October 23, 2014

Role-based Access vs. User-based Access

If you’ve shopped for business software, you’ve likely heard the terms “role-based” and “user-based” access, but may have wondered what they meant. We’re here to introduce you to these concepts as part of a series on commonly misunderstood terms that software buyers need to know.

Role-based and user-based access are both forms of what's called "access control." Just like it sounds, access control limits who can access certain areas of a software system, and the actions they can perform there. Access control is a standard security concept, and should be familiar to any user of business software, even if they are unfamiliar with the term.

What is User-Based Access?

User-based access, sometimes called user-based permissions, is a method of securing software and its features at the individual level. The most basic form of user-based access is a simple login and password combination that either grants or denies access. More advanced software systems include the ability to assign specific permissions to specific users. This approach has both benefits and drawbacks. User-based access allows more granular control of the system. However, such control can entail increased management work, as any change to permission settings usually has to be made separately for each user. If you want to specify exactly which parts of a software system or database each employee can access, you'll want to look for software that includes user-based access as a feature. Companies with security concerns or highly flexible team roles will likely prefer this type of permission setting.

What is Role-Based Access?

Role-based access (or role-based permissions) adds another layer of categorization on top of what is provided by user-based access. Users are still given a login and password, but instead of their access being determined on an individual level, role-based access allows users to be assigned to groups that are in turn assigned particular capabilities. Examples of common groups include administrators, managers, super-users, users, etc. This approach has a few advantages over user-based access. For example, it is much easier to edit user capabilities in bulk, because changing the permissions of a particular role will change the settings for all users assigned to that role. Of course, there are drawbacks: if a user needs some, but not all, capabilities of a particular role, limiting that user will require the creation of a new, separate role. For companies with clearly structured hierarchies and defined information-sharing policies, role-based access is likely the most efficient way to manage permission settings.
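
The two models side by side, as an added illustration that is not taken from any product: the same policy change costs one edit per user in the user-based model and a single edit in the role-based one, while limiting one user forces a new role. All user, role and permission names are hypothetical.

```python
# Constructed sample data: user names, role names and permission strings are
# hypothetical and do not come from any particular product.
MANAGER_PERMS = {"view_reports", "export_reports", "approve_expenses"}
MANAGERS = ["alice", "bob", "carol"]

class UserBasedACL:
    """Permissions are attached directly to each user."""
    def __init__(self):
        self.grants = {}                      # user -> set of permissions
    def grant(self, user, perm):
        self.grants.setdefault(user, set()).add(perm)
    def revoke(self, user, perm):
        self.grants.get(user, set()).discard(perm)
    def allowed(self, user, perm):
        return perm in self.grants.get(user, set())   # unknown user: deny

class RoleBasedACL:
    """Users are assigned to roles; only roles carry permissions."""
    def __init__(self):
        self.role_perms = {}                  # role -> set of permissions
        self.user_roles = {}                  # user -> set of roles
    def define_role(self, role, perms):
        self.role_perms[role] = set(perms)
    def assign(self, user, roles):
        if set(roles) - set(self.role_perms):
            raise KeyError("cannot assign an undefined role")
        self.user_roles[user] = set(roles)
    def allowed(self, user, perm):
        return any(perm in self.role_perms[r]
                   for r in self.user_roles.get(user, ()))

def demo():
    ub, rb = UserBasedACL(), RoleBasedACL()
    rb.define_role("manager", MANAGER_PERMS)
    for user in MANAGERS:
        rb.assign(user, ["manager"])
        for perm in MANAGER_PERMS:
            ub.grant(user, perm)
    # Policy change: managers may no longer export reports.
    for user in MANAGERS:                     # user-based: one edit per user
        ub.revoke(user, "export_reports")
    rb.role_perms["manager"].discard("export_reports")  # role-based: one edit
    # carol keeps everything a manager has except approving expenses.
    ub.revoke("carol", "approve_expenses")    # user-based: edit her directly
    rb.define_role("manager_no_approve",      # role-based: needs a new role
                   rb.role_perms["manager"] - {"approve_expenses"})
    rb.assign("carol", ["manager_no_approve"])
    return ub, rb
```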

Which One Do I Need?

For most applications, role-based access is the superior choice, but more security-conscious firms may prefer a user-based approach for permissions. Ultimately, as with most software purchases, the best solution will be determined by the unique needs of your business. For more information about this and other software topics, check out the TechnologyAdvice blog, chat with us online, or give one of our product experts a call today for a no-obligation consultation.