How Catchpole's Security Matrix Gives You Fine-Grained Access Control
2026-01-20
When you’re running a collections operation, not everyone needs access to everything. Your collectors don’t need to manage campaigns. Your clients don’t need to delete claims. And nobody except the account owner should be able to rename the organization.
Most platforms handle this with a few predefined roles — admin, user, read-only — and call it a day. That works until it doesn’t. The moment you need a collector who can export reports but can’t edit claims, or a manager who can run campaigns but can’t invite users, you’re stuck.
Catchpole’s security matrix was designed to eliminate that problem.
How It Works
The security matrix operates on three layers, each with increasing specificity:
1. Role-Based Permissions (Baseline)
Every user starts with a role: owner, administrator, manager, collector, client, or customer. Each role comes with a default set of permissions that make sense for that function.
- Owner: Full access to everything. Cannot be restricted.
- Administrator: Everything except organization-level destructive actions like renaming or deleting the organization.
- Manager: User management, claim management, campaigns, and reporting.
- Collector: Working claims, viewing reports, and using the collector dashboard.
- Client: Dashboard and reporting access for external stakeholders.
- Customer: Dashboard access only, for the self-service portal.
These defaults cover most use cases out of the box. But when they don’t, you go deeper.
2. User Groups (Team-Level Control)
User groups let you create permission sets for teams or functions that cut across roles. You might create groups like “Senior Collectors” with export permissions, or “Campaign Team” with campaign management access.
Groups add permissions on top of whatever role a user already has. A collector in the “Senior Collectors” group gets their standard collector permissions plus whatever the group grants.
This is particularly useful when your organization structure doesn’t map cleanly to a single role hierarchy. You can create as many groups as you need without touching individual user settings.
3. Individual User Overrides (Per-Person Control)
When you need to grant or deny a specific permission for a specific person, individual user overrides give you that precision. These take the highest priority — they override both role defaults and group permissions.
For example, you might have a collector who’s been trained to handle sensitive compliance documentation. You can grant them access_compliance without changing their role or creating a group just for one person.
The priority order is clear: individual overrides beat group permissions, which beat role defaults. The owner role is the one exception — it always has full access and cannot be restricted.
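The resolution order described above can be written as a small resolver. This is an added example, not Catchpole's code: the role names, the two group names and access_compliance come from the article, while the other permission names, the role-to-permission sets and the `decide`/`can` helpers are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Role and group names come from the article. Permission names are assumed
# for illustration, except access_compliance, which the article mentions.
ROLE_DEFAULTS = {
    "administrator": {"manage_users", "edit_claims", "manage_campaigns",
                      "view_reports", "export_data"},
    "manager": {"manage_users", "edit_claims", "manage_campaigns", "view_reports"},
    "collector": {"work_claims", "view_reports"},
    "client": {"view_reports"},
    "customer": set(),
}
GROUP_GRANTS = {
    "Senior Collectors": {"export_data"},
    "Campaign Team": {"manage_campaigns"},
}

@dataclass
class User:
    role: str
    groups: list = field(default_factory=list)
    # permission -> True (grant) or False (deny); beats groups and role defaults
    overrides: dict = field(default_factory=dict)

def decide(user, permission):
    """Return (allowed, deciding_layer) for one permission check."""
    if user.role == "owner":
        return True, "owner"                  # owner cannot be restricted
    if permission in user.overrides:
        return bool(user.overrides[permission]), "override"
    for group in user.groups:                 # groups only add permissions
        if permission in GROUP_GRANTS.get(group, set()):
            return True, "group:" + group
    if permission in ROLE_DEFAULTS.get(user.role, set()):
        return True, "role:" + user.role
    return False, "default-deny"              # unknown role, group or permission fails closed

def can(user, permission):
    return decide(user, permission)[0]

if __name__ == "__main__":
    # Constructed sample users
    senior = User("collector", groups=["Senior Collectors"])
    restricted = User("collector", groups=["Senior Collectors"],
                      overrides={"export_data": False, "access_compliance": True})
    owner = User("owner", overrides={"export_data": False})
    for u in (User("collector"), senior, restricted, owner):
        print(u.role, u.groups, decide(u, "export_data"), decide(u, "access_compliance"))
```

Returning the deciding layer alongside the verdict gives each check a reason that can be logged, which is what makes the permission model usable as an audit record.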
What You Can Control
The security matrix covers over 36 distinct actions across every part of the platform:
- User Management: Control who can create, edit, delete, and invite users, and who can assign roles.
- Claims Management: Separate permissions for creating, editing, and deleting claims. Control access to claim groups and collector group assignments independently.
- Campaign Management: Granular controls for creating, editing, deleting, and finalizing campaigns. Manage campaign steps and costs separately, so your campaign designers don’t necessarily have budget access.
- Organization Settings: Restrict who can modify organization-level settings, rename the organization, or delete it entirely.
- Reporting & Data: Control who can view reports and who can export data. You might want collectors to see their own performance metrics but not download the full dataset.
- Client & Compliance: Manage client upload permissions, documentation access, and compliance tools independently.
- Security Matrix Access: Even the ability to manage the security matrix itself is a permission. You decide who can modify roles, groups, and user-level overrides.
Why This Matters for Collections
Collections operations have unique access control requirements that generic permission systems don’t handle well:
Regulatory compliance. Depending on your jurisdiction and the type of debt, certain actions may need to be restricted to licensed or trained staff. The security matrix lets you enforce those boundaries at the platform level instead of relying on process.
Client segregation. If you manage collections for multiple clients, you need to ensure that one client’s team can’t access another client’s data. Role-based groups combined with claim group permissions give you that isolation.
Audit trails. When every action is tied to a specific permission, and every permission is explicitly granted, you have a clear record of who was authorized to do what. This matters when regulators or clients ask questions.
Scaling your team. As your operation grows, the security matrix scales with you. New hires get a role, get added to the right groups, and they’re set. No need to manually configure dozens of settings for each person.
Enforced Everywhere
The security matrix isn’t just a settings page — it’s enforced at every level of the platform. Every page load, every action, every API call checks the user’s effective permissions before proceeding. This includes the real-time LiveView interface, so permissions are enforced even during active sessions without requiring a page reload.
If a user doesn’t have permission to see a menu item, they don’t see it. If they don’t have permission to perform an action, the button isn’t there. And if they somehow craft a direct request, the server rejects it.
Getting Started
The security matrix is available on all plans. By default, the built-in roles cover the most common scenarios. When you need more control, the matrix is there — you can start layering in groups and individual overrides as your operation requires.
If you’re evaluating Catchpole and access control is a priority for your team, request a demo and we’ll walk through how the security matrix maps to your specific organizational structure.
Catchpole is a collections recovery platform with unlimited agent accounts, multi-channel automation, and fine-grained access control for teams of any size.