Xoxoday Plum provides a dedicated View Only role that grants auditors and compliance personnel read-only access to campaigns, redemptions, transactions, and user actions — with no ability to edit data or initiate transactions.
When audit season arrives or a compliance review is underway, the last thing your organisation needs is unrestricted access shared across roles. Xoxoday Plum addresses this with a purpose-built View Only role designed specifically for auditors, finance controllers, and compliance officers. The View Only role grants read-only visibility across all key areas of the rewards platform — including campaigns, redemption records, transaction histories, and user action logs. Holders of this role cannot create, edit, or delete any data, and they cannot initiate transactions of any kind. This clean separation of duties ensures that the individuals reviewing your data cannot inadvertently alter it.

Tamper-Proof Audit Trails

Xoxoday Plum maintains comprehensive, tamper-proof logs that capture every action taken within the platform. From campaign creation to individual redemptions, every event is timestamped and attributed to a specific user. This level of traceability is essential for organisations working toward or maintaining certifications such as ISO 27001 or SOC 2 Type II, where demonstrating controlled access and documented activity is a core requirement. If your organisation uses an HRMS like Workday, SAP SuccessFactors, or Darwinbox, the audit trail within Xoxoday Plum complements the access logs those systems already capture — giving your compliance team a unified picture of who authorised what and when, across both HR and rewards workflows.

Practical Use in a Compliance Review

Consider a scenario where an internal audit team needs to verify that reward disbursements during a sales incentive campaign were authorised and correctly processed. With the View Only role assigned, an auditor can independently navigate the campaign dashboard, filter transactions by date range, and export redemption reports — all without involving the rewards administrator. The auditor’s own session activity is logged as well, maintaining a complete chain of custody for the review. This self-service access reduces bottlenecks during audit cycles, speeds up evidence gathering, and removes any ambiguity about whether logs could have been modified after the fact.

Role Assignment and Access Management

Administrators assign the View Only role through Xoxoday Plum’s role-based access control (RBAC) settings. Access can be scoped and revoked at any time, meaning temporary auditor access during a quarterly review does not linger beyond its intended window. Combined with Xoxoday Plum’s SSO integrations, organisations can enforce consistent identity and access policies across their entire toolstack — ensuring the principle of least privilege applies to every user, including those who only need to observe.

Learn more: Xoxoday Plum Help Centre — Financial
