We are looking at implementing role-based access controls on some of our SaaS platforms due to entry into emerging markets. Does anyone have best practices to share?

Applications & PlatformsData Privacy
2.2k viewscircle icon3 Upvotescircle icon4 Comments
Sort by:
Senior Enterprise Architect, Application Consulting in Healthcare and Biotech2 years ago

Expanding on the prior excellent comments:  Don't overload roles with privileges that a user might need occasionally.  Grant users additional roles with specific privileges when needed, for example during a maintenance window.

CTO in Transportation2 years ago

We do have role based access control on our system where we allow our customers to define their own roles and assign to those roles different levels of access to the different areas and features of the application.

Access is granted to the feutres using standard REST (verb + url).

That way our code only needs to check for the permissions that way.

There are some frameworks out there that rely on pre established roles for the code to check for but that’s very limiting and difficult to maintain.

COO in Healthcare and Biotech2 years ago

Avoid the temptation to build access around individuals. Try to define roles, functions, groups up front so that you can plan appropriate access levels and differences needed.

That said, for an emerging market, plan on being nimble and needing to pivot often. So don’t over invest in this planning and design phase. Build flexibility into the design.

Lightbulb on3
Senior Director Of Technology in Software2 years ago

RBAC : Go with 

1. Department
2. Role
3. Permissions

Each user will have a role in a department and associated permissions. A user within the department can have multiple roles. Say a finance manager can have EDIT access to finance report but read only access to user data.

Keep in mind that there should be a restriction on admin role and an admin cannot create other admin.

Maintain audit log of each role and edits within roles.

Lightbulb on2

Content you might like

I’m looking for a “Ransom Consideration Matrix” to use as a supplement to a ransomware response decision tree. Ideally, it would include factors such as: Reputation Impact Scope of Attack Disruption to Operations Threat Intel / APT Reliability Condition of Backups Long-Term Sustainability of BCP Does anyone have any examples of a graphical decision tree or matrix that incorporates some of these types of elements? This is to include in a playbook.

We are dealing with a specific issue in our VDI non-persistent environment, which operates using Omnissa Horizon (formerly VMware). We are employing a hybrid join for authentication that integrates ADFS and Entra ID.   Here are the details of our problem:   1. **Environment**: VDI non-persistent using Omnissa Horizon 2. **Authentication Method**: Hybrid join with ADFS and Entra ID 3. **Issue**: Users are experiencing difficulties authenticating to Microsoft 365 apps within the virtual machine. The authentication process gets stuck in a loop when attempting to access the smartcard. I would appreciate any insights or experiences from others who have encountered similar issues or have a similar environment working successfully.

What's your most indispensable cloud infrastructure tools to use in addition to what you get from GCP, AWS, Azure?

HashiCorp (Terraform, Vault, Packer, etc.)22%

Cloud infra automation (Ansible, Puppet, Chef, etc.)56%

APM (Datadog, AppD, SignalFX, NewRelic, etc.)10%

Others?10%

View Results

Has anyone implemented Zelle directly with EWS (Enterprise Web Services) instead of going through a reseller-hosted experience? What were the biggest architectural, compliance, and operational challenges you encountered, and how did you address them? Can you please share your views on below...

1. Integration Complexity (How did you handle real-time messaging and settlement flows with Zelle via EWS & what middleware or orchestration layers were required?)

2. Compliance & Risk: What additional regulatory or fraud controls did you need to implement without the buffer of a reseller? How did you manage OFAC screening, KYC, and transaction monitoring?

3. Customer Experience: Were there any trade-offs in terms of UI/UX or mobile app integration? How did you handle customer support and dispute resolution? 
4. Operational Overhead: What internal capabilities did you need to build or scale (e.g., 24/7 support, reconciliation, exception handling)? How did you manage updates and changes to the Zelle network?  
5. Cost-Benefit Analysis: Was the direct integration more cost-effective in the long run? How did you measure ROI compared to a hosted solution?

6. Vendor & Network Relationships: What was your experience working directly with Early Warning Services (EWS)? Were there onboarding or certification hurdles?

What are your organization’s drivers for implementing RegTech?

Support future growth36%

Automate manual processes59%

Demonstrate compliance49%

Reduce risk exposure43%

Improve customer experience16%

Reduce costs13%

View Results