Contact Us

User Management: Role-Based Access Controls for Enterprise Banking

Access Control Benchmarks

TD Business Central user management provides six predefined roles, unlimited custom roles, granular permission matrices across 24 module-level actions, temporary delegation with automatic expiry, IP-based access restrictions and immutable audit logs retained for seven years. Supports organizations with up to 500 concurrent users across multiple business units. Aligned with OSFI B-13 access control requirements.

Who can initiate a $200,000 wire transfer? Who can only view account balances? Who can approve payroll batches but not create them? These are not hypothetical questions. They are operational security decisions that determine whether your organization maintains control over its financial operations or leaves itself exposed to internal fraud and accidental errors.

TD Business Central user management answers every one of these questions through a role-based access control framework. Each user is assigned a role. Each role defines exactly which actions the user can perform, which accounts they can access and which transaction thresholds apply. No ambiguity.

TD Business Central user management dashboard showing role assignment matrix with permission toggles across payment and reporting modules

Predefined Roles and Custom Role Creation

Start with six battle-tested roles or build your own from scratch. Every organization's access control needs are different.

Six Predefined Roles

TD Business Central ships with six roles that cover the most common organizational structures. Super Administrator has full access to every module, including user management and audit log review. Payment Initiator can create payment transactions but cannot approve them — enforcing the dual-authorization principle. Payment Approver can authorize transactions initiated by others but cannot create their own. Report Viewer can access all reporting features and export data but has no payment capabilities. Account Viewer has read-only access to balances and transaction history. Auditor has read-only access to all modules plus the audit trail.

These predefined roles are locked templates — they cannot be modified. This ensures a baseline level of separation of duties that meets regulatory expectations. If a predefined role is close to what you need but not exact, clone it into a custom role and adjust the permissions.

Custom Roles

Create custom roles by navigating to User Management, clicking Create New Role and toggling permissions across the 24 available module-level actions. Name each role descriptively: "AP Manager - Eastern Region," "Treasury Analyst - Read Only," "Payroll Admin - Weekly Batch." Clear naming reduces confusion when assigning roles to new employees.

Permission Matrix Architecture

The permission matrix covers four primary domains: Payments (initiate, approve, view, cancel, manage templates), Reporting (create reports, export data, schedule delivery, share templates, manage report access), Accounts (view balances, view transactions, manage alerts, manage account preferences) and Administration (create users, assign roles, manage delegations, view audit logs, configure IP restrictions, manage MFA policies).

Each permission is a binary toggle. A role either has the permission or it does not. There are no partial access levels within a single permission — this simplicity eliminates the ambiguity that creates security gaps in more complex access models.

The OSFI B-13 Technology and Cyber Risk Management guideline requires federally regulated financial institutions to implement access controls based on the principle of least privilege. TD Business Central's role-based framework makes least-privilege implementation straightforward: assign each user only the permissions required for their job function, nothing more.

Research from the Government of Canada cyber security centre indicates that over 30% of financial fraud incidents involve insider access. Proper role-based controls are a direct countermeasure.

Predefined Roles and Permission Levels

The six predefined roles and their access levels across the four permission domains in TD Business Central.

Role Payments Reporting Accounts Administration Typical Assignment
Super Administrator Full Full Full Full CFO, VP Finance
Payment Initiator Initiate, View View, Export View None AP Clerk, Treasury Analyst
Payment Approver Approve, View View, Export View None Controller, AP Manager
Report Viewer None Full View None Financial Analyst, Auditor
Account Viewer None View View None Branch Manager, Department Head
Auditor View Full View Audit Logs Only External Auditor, Compliance Officer

User Provisioning, Delegation and Audit Trails

Onboard new users in minutes, delegate authority during absences and maintain a complete record of every access control change.

Streamlined User Provisioning

Adding a new user takes three steps. Enter their name and email address. Assign a role (predefined or custom). Click Create. The system sends an enrollment email with a secure registration link. The new user sets their password, configures MFA and gains access according to their assigned role. The entire process, from administrator initiation to user first login, takes under ten minutes.

For organizations onboarding multiple users — common during corporate restructures or seasonal staff increases — TD Business Central supports bulk provisioning via CSV upload. Prepare a file with name, email and role columns, upload it through User Management, and the system processes all entries simultaneously. Each new user receives their enrollment email independently.

Temporary Delegation

When a payment approver takes vacation, their approval queue does not stop. TD Business Central delegation lets administrators or the approver themselves designate a temporary delegate. Define the delegation scope (all approval types or specific ones), set start and end dates, and the delegate receives approval requests for the defined period. When the end date passes, delegation revokes automatically. No manual cleanup required.

Immutable Audit Trail

Every user management action generates an immutable audit record. User creation, role changes, permission modifications, login attempts (successful and failed), password resets, delegation events, account lockouts and deactivations — all logged with the timestamp, the acting administrator, the affected user, the specific change and the administrator's IP address.

These records cannot be edited, overwritten or deleted by any user, including Super Administrators. The audit trail is retained for seven years in compliance with OSFI B-13 requirements for access control event logging.

External auditors can be granted the Auditor role, which provides read-only access to the audit trail without exposing payment initiation or approval capabilities. This satisfies the common audit requirement for independent access to security logs without creating privileged access for non-employees.

Deactivation and Offboarding

When an employee leaves, deactivation is one click. The user's session terminates immediately, credentials are revoked and all future login attempts are blocked. The deactivated profile and its complete activity history remain in the system for audit and compliance purposes. If the user returns, reactivation restores the profile without requiring a new enrollment. Pending approvals assigned to the deactivated user are automatically rerouted to the next eligible approver in the chain.

Related Reporting Services

User management underpins access control across the entire TD Business Central reporting suite. These related services depend on the roles and permissions you define here.

Custom Reports

Report template sharing permissions are governed by user roles defined in user management. Control who can create, edit, share and schedule custom reports through the same role-based framework.

Transaction Reporting

Restrict report access by role. Payment Initiators can view their own transaction reports while Report Viewers see all accounts. Transaction reporting respects the account-level permissions configured in user management.

Data Export

Control who can export data and in which formats. Sensitive BAI2 and MT940 exports can be restricted to specific roles while CSV downloads remain available to broader user groups through data export permissions.

← Back to TD Business Central Home

User Management: Frequently Asked Questions

Navigate to User Management then Roles, and click Create New Role. Name the role, then use the permission matrix to toggle access for each module: payments (initiate, approve, view), reporting (create, export, schedule), accounts (view balances, view transactions, manage alerts) and administration (manage users, manage roles, view audit logs). Save the role and assign it to users individually or through user groups. Custom roles can be cloned from existing roles to speed up configuration.

Yes. TD Business Central supports temporary delegation of approval authority. Navigate to User Management then Delegations, select the user receiving the delegation, define the scope (all approvals or specific payment types) and set start and end dates. The delegate receives approval requests during the defined period while the original approver retains the ability to approve as well. All delegated approvals are logged with both the delegate's identity and the original authority holder's identity.

The audit trail records every user management action: user creation, role assignment, permission changes, login attempts (successful and failed), password resets, delegation events, account lockouts and deactivations. Each entry includes the timestamp, the administrator who performed the action, the affected user, the specific change made and the IP address of the administrator's session. Audit records are retained for seven years and cannot be modified or deleted.

Open User Management, locate the user and click Deactivate. Deactivation is immediate: the user's session is terminated, their credentials are revoked and their access is blocked. Deactivated users cannot log in or be assigned new transactions. Their historical activity records remain in the system for audit purposes. If the user returns, an administrator can reactivate the account and reassign roles without creating a new profile.

Yes. Administrators can define allowed IP addresses or IP ranges for individual users or user groups. Login attempts from non-whitelisted IP addresses are blocked automatically and logged as security events. This feature is particularly useful for restricting high-privilege roles like payment approvers to corporate network addresses only, preventing approval actions from unauthorized locations.