We are looking at implementing role-based access controls on some of our SaaS platforms due to entry into emerging markets. Does anyone have best practices to share?


Chief Technology Officer in Software, 51 - 200 employees
RBAC: Go with

1. Department
2. Role
3. Permissions

Each user will have a role in a department and associated permissions. A user within the department can have multiple roles. Say a finance manager can have EDIT access to finance report but read only access to user data.

Keep in mind that there should be a restriction on the admin role, and an admin cannot create other admins.

Maintain audit log of each role and edits within roles.
COO in Healthcare and Biotech, 5,001 - 10,000 employees
Avoid the temptation to build access around individuals. Try to define roles, functions, groups up front so that you can plan appropriate access levels and differences needed.

That said, for an emerging market, plan on being nimble and needing to pivot often. So don’t over invest in this planning and design phase. Build flexibility into the design.
CTO in Transportation, 11 - 50 employees
We do have role based access control on our system where we allow our customers to define their own roles and assign to those roles different levels of access to the different areas and features of the application.

Access is granted to the features using standard REST (verb + url).

That way our code only needs to check for the permissions.

There are some frameworks out there that rely on pre established roles for the code to check for but that’s very limiting and difficult to maintain.
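As an added illustration of the model described in the first and third comments (customer-defined roles whose permissions are REST verb + URL pairs, an admin who cannot create another admin, and an audit log of role edits), here is an example checker; it is not code from any commenter's system, and the `SYSTEM` bootstrap actor, role names, and URL patterns are assumed for the demo.

```python
"""Illustrative RBAC model: roles hold (HTTP verb, URL pattern) permissions,
the admin role can only be granted by a bootstrap actor, and every role
change is recorded in an audit log. All names here are constructed."""
import fnmatch
from dataclasses import dataclass, field

SYSTEM = "system"  # assumed bootstrap actor used only for initial admin setup


@dataclass
class Role:
    name: str
    # (verb, url pattern) pairs; fnmatch "*" also matches "/", so keep
    # patterns as narrow as the feature needs
    permissions: set = field(default_factory=set)


class Rbac:
    def __init__(self):
        self.roles = {}       # role name -> Role
        self.user_roles = {}  # user -> set of role names
        self.audit = []       # (actor, action, detail) for every role change

    def define_role(self, actor, name, permissions):
        self.roles[name] = Role(name, set(permissions))
        self.audit.append((actor, "define_role", name))

    def assign(self, actor, user, role):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        # an admin cannot create another admin; only the bootstrap actor can
        if role == "admin" and actor != SYSTEM:
            self.audit.append((actor, "denied_assign", f"{user}:{role}"))
            raise PermissionError("only the bootstrap actor may grant admin")
        self.user_roles.setdefault(user, set()).add(role)
        self.audit.append((actor, "assign", f"{user}:{role}"))

    def is_allowed(self, user, verb, url):
        # deny by default; allow only if a held role carries a matching pair
        for rname in self.user_roles.get(user, ()):
            for pverb, pattern in self.roles[rname].permissions:
                if pverb in ("*", verb.upper()) and fnmatch.fnmatchcase(url, pattern):
                    return True
        return False


def demo():
    rbac = Rbac()
    rbac.define_role(SYSTEM, "admin", {("*", "/*")})
    rbac.define_role(SYSTEM, "finance_manager", {
        ("GET", "/reports/finance/*"), ("PUT", "/reports/finance/*"),
        ("GET", "/users/*")})  # edit finance reports, read-only on user data
    rbac.assign(SYSTEM, "alice", "admin")
    rbac.assign("alice", "bob", "finance_manager")
    try:
        rbac.assign("alice", "bob", "admin")  # refused and audited
    except PermissionError:
        pass
    return rbac
```

A real deployment would persist roles per tenant and evaluate `is_allowed` in the request middleware, but the deny-by-default check and the audit entries are the parts worth keeping.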
Executive Architect in Healthcare and Biotech, 10,001+ employees
Expanding on the prior excellent comments: Don't overload roles with privileges that a user might need occasionally. Grant users additional roles with specific privileges when needed, for example during a maintenance window.
