The Scenario
An agency builds a client portal for a mid-sized company. The managing director uses it to review project progress and approve invoices. It works well. Then the request comes in: “Can my finance manager also get access? But she should only see invoices, not the project details.” A week later: “Our marketing coordinator needs to see the project updates, but not the billing.”
The agency manually creates each new user, configures their access, and sends login details. When someone leaves the client’s team, the agency gets an email — sometimes weeks later — asking to remove their access. When someone changes role, another email. The agency is now an access administrator for every client’s internal team.
The Problem
When all portal access is managed by the service provider rather than the client, it creates a bottleneck that frustrates everyone involved.
The client cannot react quickly. A new hire joins and needs portal access, but it takes two days because the agency has to process the request. A staff member leaves and their access stays active until someone remembers to ask for it to be revoked. In the gap, a former employee still has access to confidential project data and billing information.
The agency absorbs administrative overhead that has nothing to do with delivering their service. Every access request is a support ticket that interrupts someone’s day. For an agency with 30 clients, each with three to five portal users, access management becomes a steady drain on time — and a security liability when it is not handled promptly.
The underlying issue is that the agency is managing permissions it does not have enough context to manage well. The agency does not know who the client hired last week, who changed roles, or who left. Only the client knows that. But the system requires the agency to act on every change.
The Approach
Delegated access gives each client the ability to manage their own portal users. The client’s primary contact — typically a director or operations lead — becomes an administrator for their organisation’s account. They can invite new users, assign roles, adjust permissions, and revoke access, all without involving the agency.
The system uses predefined roles rather than granular per-feature permissions. Keeping the role model simple is deliberate. Typical roles include a full administrator who sees everything, a finance role limited to billing and invoices, a project role limited to project status and deliverables, and a read-only role for stakeholders who need visibility without interaction.
The client administrator invites a team member by email address. The invitee receives a secure link, sets their password, and gains access at the assigned role level. If the administrator later changes their role, the change takes effect immediately. If someone leaves the company, the administrator revokes their access in seconds rather than sending an email and waiting for the agency to act.
From the agency’s perspective, the security model is enforced at the system level. The client administrator can only assign roles that exist within the predefined set. They cannot grant access beyond what the agency has configured for that client’s account. They cannot see other clients’ data. They cannot modify the role definitions themselves. The delegation is scoped — the client manages users within boundaries the agency controls.
An audit trail records every access change. The agency can see who was added, who was removed, who changed roles, and when. If a compliance question arises — “who had access to this data in March?” — the answer is in the log, not in someone’s email history.
The Outcome
The agency stops being an access help desk. Access requests no longer generate support tickets. New users are live within minutes instead of days. Former employees lose access the same day they leave, not weeks later.
Clients prefer the control. They are accustomed to managing user access in other tools they use — their email system, their accounting software, their CRM. Expecting them to email a third party for portal access feels like a step backwards. Delegated access brings the portal in line with how they manage everything else.
Security improves because response time improves. The gap between “someone left the company” and “their access was revoked” shrinks from days or weeks to hours or minutes. The audit trail provides the compliance evidence that regulated industries require without anyone needing to reconstruct it from emails.
The agency also gains insight into how clients actually use the portal. When clients manage their own users, the adoption data is richer. The agency can see that a client has added six users across three roles, which signals engagement. Or that a client still has only one user after six months, which signals a conversation worth having.
Who This Applies To
Any business that provides clients with portal or system access where the client’s team has more than one or two users. Agencies, managed service providers, SaaS platforms, consultancies, and professional services firms all encounter this pattern as their client relationships mature.
The need is strongest in sectors where staff turnover at the client is common, where compliance requires access audit trails, or where the client organisation is large enough that the service provider simply cannot keep up with access changes in a timely way.
Let Your Clients Manage Their Own Access
If your team is fielding access requests and manually provisioning portal users, the process belongs in your clients’ hands. We build role-based delegation systems that give clients control over their team’s access within boundaries you define.
Talk to us about adding delegated access to your client platform.