12 min read
Roles and permissions
Want to learn how user roles and permissions work in access management? Discover how to set your company up for success.

User Roles and Permissions in Access Management

Link to this section

Access control management act as an authentication protocol. For companies operating online, it should be a standard approach to handling digital resources and data security.

Defining who can access your data and what functions can be made within this access is the key function of access control management. The protocol relies on the creation of users, roles, and permissions. Access to your digital platform is then granted to employees and customers according to a range of factors, based on which type of management approach you use.

User management is a key function in cybersecurity, allowing an administrative party to grant access levels based on factors such as job title, seniority, time or place, as well as company policies.

The importance of access management

Link to this section

Access management is cybersecurity in action. It creates a management system for organizations where specific employees (or customers, in some cases) can be granted access to sensitive online materials.

The admin team creates and individualizes access control groups and can then assign sets of “permissions” that outline both the scope of what resources a user can access and what functions they can perform with that resource. In this way, it acts as an authentication method.

The process of defining scopes and limitations of access helps to reduce potential security breaches, keep confidential information secure, and helps to maintain the reputation of the organization as trustworthy.

Some additional benefits of access management include:

  • Preventing bad actors from accessing sensitive data.
  • Monitor how users are accessing resources in real-time.
  • Boost cybersecurity and data protection.
  • Mitigate the risk of cyber theft.
  • Audit-proof the company by keeping servers compliant.

What are user roles?

Link to this section

When looking at how to grant access to digital resources across an organization, it’s helpful to unify your approach to control management. Roles provide a way to do this.

By grouping permissions (think of these as levels of access) under a ‘role’ and then assigning these roles to users and user groups, you effectively simplify data security protocols and create a community management process.

A role is a set collection of access grants that apply to community groups depending on a variety of factors such as shared responsibilities, seniority, or even time-location based. While a role may determine access permissions, the role itself does inherently contain permissions, as well as a name, a description, and a scope.

To simplify this, roles are assigned to a group of employees who all require access to similar data to complete their jobs.

The purpose of roles is to limit access and boost security. Employees will only be granted access to parts of the platform and digital resources that are necessary for them to do their job while lowering risks to other, perhaps more sensitive, aspects of the API.

For instance, as roles might be assigned to users based on their expected work tasks, those working in development might not have access to payroll, but have full access to create, edit, and delete code. Whereas people in accounts may be able to view the code, but not edit it.

Here there would be two roles created: one for the development team, and one for the accounts team. Each member of these teams would be assigned their ‘role’, and each member in this role has the same set of permissions.

What are user permissions?

Link to this section

Permissions are controlled by admins, who are responsible for assigning and adjusting roles and permissions within a company.

Think of permissions as the level and limits of what a user can do on the platform. It determines which aspects of the data can they view, which can they create, and which can they edit, as well as which aspects of the platform are completely inaccessible.

A user’s role determines what permissions they are granted. Permissions refer to the scope of what a user can do with digital resources, think of it as the limits of access granted to a user.

These are some common permissions:

  • Create resources
  • Delete resources
  • Modify resources
  • Download resources
  • Administrate forums (including the ability to edit forum topics and posts)
  • Publishing
  • Read-only
  • Search functions

Permissions and roles are inherently linked and permissions can be built upon by adding additional roles to a user. ****Because workloads can often be varied and expectations of a user may vary depending on background, experience, knowledge, and seniority, it is possible to assign multiple roles to one user.

Layering roles is what allows for the individualization of permissions.

How user roles and permissions work together

Link to this section

As roles are applied to a user dependent on their level of access needs, roles, and permissions are inherently linked. It wouldn’t make sense to have a role without a set of permissions, and the set of permissions is inapplicable without assigning roles to the user.

A simplified way to think about roles and their associated permissions is to consider what access the user would need. There are typically four access roles:

  • Full
  • Editor
  • Limited
  • Read-only

While the above won’t be the title of the role assigned to the user, they each come with a set of permissions. These are called access options. For example, the access option of editor may be granted to the administrator (role) so that they can edit the document, assign or delete tasks, and change tags (permissions).

Types of access control management

Link to this section

While there are several types of access control management systems, RBAC, ABAC, and PBAC are the three most common protocols. Learning how they differ and understanding the pros and cons of each will help you determine the best option for your company.

The first type of access control management is Roles Based Access Control or RBAC. With RBAC users are assigned a role based on factors such as title, job description, and related access needs. This assigned role then determines the access and associated permissions.

Next is the Attribute Based Access Control, or ABAC. It functions similarly to RBAC but rather than granting roles based on access needs or the employee’s position, access is determined by location-time factors of the attempted access, as well as factors like the type of resource being accessed.

The final system we’ll consider is Policy Based Access Control or PBAC. This is the most flexible of the three options and can be suited to geographical or time-based policy within the enterprise. It blends the user’s role with company rules and policies.

Let’s take a deeper look at all three.

This is the most well-known type of access control, and its popularity stems from its simplicity. With RBAC the scope of access or permissions is pre-determined and assigned to each user based on their position within the organization. Access control levels are typically based on the user’s job title.

Individualizing a user’s scope is only achievable through the layering of roles, ie assigning two or more roles to one user.

While this level of rigidity is helpful from a security perspective, it can lead to the creation of hundreds and thousands of roles that become difficult to manage in the long run. If flexibility of scope is important to maintaining the security of your data, ABAC or PBAC might be a better fit for your needs.

RBAC generally serves smaller companies best. The reason for this is that while RBAC offers a robust form of access control and cybersecurity, it is also generally easier to manage. But this simplicity is because fewer variables can be used. This can lead to less work for the IT department and lower associated costs.

  • The rigidity of a hierarchical structure
  • Increased administrative control
  • Easier to manage and monitor
  • A simplistic protocol makes the review process easier
  • Provides a lower level of cybersecurity than ABAC and PBAC
  • Its rigidity prevents individualization and management on a granular level

If a granular level of cybersecurity is needed for an organization to meet compliance obligations, ABAC may be more suitable than RBAC. But it does come with some drawbacks.

Stemming from RBAC, the approach is relatively similar, but there are some key differences here. The ABAC model allows for more flexible scope and permissions. While RBAC assigns permission based on role, ABAC assigns permission based on characteristics of the request, such as time or location, entitlement, or resource type.

Rather than basing access on the performance expectations of a user’s job position, ABAC instead revolves around the desired outcome of how the resource will be used.

Access levels within ABAC are environmentally charged, and this is what creates the baseline for what is accessible.

  • Granular control levels
  • Increased flexibility with access being granted based on user attributes (such as location)
  • Increased level of compliance
  • Still relatively simple to implement and use
  • Implementing ABAC is more difficult and complex than RBAC
  • The variables can make ABAC time-consuming

Policy Based Access Control, or PBAC, is the most granular and flexible approach to user management. This management type bases permission and scope on the rules and policies of the company. As these policies are updated, access rights can also be modified to remain both appropriate and secure.

This management type is relatively similar to ABAC, but here the policies of the company define what a user’s access rights are. However, PBAC is significantly more flexible than both RBAC and ABAC as it combines temporary, or time-place access rights with company policy.

PBAC allows for specific types of access to be granted to a user based on a set of policies, which may take into consideration things such as the user’s location, position, and seniority.

There are four main attributes that PBAC may take into consideration when determining the access rights of a user:

  • Subject attributes: e.g. the job title of a user
  • Object attributes: e.g. what type or resource is being accessed
  • Action attributes: e.g. what action is the user attempting to perform (reading, editing, etc.)
  • Contextual or environmental attributes: e.g. time, place, etc.

This increased level of customization is more time-consuming to set up than RBAC or ABAC. It also requires an enterprise to develop PEPs and PDPs (Policy Enforcement and Decision Points) to verify the credentials of users and act as authorization systems.

  • The most flexible and granular of all access control management systems
  • Standards-driven
  • Compliance is easily achieved
  • Reactive to company policies
  • The most flexible of the three approaches
  • Typically unnecessary levels of flexibility for small to medium organizations
  • The most time-consuming of the three approaches
  • Requires the development of policies that can be applied both broadly and maintain the specificity needed for high levels of cybersecurity

Best practices for user roles and permissions in access management

Link to this section

Determining how granular and flexible your enterprise’s approach to access control needs to be will help decide which management type is suitable.

Whether you land on RBAC, ABAC, PBAC, or any other type of access control management practice, there are a few key tips for implementing the best practices for access control. These will be particularly useful in the early stages.

Below is some advice on getting started and implementing your new approach as seamlessly as possible.

Take on the approach of least privilege. While it might seem like best practice to give as much access as a user may possibly need, this undermines the attempt at securing sensitive information. The long-term implications of oversharing access rights are creating a system that is more difficult to manage and makes it easier to access and compromise sensitive data.

Give due consideration to read-only groups. This application allows users to access data without permission to edit it. This can be useful for onboarding new employees, with increased permissions, such as editing, being granted later on when that user is promoted or responsibilities increase.

Make sure that your groups have a purpose. Name your groups accurately and give detailed descriptions of what the objectives of the group are. This streamlines the review process and makes sure everyone’s on the same page.

Pencil in regular reviews to remove old team members, and keep all information up to date.

Secure your access control management approach with a two-factor authentication process for optimal cybersecurity benefits.

How we approach user management at Kinde

Link to this section

Over at Kinde we’ve created a single dashboard approach to letting you in on all the inner workings of your company’s numbers and track who attempts to access what data in real time. Our approach to user management also allows you to use it as a tool to gain insights into your customers.

We’ve streamlined the process so that adding, managing, and reviewing users, roles, and permissions has never been simpler. We’ve also made it easier to migrate over from your current authentication system to a flexible access control management system, ensuring minimal disruption for your team and customers.

We’ve made getting set up with Kinde fast and easy. Use an SDK or API to quickly integrate Kinde into your product.

Interested? Get started for free or schedule a demo first.

See how Kinde compares to other authentication providers.

Get started now

Boost security, drive conversion and save money — in just a few minutes.