Organization-Level Access Controls

Canopy's organization-level access controls enable multi-institutional lending scenarios by restricting data visibility and access based on organizational ownership. This feature allows lenders, partner banks, and loan buyers to securely access only the accounts and loans relevant to their institution while maintaining appropriate data boundaries across organizations.

The system implements account-level ownership with automatic inheritance to all associated loans, ensuring that users only see borrowers and loan data that belong to their organization or that they have legitimate access to view.

Key Capabilities

Account-Level Ownership: Every account is associated with an owning organization, with all loans under that account automatically inheriting the same organizational association.

Flexible Access Rules: The system supports multiple access patterns including full administrative access, originator read-only access, and current owner access with automatic revocation upon transfer of ownership.

Secure Data Boundaries: All API endpoints and UI views automatically enforce organization-level visibility filters, preventing unauthorized access to data outside a user's permitted scope.

Ownership Transfer: Administrative users can transfer account ownership between organizations while preserving appropriate historical access rights for the institution that originated the credit.

Use Cases

Multi-Bank Origination Programs: A fintech lender working with multiple partner banks can grant each originating institution access to view and monitor only the loans they originated, while the fintech maintains centralized servicing operations and access to all loans. For example, when Bank A originates loans through your platform, their users can log into Canopy OS and see only their originated accounts without viewing loans from Bank B or Bank C.

Loan Portfolio Sales: When selling loans to debt buyers or institutional investors, you can seamlessly indicate the new ownership while maintaining data access boundaries. The loan buyer gains full visibility into their purchased accounts, while the originating bank retains read-only access to loans they originated, which is often necessary for regulatory purposes. Previous owners of a given loan automatically lose access unless they were also the originating institution, ensuring clean data boundaries after loan purchase and sale transactions.

Access Control Rules

Organization Types & Permissions



Super Admin Organization

  • Full read and write access to all accounts and loans across all organizations
  • Can transfer account ownership between organizations
  • Can modify any account or loan data regardless of organizational ownership

Originating Lender Organizations

  • Permanent read-only access to accounts and loans they originated
  • Access is retained even after ownership transfers to other organizations
  • Cannot modify account or loan data (read-only permissions only)

Current Owner Organizations

  • Read-only access to accounts and loans they currently own
  • Access is automatically revoked when ownership is transferred to another organization
  • Exception: If the organization is also the originator, they retain permanent read-only access

API Enforcement

All GET endpoints automatically filter results based on the requesting user's organizational access rights. Callers will only receive data for accounts and loans they are permitted to view.

All modification endpoints (POST, PUT, PATCH, DELETE) are restricted to Super Admin organizations only, ensuring data integrity and preventing unauthorized changes.

Requests for data outside an organization's access scope return either a 403 Forbidden response or an empty result set, depending on the endpoint.

Account Creation & Ownership

When creating new accounts via the API, you can specify the owning organization using the organization parameter:

{
  // ... other account fields
  "originating_organization_name": "Bank A"
}

If no organization is specified, the account will be associated with the requesting user's default organization.

Ownership Transfer

Super Admin organizations can transfer account ownership using the dedicated ownership transfer endpoint:

{
  "new_owner_organization_name": "Bank B"
}

Upon transfer:

  • The new organization becomes the owner and gains read-only access
  • The previous owner loses access (unless they are also the originator)
  • The originating organization retains permanent read-only access
  • Notifications are sent to all affected organizations
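
The access rules and transfer behaviour described above, written as a small reference model that can serve as a test oracle when verifying an integration's data boundaries. This is an added example, not Canopy's implementation; the Account class, the function names and the organization names are assumptions made for illustration.

```python
from dataclasses import dataclass

READ_METHODS = {"GET"}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Account:
    account_id: str
    originating_org: str  # set at creation; loans under the account inherit it
    owner_org: str        # changes on ownership transfer


def is_allowed(org, method, account, super_admins):
    """True if `org` may call `method` on `account` under the rules above."""
    method = method.upper()
    if org in super_admins:
        return method in READ_METHODS | WRITE_METHODS
    if method not in READ_METHODS:
        return False  # modification endpoints are Super Admin only
    # Originator keeps permanent read access; the owner reads while it owns.
    return org in (account.originating_org, account.owner_org)


def visible_accounts(org, accounts, super_admins):
    """Model of the GET list filter: ids of the accounts `org` may read."""
    return [a.account_id for a in accounts
            if is_allowed(org, "GET", a, super_admins)]


def transfer_ownership(actor_org, account, new_owner, super_admins):
    """Apply a transfer; return (orgs gaining read access, orgs losing it)."""
    if actor_org not in super_admins:
        raise PermissionError("only Super Admin organizations can transfer")
    previous = account.owner_org
    account.owner_org = new_owner
    # An originator never appears in either set: its read access is permanent.
    gained = {new_owner} - {previous, account.originating_org}
    lost = {previous} - {new_owner, account.originating_org}
    return gained, lost
```

Replaying a sequence of transfers through this model and comparing `visible_accounts` with what each organization's credentials actually return from the API is a direct way to confirm that a previous owner's access was revoked.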

Canopy OS Experience

Filtered Views: Users logging into Canopy OS will only see accounts, loans, and borrower data associated with their organization's access rights. Navigation and search results are automatically filtered to respect organizational boundaries.

Organization Context: Account and loan detail pages display relevant organizational metadata, including the originating organization and current owner (when different), helping users understand the full context of each loan.

Restricted Actions: Users from non-Super Admin organizations will see view-only interfaces with modification actions (edit buttons, workflow triggers) hidden or disabled, clearly indicating their read-only access level.

Notifications & Reporting

Transfer Notifications: Notification events are automatically sent when account ownership changes, notifying all impacted organizations about access changes and new ownership assignments.

Make sure to register for these notifications using the configure notifications endpoint, with ACCOUNT_OWNERSHIP_TRANSFERRED as the notification type.

Scoped Reporting: All reports and analytics automatically filter results based on the viewer's organizational access rights, ensuring users only see metrics and data relevant to their institution.

Organization Grouping: Reports support filtering and grouping by organization where applicable, enabling institution-specific analysis and performance tracking.