Designing access control (permissions) for an enterprise app – SaaS app

Designing access control (permissions) for an enterprise app is pivotal, because these applications keep evolving as the company grows.

As a designer, understanding access control helps you design user management screens. I am sharing some concepts and ideas based on my long experience in designing SaaS applications.

ACL (Access Control List)

It is permission-based access control in which each user is allowed to perform particular operations. No role is given to the user in an ACL; instead, each user is granted access to a set of operations individually as he or she is onboarded.

Access Control List Diagram - Reality On web

RBAC (Role-based access control)

ACL is good for a small set of users, but managing users becomes cumbersome as the application's user base grows. RBAC is an alternative approach that manages users with little effort: the permissions needed to perform certain operations are grouped into a role. Changes to permissions are then made on the role, and they apply to every user holding that role. You need not change the permissions of each user.

RBAC Diagram in Reality On Web

GBAC (Group-based access control)

The RBAC approach becomes inconvenient as the product gets more complex and starts serving many users. Imagine you are trying to onboard a new branch of the company and have to assign roles to hundreds of users one by one.

In the GBAC model, you create groups first and assign roles to the groups rather than to individual users. Because the role policy is attached to the group, adding a user to the group is all that is needed, which simplifies permission control considerably.

GBAC Diagram in Reality on Web

Inheriting Permissions

In a product with a large user base, a super admin may want to assign a sub-admin role to delegate fine-grained permission management. In this access control model, permissions defined on a group can be inherited by its sub-groups, so the sub-admin's scope follows the group hierarchy.

Inheriting Permission Diagram in Reality on Web
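To make the four models concrete, here is an added Python example (not from the article) that implements ACL, RBAC, GBAC and group inheritance in one small permission resolver. The role names, permission strings and the "delhi-branch" / "delhi-finance" groups are constructed for illustration; it shows that a branch of many users is onboarded by a single group assignment, that one change on a role reaches every holder, and that a child group inherits its parent's roles.

```python
from dataclasses import dataclass, field

# Constructed role -> permission mapping for a hypothetical SaaS app (not from the article).
ROLE_PERMS = {
    "viewer": {"invoice:read"},
    "editor": {"invoice:read", "invoice:write"},
    "sub_admin": {"invoice:read", "invoice:write", "user:manage"},
}

@dataclass
class Group:
    name: str
    roles: set = field(default_factory=set)
    parent: "Group | None" = None  # a child group inherits its parent's roles

    def effective_roles(self) -> set:
        inherited = self.parent.effective_roles() if self.parent else set()
        return self.roles | inherited

@dataclass
class User:
    name: str
    acl: set = field(default_factory=set)       # ACL: operations granted directly
    roles: set = field(default_factory=set)     # RBAC: roles granted directly
    groups: list = field(default_factory=list)  # GBAC: groups the user belongs to

def effective_permissions(user: User) -> set:
    """Union of direct ACL grants and the permissions of every effective role."""
    roles = set(user.roles).union(*(g.effective_roles() for g in user.groups))
    return set(user.acl).union(*(ROLE_PERMS.get(r, set()) for r in roles))

def demo() -> dict:
    """Onboard a branch through a group, then change one role and watch it propagate."""
    branch = Group("delhi-branch", {"editor"})
    finance = Group("delhi-finance", {"sub_admin"}, parent=branch)
    alice = User("alice", acl={"report:read"})                        # ACL only
    bob = User("bob", roles={"viewer"})                               # RBAC only
    staff = [User(f"staff{i}", groups=[branch]) for i in range(100)]  # GBAC: no per-user edits
    carol = User("carol", groups=[finance])                           # inherits branch roles
    before = all("invoice:export" not in effective_permissions(u) for u in staff)
    ROLE_PERMS["editor"].add("invoice:export")  # one change on the role, no user touched
    return {
        "alice": effective_permissions(alice),
        "bob": effective_permissions(bob),
        "carol": effective_permissions(carol),
        "staff_before_role_change": before,
        "staff_after_role_change": all("invoice:export" in effective_permissions(u) for u in staff),
    }
```

Calling demo() shows carol holding both the sub_admin role of her own group and the editor role inherited from the branch, while the hundred branch users gain the new permission without any per-user update.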

Author: Gopal Juneja

A UX/UI enthusiast living in Delhi, India, with 18+ years of industry experience in beautiful design and handsome front-end coding.
