Navan's enterprise tier provides granular role-based access control, configurable travel policies, and multi-tier approval workflows. The platform enforces in-policy vs out-of-policy bookings at the point of purchase — travelers see policy-compliant options highlighted and must justify out-of-policy selections through approval chains. This skill covers the admin role hierarchy, policy rule configuration, department-scoped access, and API-driven policy management.
navan-install-auth)Global Admin
├── Travel Admin — Manage travel policies, view all bookings
├── Expense Admin — Manage expense policies, approve/reject reports
├── Finance Admin — View spend analytics, export financial reports
├── Department Manager — Approve bookings/expenses for direct reports
├── Arranger — Book travel on behalf of other employees
└── Traveler — Book own travel within policy, submit expenses
| Role | Book Travel | Approve | View All Bookings | Edit Policies | Manage Users |
|---|---|---|---|---|---|
| Global Admin | Yes | Yes | Yes | Yes | Yes |
| Travel Admin | Yes | Yes | Yes | Yes | No |
| Expense Admin | No | Yes | Expenses Only | Expense Only | No |
| Finance Admin | No | No | Yes (read-only) | No | No |
| Dept Manager | Yes | Own Dept | Own Dept | No | No |
| Arranger | Others | No | Arranged Only | No | No |
| Traveler | Self | No | Own Only | No | No |
const accessToken = process.env.NAVAN_ACCESS_TOKEN!;
// Retrieve current travel policy
const policyRes = await fetch('https://api.navan.com/v1/travel-policies', {
headers: { 'Authorization': `Bearer ${accessToken}` }
});
const policies = await policyRes.json();
// Create a department-specific policy
const newPolicy = await fetch('https://api.navan.com/v1/travel-policies', {
method: 'POST',
headers: {
'Authorization': `Bearer ${accessToken}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({
name: 'Engineering Department Policy',
department_ids: ['dept-eng-001'],
rules: {
flight: {
max_price: 800,
cabin_class: 'economy',
advance_booking_days: 14,
allow_premium_economy: true,
allow_business_class: false
},
hotel: {
max_nightly_rate: 250,
max_star_rating: 4,
preferred_chains: ['marriott', 'hilton', 'hyatt']
},
car_rental: {
max_daily_rate: 75,
max_class: 'intermediate',
preferred_vendors: ['enterprise', 'national']
},
out_of_policy: {
action: 'require_approval', // 'block' | 'require_approval' | 'warn'
require_justification: true,
auto_escalate_above: 1500 // Auto-escalate to finance above this amount
}
}
})
});
// Configure multi-tier approval chain
const approvalWorkflow = await fetch('https://api.navan.com/v1/approval-workflows', {
method: 'POST',
headers: {
'Authorization': `Bearer ${accessToken}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({
name: 'Standard Travel Approval',
applies_to: ['booking', 'expense'],
tiers: [
{
order: 1,
approver_type: 'direct_manager',
conditions: { min_amount: 0 },
auto_approve_below: 200,
timeout_hours: 48,
timeout_action: 'escalate'
},
{
order: 2,
approver_type: 'department_head',
conditions: { min_amount: 1000 },
timeout_hours: 72,
timeout_action: 'escalate'
},
{
order: 3,
approver_type: 'finance_admin',
conditions: { min_amount: 5000 },
timeout_hours: 24,
timeout_action: 'notify_global_admin'
}
],
out_of_policy_override: {
always_require_tier: 2,
justification_required: true
}
})
});
// Bulk role assignment for department onboarding
async function assignDepartmentRoles(
departmentId: string,
userEmails: string[],
role: string
): Promise<void> {
for (const email of userEmails) {
const res = await fetch('https://api.navan.com/v1/users/role-assignment', {
method: 'POST',
headers: {
'Authorization': `Bearer ${accessToken}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({
email,
role,
department_id: departmentId,
effective_date: new Date().toISOString()
})
});
if (!res.ok) {
console.error(`Failed to assign ${role} to ${email}: HTTP ${res.status}`);
} else {
console.log(`Assigned ${role} to ${email} in dept ${departmentId}`);
}
}
}
// Example: onboard engineering managers
await assignDepartmentRoles('dept-eng-001', [
'manager1@company.com',
'manager2@company.com'
], 'department_manager');
# List all users with admin roles
curl -s -H "Authorization: Bearer $NAVAN_ACCESS_TOKEN" \
'https://api.navan.com/v1/users?role=admin&limit=100' | python3 -m json.tool
# Get policy violations report
curl -s -H "Authorization: Bearer $NAVAN_ACCESS_TOKEN" \
'https://api.navan.com/v1/reports/policy-violations?start_date=2026-01-01' \
| python3 -m json.tool
A fully configured RBAC system with department-scoped travel policies, multi-tier approval workflows, and role assignments for the organizational hierarchy. Travelers see policy-compliant options at booking time, out-of-policy requests route through the approval chain, and admins have audit visibility into policy violations.
| Error | Code | Solution |
|---|---|---|
| Insufficient admin permissions | 403 | Requesting user needs Global Admin or Travel Admin role |
| Department not found | 404 | Verify department_id exists; create via admin dashboard first |
| Conflicting policy rules | 409 | Two policies targeting the same department; deactivate the old one first |
| Invalid approval chain | 400 | Ensure tier order is sequential and approver_type values are valid |
| User not found | 404 | Verify email matches an active Navan user; check SCIM sync status |
Check a user's effective policy:
curl -s -H "Authorization: Bearer $NAVAN_ACCESS_TOKEN" \
'https://api.navan.com/v1/users/user@company.com/effective-policy' \
| python3 -m json.tool
Export policy compliance summary:
curl -s -H "Authorization: Bearer $NAVAN_ACCESS_TOKEN" \
'https://api.navan.com/v1/reports/policy-compliance?period=monthly' \
| python3 -m json.tool
After configuring RBAC, see navan-security-basics for SSO/SAML enforcement and credential hardening, or navan-observability for monitoring policy compliance and booking patterns.