Each of the policy users and domain members can be assigned to roles based on what access level they need to have. The bulk of users will only be Employee users in the People section of the Policy Editor or Domain Members in Domain Control.

Covered in this article:

If you're looking for information on how to add a Copilot or a vacation delegate, hop on over to these articles:
Add a Copilot (formerly "wingman")
Add a Vacation Delegate

Policy Users

Policy Users are found and managed in Admin > [Policy Name] > People. These will include any employees on the policy, as well as their roles. You can assign auditors and administrators here, as well as set up approvers. 


This role has no ability to change the policy settings nor invite new users to the policy. Members in this role will only see their own reports and any reports submitted to or shared with them.

  • Employees should be in this role only, in an ideal setup.
  • Approvers can be in this role or they can also be Administrators depending on the level of control they should be allowed.

Policy Auditor

This role is a view and comment only role. This role has visibility of all reports connected to the policy and will be able to make comments on them. This role cannot edit policy settings. A user cannot be set as an Auditor and also be assigned any other type of role at the same time.

  • Accountants that have no part in the reimbursement process are great candidates for this role.
  • Bookkeepers can also qualify for this role.
  • Internal or External Auditor Agents are the best candidates for this role.

Policy Administrator

This role has total control over the policy settings. Users in this role can change categories, tags, connections, etc., as well as invite people to the policy. As an Administrator, the user will see all reports of all employees on the policy whether they are open, processing, approved, or reimbursed. An Administrator can also reimburse reports if they have access to the company ACH withdrawal account.

  • Approvers can be Administrator or Employee users depending on the level of control they should be assigned.
  • Policy Owners are Administrators by default.
  • Authorized Administrators are any user that is assigned by the owner or another admin to be a policy admin.

Domain Users

Domain Users are found and managed in Admin > Domain Control > [Domain Name] > Domain Members

Domain Members

This role is literally anyone invited to Expensify through Domain Control.

  • These members can be broken down into groups. The most popular groups are simply Employees and Managers. However, you can have many more groups with any title. The different groups allow you to designate different domain rules to each group type.
  • Employee Group is the group you want to assign your employees to. This group by default has no access to edit domain control settings. This group can be restricted to very specific policy access so they cannot accidentally submit reports on the incorrect policy.
  • Manager Group is the group you can put report approvers into if they need to be governed by different domain rules than the Employee Group. This group can be restricted or not be restricted to specific policy access.
  • Look over our article on domain members for more information.

Domain Administrators

This role has total control over the domain settings. Users in this role can change member group names and rules, add or change company card feeds, add or delete domain members and other admins, run analytic reports, and enable or disable SAML.

  • The Domain Owner is the only role that can delete the domain. This role is by default a domain admin.
  • Authorized domain admins are users appointed by a domain owner or admin. These users cannot delete the domain owner, nor delete the domain.

Still looking for answers? Search our Community for more content on this topic!

Did this answer your question?