Who can access billing
Admin-only by default with super_admin override.
By default, only admins can see and manage billing. Librarians and members can't.
Default access
- Admin — Full access to /admin/billing, can add/remove payment methods, change plans, cancel
- Librarian — No billing access at all (sidebar entry hidden)
- Member — No billing access
- Super_admin — Can see billing for any library, override admin actions if needed
Why only admins?
Billing decisions involve real money and contractual choices. Limiting access to admins keeps accidental cancellations (or accidental upgrades) from happening when a librarian is poking around in settings.
Per-tenant override
A super_admin can override the default and grant librarians billing access for a specific library:
Settings → Access → toggle "Billing" on for the Librarian role
This is rare — most libraries leave the default in place. The override is useful for organizations where the librarian is also the financial decision-maker.
Audit log
Every billing action is logged with timestamp and actor. Settings → Billing → Activity shows:
- Who changed what
- When the change happened
- Old and new values
Customer Portal access
Anyone with admin access to billing can open the Stripe Customer Portal — and once they're in, they can do anything Stripe allows (update card, change plan, cancel). Stripe doesn't have role-based access inside the Portal.
Locking down further
If you want to require a second admin's approval before billing changes, contact hello@tryshelfwise.com — we can enable two-person approval as a custom workflow.