As your finance function grows, role-based access becomes essential. Zoho Books has 6 standard roles and unlimited custom roles. Setting them up well prevents accidental edits and protects your data.
What you'll learn
→ Standard roles → Custom roles → Two-factor authentication and security → Audit trail
Standard roles
Admin: full access including settings, users, and integrations. Reserve for owners and senior finance only.
Accountant: full transactional access, no settings, no user management. Best for the in-house bookkeeper or external accountant.
Staff: data entry, view limited reports.
Sales: invoices and customers, no purchases.
Time Tracker: timesheets only.
Project: project items only.
For most SMEs, a clean structure is 1 Admin (owner), 1 Accountant (finance lead), 2-4 Staff (data entry), and Sales or Project users as needed. Avoid making everyone Admin; it nullifies the access controls.
Custom roles
Settings → Users & Roles → New Role. Choose granular permissions: which modules (sales, purchases, inventory, banking), which actions (view, create, edit, delete), and which records (own, team, all). Custom roles handle the cases where standard roles are wrong-sized.
Examples: a Procurement role with access to bills and POs but not sales; a Sales Manager role that can view all sales but edit only their own customers. Document each custom role's purpose and audit annually for relevance.
Two-factor authentication and security
Enforce 2FA for every user. Settings → Security → Multi-Factor Authentication → Required. Zoho supports TOTP apps (Google Authenticator, Authy), SMS codes, and hardware keys. TOTP is more secure than SMS.
Set the inactivity timeout to 30-60 minutes. Set password rotation to every 90 days. Disable users immediately on staff exit. Zoho continues to charge per active user, so removal also saves money.
Audit trail
Reports → Activity Log. Every change in Zoho is logged: who, what, when. Filter by user, by record, by date range. Useful when investigating an unusual transaction or an unexpected report change.
Run a monthly audit log review for high-risk areas: journal entries, deletions, and user role changes. Senior finance signs off on the review. The discipline catches both fraud and innocent mistakes early.
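One way to script the monthly review described above, as an added example that is not part of the original guide or Zoho's own tooling. It assumes the Activity Log has been exported to CSV; the column names, action strings and sample rows are constructed for illustration and must be adapted to the real export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export. The column names and action strings are
# assumptions for this example, not Zoho Books' actual Activity Log format.
SAMPLE_LOG = """timestamp,user,module,action,record
2024-03-02T09:14:00,asha@example.com,Invoices,created,INV-0101
2024-03-05T18:40:00,ravi@example.com,Journals,created,JRN-0042
2024-03-09T11:02:00,asha@example.com,Bills,deleted,BILL-0077
2024-03-15T10:30:00,owner@example.com,Users,role changed,ravi@example.com
2024-03-21T16:55:00,ravi@example.com,Journals,edited,JRN-0042
2024-04-01T08:00:00,ravi@example.com,Invoices,deleted,INV-0099
"""

def classify(row):
    """Map a log row to one of the guide's high-risk areas, or None."""
    module, action = row["module"].lower(), row["action"].lower()
    if module == "users" and "role" in action:
        return "user role change"
    if "delete" in action:
        return "deletion"
    if module == "journals":
        return "journal entry"
    return None

def monthly_review(csv_text, year, month):
    """Return {area: [rows]} for high-risk events in the given month."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.fromisoformat(row["timestamp"])
        if (when.year, when.month) != (year, month):
            continue
        area = classify(row)
        if area:
            findings[area].append(row)
    return dict(findings)

def sign_off_sheet(findings):
    """Render one line per event for the senior finance reviewer."""
    return [f"{area}: {r['timestamp']} {r['user']} {r['action']} {r['record']}"
            for area in sorted(findings) for r in findings[area]]

if __name__ == "__main__":
    print("\n".join(sign_off_sheet(monthly_review(SAMPLE_LOG, 2024, 3))))
```

Routine events such as invoice creation are dropped, so the reviewer signs off only on the entries in the three high-risk areas for that month.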
This guide is general information, not professional advice. For situations that involve specific facts, talk to your accountant, or hire one of ours from the marketplace.