not billable activity.

Policy Admins

This role has total control over the company policy settings. 

What can a Policy Admin do?

Other notes about this role:

  • Approvers can be Admin or Employee users depending on the level of control they should be assigned.
  • Billing Owners are Admins by default.
  • Authorized Admins are any user that is assigned by the owner or another admin to be a policy admin.

Are Admins billable users?

  • Yes, Admins are billable users and will still incur a billing charge if they take any report activity (creating, submitting, approving, rejecting, retracting, or exporting a report) during any given month. 
  • Viewing or commenting on a report, however, is not billable activity.

Domain Users

Domain Users are found and managed in Settings > Domain Control > [Domain Name] > Domain Members

Domain Members

A Domain Member is anyone with an Expensify account using an email domain that is under Domain Control

  • If you have Domain Control enabled for your domain, an account will be created automatically in the Domain Members list. You do not need to invite users through this page. 
  • These members can be broken down into Groups. The most popular Groups are simply Employees and Managers. However, you can have many more groups with any title. The different groups allow you to designate different domain rules to each group type.
  • Employee Group is the group you want to assign your employees to. This group by default has no access to edit domain control settings. This group can be restricted to very specific policy access so they cannot accidentally submit reports on the incorrect policy.
  • Manager Group is the group you can put report approvers into if they need to be governed by different domain rules than the Employee Group. This group can be restricted or not be restricted to specific policy access.

Domain Admins

This role has total control over the domain settings. Users in this role can change member group names and rules, connect company cards/add or change company card feeds, add or delete domain members and other admins, run analytic reports, and enable or disable SAML.

  • A Domain Admin can add or remove other Domain Admins in Settings > Domain Control > [Domain Name] > Domain Admins.
  • The Domain Admin is the only role that can delete the domain. The domain will not delete until there is only one Domain Admin left assigned.

For a live overview of the Policy Admin role, policy management and administration, register for our free Admin Onboarding Webinar!

Still looking for answers? Search our Community for more content on this topic!

Did this answer your question?