Most permission systems start out simple. There is an admin, and there is everyone else. Then a customer asks if a person can approve a purchase order but not delete it, and the simple system stops working. If you want to design permissions that survive this kind of growth, here is a plan that keeps a few key ideas separate from the start, since they are easy to mix up early on and expensive to untangle later.
A permission is really answering two questions at once. What action is allowed, and in what part of the company. A regional manager who can approve purchase orders should only be able to do that for their own region's branches, not for every branch in the company. If your system only stores whether someone can approve purchase orders, yes or no, with no sense of place, you will end up adding that sense of place later as a special case for one customer, and it will never feel as clean as if you had planned for it. Build in a sense of place, such as store, branch, or department, from day one, even if your first customer only has one location.
It is tempting to create a brand new named role every time a customer asks for a slightly different mix of permissions. Regional approver. Junior regional approver. Regional approver, no delete. This grows out of control fast. A better plan is the opposite. Define small permission keys, one for each action that matters, such as approve purchase order or delete purchase order, and let a role simply be a named, reusable group of those keys that an admin puts together. A new mix of permissions then becomes a setting an admin changes, not new code someone writes.
Almost every system ends up with some account that skips all the detailed checks. That is fine, as long as it is one clear, well known account that gets logged every time it is used. A clear super user check that gets written to a log each time is something you can review later. A role that quietly has every single permission key, with no one noticing, is a problem waiting to be found during a security review.
When you launch a new part of the system, you should know who can use it before launch, not after. The safe plan is that a new permission key starts off denied for everyone except the super user, and access is given out on purpose, role by role. Systems that let a new feature default to open to anyone logged in, simply because nobody assigned a key yet, will eventually let the wrong people use it. This is usually found during an audit, not before one.
A log of actions tells you what already happened. It does not tell you what could have happened. Set a regular time, maybe once a quarter, to check which roles hold which keys, and ask why. This turns into a five minute check if your design uses small keys, and a multi day investigation if it does not.
Follow these five steps in order and your permission system will still make sense the day a customer asks for something you did not plan for.
Maybeach Tech designs permission systems for companies with many locations, departments, and approval chains. Get in touch and we will look at yours together.
