Who This Guide Is For
This guide is for operations leads and project managers implementing access controls in a new or existing system. You need to define who can see what, who can edit what, and who can do nothing at all — and you need the system to enforce these rules consistently rather than relying on people to follow an honour system.
Before You Start
You should have a system that supports role-based access or is being built with it. You should also have a list of everyone who will use the system and a general sense of what each person needs access to. If you are implementing access controls as part of a broader system rollout, read How to Roll Out a New Internal System alongside this guide.
Step 1: List Your Actual User Types
Forget job titles. Focus on what people do in the system. A “Marketing Manager” and a “Sales Manager” might have identical system needs, while two “Analysts” might need completely different access depending on which data they work with.
Group users by what they need to do, not what their business card says. Common functional groups:
- Full administrators — can see and change everything, manage users, and configure the system. Usually one to three people.
- Operational users — work in the system daily, create and edit records within their scope, but cannot change system configuration.
- Viewers — need to see data and reports but do not create or edit anything.
- External users — clients or partners who access a subset of data relevant to them. Cannot see other users’ data.
Most systems need three to five roles. If you are defining more than seven, you are likely creating unnecessary granularity that will be difficult to maintain.
Step 2: Define Permissions Per Role
For each role, specify what they can do using a permission matrix. The matrix covers three dimensions:
- What data they can access (their own records, their team’s records, their client’s records, all records)
- What actions they can perform (view, create, edit, delete, export, approve)
- What system areas they can reach (projects, billing, reports, user management, settings)
Write the matrix out explicitly. Example for a client portal:
| Permission | Admin | Team Member | Client |
|---|---|---|---|
| View all projects | Yes | Own projects only | Their projects only |
| Create requests | Yes | Yes | Yes |
| Edit any request | Yes | Own requests only | Own requests only |
| View billing | Yes | No | Their billing only |
| Manage users | Yes | No | No |
| Export reports | Yes | Yes | Their reports only |
This matrix becomes the specification your development team implements. Ambiguity in the matrix creates ambiguity in the system. If a cell says “maybe” or “depends,” resolve it before implementation.
Step 3: Implement the Principle of Least Privilege
Start every role with no access and add permissions only as justified. This is the opposite of how most systems are configured, where users get broad access and restrictions are added retroactively when someone sees something they should not.
For each permission you grant to a role, ask: “What happens if this role does not have this permission?” If the answer is “they cannot do their job,” the permission is justified. If the answer is “it would be inconvenient,” consider whether the inconvenience outweighs the risk.
Pay particular attention to delete and export permissions. Delete is irreversible in most systems. Export creates copies of data outside the system’s access controls. Both should be restricted to the smallest group that genuinely needs them.
Step 4: Test With Real Scenarios
Before rolling out, test every role by logging in as a user with that role and attempting every action they should be able to do and several they should not.
Create a test checklist for each role:
- Positive tests: can they view their projects? Can they submit a request? Can they see their reports? (These should all succeed.)
- Negative tests: can they view another client’s data? Can they access the admin panel? Can they delete a record they should not? (These should all fail with an appropriate message, not a system error.)
Test edge cases: what happens when a user is assigned to two projects with different sensitivity levels? What happens when a user’s role changes — does their access update immediately? What happens when someone is removed from a project — can they still see historical data they previously accessed?
Fix any failures before launch. A user who discovers they can see data they should not will lose trust in the system’s security. A user who cannot access something they need will work around the system rather than through it.
Step 5: Document and Maintain
Create a role documentation page that describes each role, what it can do, and who should be assigned to it. This documentation serves two purposes: it helps new users understand what they will see in the system, and it helps administrators assign the correct role when onboarding someone.
Establish a review cadence. Quarterly, review the user list and verify that everyone has the appropriate role. Common drift patterns:
- Users who changed roles in the business but kept their old system role
- Users who were given temporary elevated access for a project and never had it revoked
- Users who left the organisation but were not deactivated
Audit access logs if your system supports it. Unusual patterns — a user accessing data outside their normal scope, or a spike in export activity — may indicate a role misconfiguration or a more serious issue.
Common Mistakes
- Too many roles. Every additional role is maintenance overhead. If two roles differ by a single permission, consider whether they can be merged with the broader permission applied to both.
- Granting admin access to avoid support requests. When someone cannot access something, the easy fix is to make them an admin. The correct fix is to give them the specific permission they need. Admin access is the most over-granted and most dangerous role in any system.
- No negative testing. Testing that users can do what they should is half the job. Testing that they cannot do what they should not is the other half, and it is the half most often skipped.
- No offboarding process. When someone leaves, their access should be revoked within hours, not discovered during a quarterly review. Build user deactivation into your offboarding checklist.
- Set-and-forget permissions. Roles need maintenance as the business evolves. A role that was correct six months ago may grant access to features that have been added since. Review quarterly.
What Good Looks Like
A well-implemented RBAC system looks like this: every user sees exactly the data and features they need for their work, and nothing else. New users are assigned a role at onboarding that gives them appropriate access from day one. When roles change, access updates promptly. Administrators can answer “who can access this data?” in seconds. Nobody has more access than their job requires, and nobody has less.
Next Steps
If you are setting up access controls as part of a password vault deployment, How to Configure a Password Vault covers credential-specific access. For the broader system rollout, How to Roll Out a New Internal System covers deployment. If you want access controls designed and implemented for your system, get in touch.
Alex
I’m a software developer and CEO of Digital Royalty, helping growing teams scale their SaaS platforms without losing quality, visibility, or control. I focus on building structured, maintainable systems with clear processes, reporting, and accountability. With over a decade of experience across agency and in-house roles, I specialise in delivering long-term, scalable solutions that support complex, evolving products.