Akaunting security should focus on strict role separation, protected API access, and hardened admin operations.
1) Harden roles and permissions first
Akaunting supports custom roles and granular permissions. Start by removing broad access from default operational users and granting only what each function needs.
High-impact controls:
- keep only a very small number of users with admin-level access
- create role-specific accounts for bookkeeping, invoicing, and reporting
- avoid shared admin accounts
- review role permissions after installing new apps/modules
2) Protect authentication and admin actions
The Akaunting documentation lists two-factor authentication among the role/permission capabilities. Enable and enforce 2FA for every privileged user.
Also:
- keep the instance behind HTTPS only
- use strong unique passwords and rotate them for admin users
- disable or remove stale users immediately
3) Lock down API and integrations
The same Akaunting permissions govern API access, so treat every API user as a privileged identity.
Recommended:
- create dedicated API users per integration
- restrict API users to the minimum required permissions
- rotate API tokens/keys on a schedule
- revoke API credentials that are no longer used
4) Database and host hardening
Akaunting stores sensitive accounting records, so host-level hardening matters.
- do not expose the database directly to the internet
- run with a dedicated DB user and least privileges
- keep system and package updates current
- back up DB and uploads and test restores regularly
5) Operations and monitoring
- monitor failed logins and permission changes
- monitor role/app changes done by administrators
- document incident response for compromised user/API accounts
- run periodic access reviews (monthly/quarterly)
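As an added example (not code from Akaunting or its documentation), the following script shows the kind of detection logic the first two monitoring items call for: it flags failed-login bursts per user and source IP and reports every role/permission or module change made by an administrator. The log layout and event names are constructed assumptions in a Laravel-style format, not Akaunting's actual log output; adapt the regexes to whatever your instance writes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (Laravel-style layout); event names and fields
# are assumptions for illustration, not Akaunting's real log format.
SAMPLE_LOG = """\
[2024-05-01 09:00:01] production.WARNING: auth.failed user=alice ip=203.0.113.7
[2024-05-01 09:00:04] production.WARNING: auth.failed user=alice ip=203.0.113.7
[2024-05-01 09:00:09] production.WARNING: auth.failed user=alice ip=203.0.113.7
[2024-05-01 09:00:12] production.WARNING: auth.failed user=alice ip=203.0.113.7
[2024-05-01 09:00:15] production.WARNING: auth.failed user=alice ip=203.0.113.7
[2024-05-01 09:05:00] production.INFO: auth.success user=bob ip=198.51.100.2
[2024-05-01 09:06:30] production.INFO: role.permission_changed actor=bob role=bookkeeper permission=users.write
[2024-05-01 09:07:10] production.INFO: app.installed actor=bob module=payroll
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \w+\.(?P<level>\w+): (?P<event>[\w.]+)(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
PRIVILEGED_EVENTS = ("role.permission_changed", "app.installed")

def parse_log(text):
    """Parse lines into dicts with ts, event and any key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        fields = dict(KV_RE.findall(m.group("kv")))
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        fields["event"] = m.group("event")
        events.append(fields)
    return events

def find_alerts(events, threshold=5, window_seconds=60):
    """Return alert strings: one per failed-login burst, one per privileged change."""
    alerts = []
    failures = defaultdict(list)  # (user, ip) -> timestamps of failed logins
    for ev in events:
        if ev["event"] == "auth.failed":
            key = (ev.get("user"), ev.get("ip"))
            failures[key].append(ev["ts"])
            recent = [t for t in failures[key] if (ev["ts"] - t).total_seconds() <= window_seconds]
            if len(recent) == threshold:  # fire once when the window fills up
                alerts.append(f"failed-login burst: {threshold} failures for {key[0]} from {key[1]}")
        elif ev["event"] in PRIVILEGED_EVENTS:
            details = " ".join(f"{k}={v}" for k, v in ev.items() if k not in ("ts", "event", "actor"))
            alerts.append(f"privileged change: {ev['event']} by {ev.get('actor')} ({details})")
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```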
References:
- Akaunting Help Center: Defining Roles and Permissions: https://akaunting.com/hc/docs/users-and-roles/defining-roles-and-permissions/
- Akaunting Help Center: Roles and Permission Levels: https://akaunting.com/hc/docs/users-and-roles/roles-and-permission-levels/
- Akaunting Help Center (Developers): Permissions and ACL model: https://akaunting.com/hc/docs/developers/permissions/