Access Controls & IAM
Role-based permissions and authentication security
TuskCPA uses role-based access control (RBAC), multi-factor authentication (MFA), and the principle of least privilege to ensure that only authorized users can access specific data and features.
Authentication Methods
Multi-Factor Authentication
Required for all users. Supports authenticator apps, SMS, and hardware security keys (FIDO2).
Single Sign-On (SSO)
Enterprise plans support SAML 2.0 SSO with providers like Okta, Azure AD, and Google Workspace.
Session Management
Sessions expire after 24 hours. Users are logged out automatically after 30 minutes of inactivity. An option to force logout on all devices is available.
Password Policies
Minimum 12 characters, complexity requirements, breach detection, and 90-day rotation for sensitive roles.
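The session and password rules above are simple to state but easy to get subtly wrong (an idle timer that also resets the absolute limit, or a force-logout that has to enumerate every live session). The following is an added illustration of how those rules fit together; it is not TuskCPA's code. The three-of-four character-class rule, the choice of which roles count as "sensitive", the SHA-1 breach corpus and the reference time are all assumptions.

```python
"""Session-lifetime and password-policy checks following the rules summarised
above (24-hour session expiry, 30-minute idle logout, force-logout on all
devices, 12-character minimum with complexity, breach detection, 90-day
rotation for sensitive roles). Added illustration, not TuskCPA's code."""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ABSOLUTE_LIFETIME = timedelta(hours=24)   # session dies 24 h after issue, active or not
IDLE_TIMEOUT = timedelta(minutes=30)      # ...or 30 min after the last request
MIN_PASSWORD_LENGTH = 12
ROTATION_PERIOD = timedelta(days=90)
SENSITIVE_ROLES = {"firm_owner", "partner"}   # assumption: which roles must rotate

# Constructed breach corpus, stored as SHA-1 hex the way public breach feeds do.
BREACHED = {hashlib.sha1(p.encode()).hexdigest()
            for p in ("Password12345!", "Welcome2024!!")}

T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed reference time


@dataclass
class User:
    username: str
    role: str
    password_changed_at: datetime
    session_generation: int = 0   # bumped on force-logout; see force_logout_all()


@dataclass
class Session:
    user: str
    issued_at: datetime
    last_seen: datetime
    generation: int   # user.session_generation at the time the session was issued


def session_state(session, user, now):
    """Return 'active', or the reason the session must be rejected.
    Revocation is checked first, then the absolute limit, then idleness."""
    if session.generation != user.session_generation:
        return "revoked"
    if now - session.issued_at >= ABSOLUTE_LIFETIME:
        return "expired"
    if now - session.last_seen >= IDLE_TIMEOUT:
        return "idle_timeout"
    return "active"


def touch(session, now):
    """Refresh the idle timer on a successful request; the 24 h limit is untouched."""
    session.last_seen = now


def force_logout_all(user):
    """Invalidate every session issued to this user without tracking them one by one."""
    user.session_generation += 1


def password_problems(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 3:   # assumption: 3-of-4 rule
        problems.append("needs three of: lowercase, uppercase, digit, symbol")
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED:
        problems.append("appears in a known breach corpus")
    return problems


def rotation_due(user, now):
    """Only sensitive roles are forced to rotate; the 90 days count from the last change."""
    if user.role not in SENSITIVE_ROLES:
        return False
    return now - user.password_changed_at >= ROTATION_PERIOD


if __name__ == "__main__":
    alice = User("alice", "partner", password_changed_at=T0 - ROTATION_PERIOD)
    s = Session("alice", issued_at=T0, last_seen=T0, generation=alice.session_generation)
    print(session_state(s, alice, T0 + timedelta(minutes=5)))   # active
    print(session_state(s, alice, T0 + IDLE_TIMEOUT))           # idle_timeout
    force_logout_all(alice)
    print(session_state(s, alice, T0 + timedelta(minutes=5)))   # revoked
    print(password_problems("Password12345!"))                  # breach corpus hit
    print(rotation_due(alice, T0))                              # True
```

The generation counter is the point worth copying: "force logout on all devices" becomes a single increment on the user record, and any session carrying an older generation is rejected on its next request, so no list of live sessions has to be kept or swept.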
Role-Based Access Control (RBAC)
Users are assigned roles that determine what data they can access and what actions they can perform. Permissions are granular and customizable per firm.
Standard Roles
Firm Owner / Admin
Full access to all features, clients, and settings. Can add/remove users, manage billing, configure integrations.
Partner / Manager
Access to all clients. Can review work, approve deliverables, manage team members. Cannot modify billing or firm settings.
Senior Accountant
Access to assigned clients only. Can prepare returns, review junior staff work, communicate with clients.
Staff Accountant
Access to assigned clients. Can prepare work products but cannot send to clients without review.
Administrative Staff
Limited access to client financial data. Can manage scheduling, send communications, track documents.
Client User
Access limited to their own company data only. Can upload documents, view reports, communicate with firm.
Custom Roles
Enterprise plans can create custom roles with specific permission combinations, controlling access at a granular level.
Granular Permissions
Client Management
- View client list
- Add new clients
- Edit client information
- Delete clients
- View client financial data
Document Management
- Upload documents
- View documents
- Download documents
- Delete documents
- Request documents from clients
Task Management
- Create tasks
- Assign tasks to others
- Complete tasks
- View team workload
- Modify task priorities
Communication
- Send emails to clients
- View communication history
- Create email templates
- Schedule automated emails
- Access internal notes
Financial Data
- View financial statements
- Access tax returns
- See bank account numbers
- View SSNs/EINs
- Export financial data
Administration
- Add/remove team members
- Configure integrations
- Manage billing
- Access audit logs
- Modify firm settings
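The role descriptions and the permission groups above combine into two checks: does the role carry the permission at all, and is the user in scope for the client the request concerns. The following added example shows a deny-by-default evaluator built from those names; it is not TuskCPA's implementation. The exact role-to-permission table, the split between "all clients" and "assigned clients" roles, and the way a staff accountant's review requirement is modelled (no send permission of their own) are assumptions drawn from the role descriptions.

```python
"""Deny-by-default RBAC check using the roles and granular permission names
listed above. Added illustration, not TuskCPA's implementation; the mapping
table and scoping rules are assumptions based on the role descriptions."""
from dataclasses import dataclass, field

# Permission identifiers derived from the six permission groups above.
PERMISSIONS = {
    "view_client_list", "add_clients", "edit_client_info", "delete_clients",
    "view_client_financial_data",
    "upload_documents", "view_documents", "download_documents", "delete_documents",
    "request_documents",
    "create_tasks", "assign_tasks", "complete_tasks", "view_team_workload",
    "modify_task_priorities",
    "send_client_emails", "view_communication_history", "create_email_templates",
    "schedule_automated_emails", "access_internal_notes",
    "view_financial_statements", "access_tax_returns", "see_bank_account_numbers",
    "view_ssn_ein", "export_financial_data",
    "manage_team_members", "configure_integrations", "manage_billing",
    "access_audit_logs", "modify_firm_settings",
}

_PREPARER = {  # what an accountant needs to prepare and review work (assumption)
    "view_client_list", "view_client_financial_data", "edit_client_info",
    "upload_documents", "view_documents", "download_documents", "request_documents",
    "create_tasks", "complete_tasks", "view_communication_history",
    "access_internal_notes", "view_financial_statements", "access_tax_returns",
}

ROLE_PERMISSIONS = {
    "firm_owner": PERMISSIONS,
    # partner: everything except billing and firm settings
    "partner": PERMISSIONS - {"manage_billing", "modify_firm_settings"},
    "senior_accountant": _PREPARER | {"send_client_emails", "assign_tasks"},
    # staff cannot send to clients without review: no send permission of their own
    "staff_accountant": _PREPARER,
    "administrative_staff": {
        "view_client_list", "upload_documents", "view_documents", "request_documents",
        "send_client_emails", "view_communication_history", "schedule_automated_emails",
        "create_tasks", "assign_tasks", "complete_tasks", "view_team_workload",
    },
    "client_user": {"upload_documents", "view_documents", "download_documents",
                    "view_financial_statements", "send_client_emails"},
}

ALL_CLIENT_ROLES = {"firm_owner", "partner"}   # every other role is scoped to assignments


@dataclass
class User:
    username: str
    role: str
    # a client_user is "assigned" exactly its own company
    assigned_clients: set = field(default_factory=set)


def authorize(user, permission, client_id=None):
    """Return (allowed, reason). Unknown permissions and roles are denied, and a
    client-scoped request must also pass the assignment check."""
    if permission not in PERMISSIONS:
        return False, f"unknown permission {permission!r}"
    granted = ROLE_PERMISSIONS.get(user.role)
    if granted is None:
        return False, f"unknown role {user.role!r}"
    if permission not in granted:
        return False, f"role {user.role} lacks {permission}"
    if (client_id is not None and user.role not in ALL_CLIENT_ROLES
            and client_id not in user.assigned_clients):
        return False, f"{user.username} is not assigned to client {client_id}"
    return True, "granted"


def visible_clients(user, all_client_ids):
    """The client list a user may see, honouring the same scoping rule."""
    if user.role in ALL_CLIENT_ROLES:
        return set(all_client_ids)
    return set(all_client_ids) & user.assigned_clients


if __name__ == "__main__":
    sam = User("sam", "senior_accountant", {"c1"})
    print(authorize(sam, "view_client_financial_data", "c1"))   # (True, 'granted')
    print(authorize(sam, "view_client_financial_data", "c2"))   # not assigned
    print(authorize(User("stu", "staff_accountant", {"c1"}), "send_client_emails", "c1"))
    print(authorize(User("pat", "partner"), "manage_billing"))
```

Two details carry the least-privilege intent: a permission name that is not in the known set is refused even for the firm owner, so a typo in a caller cannot silently grant access, and the returned reason string gives the audit log something more useful than a bare deny.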
Multi-Factor Authentication (MFA)
MFA is required for all users to add an extra layer of security beyond passwords.
Supported MFA Methods
- Authenticator Apps (Recommended): Google Authenticator, Authy, Microsoft Authenticator, 1Password
- SMS Text Messages: Receive 6-digit codes via text (available as backup method)
- Hardware Security Keys: YubiKey, Google Titan, or any FIDO2-compliant device
- Backup Codes: One-time use codes for emergency access
Single Sign-On (SSO)
Enterprise customers can configure SAML 2.0 SSO to use their existing identity provider.
Supported Identity Providers
- Okta
- Azure AD
- Google Workspace
- OneLogin
- Auth0
- Ping Identity
IP Allowlisting
Restrict access to TuskCPA to specific IP addresses or ranges. Suited to firms that require users to connect only from office networks or a VPN.
Audit Logging
All user actions are logged for security and compliance. Admins can review who accessed what data and when.
Logged Events Include
- User logins and logouts
- Failed login attempts
- Document access and downloads
- Client record modifications
- Permission changes
- Integration connections
- API access
- Data exports
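An audit log is only useful if someone reads it, and the events listed above (failed logins, data exports, the source IP of each action) support a handful of simple detections. The following added example runs three such rules over a constructed log sample; it is not TuskCPA's code and the line format, thresholds, allowlisted office range and sample events are all assumptions. It also ties in the IP allowlisting feature described earlier, flagging any event from an address outside the allowed range.

```python
"""Three detections over audit-log lines of the kinds listed above: a burst of
failed logins for one user, a burst of data exports for one user, and any event
from an IP outside the firm's allowlist. Added illustration, not TuskCPA's code;
the log format, thresholds and sample data are constructed."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed allowlist: TEST-NET-3 stands in for an office range.
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
FAILED_LOGIN_LIMIT, FAILED_LOGIN_WINDOW = 5, timedelta(minutes=10)
EXPORT_LIMIT, EXPORT_WINDOW = 3, timedelta(minutes=15)

# Constructed sample: "<ISO timestamp> <event> key=value ..." per line.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z login_failed user=jdoe ip=203.0.113.7
2024-03-04T09:00:40Z login_failed user=jdoe ip=203.0.113.7
2024-03-04T09:01:15Z login_failed user=jdoe ip=203.0.113.7
2024-03-04T09:02:02Z login_failed user=jdoe ip=203.0.113.7
2024-03-04T09:02:50Z login_failed user=jdoe ip=203.0.113.7
2024-03-04T09:03:30Z login_success user=jdoe ip=203.0.113.7
2024-03-04T09:10:00Z login_failed user=kl ip=203.0.113.12
2024-03-04T10:00:00Z login_success user=mwong ip=198.51.100.20
2024-03-04T10:01:00Z data_export user=mwong ip=198.51.100.20 client=c1
2024-03-04T10:04:00Z data_export user=mwong ip=198.51.100.20 client=c2
2024-03-04T10:07:00Z data_export user=mwong ip=198.51.100.20 client=c3
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse_line(line):
    """Turn one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return {"ts": ts, "event": m.group(2), **fields}


def in_allowlist(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def _burst(history, ts, limit, window):
    """Sliding-window counter: record ts, drop entries older than the window,
    and report True exactly once, when the count first reaches the limit."""
    history.append(ts)
    while history and ts - history[0] > window:
        history.popleft()
    return len(history) == limit


def find_alerts(log_text):
    """Return a list of (rule, user, timestamp) tuples in log order."""
    alerts = []
    failed_logins = defaultdict(deque)
    exports = defaultdict(deque)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        user, ts = ev.get("user", "?"), ev["ts"]
        if "ip" in ev and not in_allowlist(ev["ip"]):
            alerts.append(("off_network", user, ts))
        if ev["event"] == "login_failed" and _burst(
                failed_logins[user], ts, FAILED_LOGIN_LIMIT, FAILED_LOGIN_WINDOW):
            alerts.append(("failed_login_burst", user, ts))
        if ev["event"] == "data_export" and _burst(
                exports[user], ts, EXPORT_LIMIT, EXPORT_WINDOW):
            alerts.append(("export_burst", user, ts))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in find_alerts(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule:20} {user}")
```

On the sample, jdoe's fifth failure inside ten minutes raises one alert (the following successful login is the kind of context an analyst then checks), kl's single failure raises none, and mwong produces an off-network alert for every action plus one export-burst alert on the third export.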
Need Custom Access Controls?
Enterprise plans include custom roles, SSO, and dedicated security support.