Enhancing user experience and access control in a complex SaaS Roles & Permissions system.

The Challenge

Protect is the leader in Enterprise Risk Management software and services across the APAC, EMEA, and North America regions. Used by Government and Financial Services Protecht.ERM allows companies to integrate risk management into their day-to-day activities seamlessly.

Protecht ERM  faced a critical issue with its Roles and Permissions system. The existing setup was poorly structured, with an overwhelming list of over 3000 permissions for each role.

The company has received many complaints from customers about the complexity and poor user experience of their Roles feature.  Manually adding permissions one by one became daunting, making it challenging for administrators to activate or monitor active licenses effectively. This disorganized approach made it impossible to have efficient management of access control.

A dedicated space to view, assign, and manage Roles and Permissions was seen as highly desirable. Customers were looking for a way to streamline this process.

Protecht's implementation specialists and advisers were inundated with complaints and requests for assistance in configuring organization roles and permissions. Onboarding new customers could take up to nine (!) months, primarily due to the complexities of roles and permissions setup.

Also,  a new business model was initialed that charges customers based on the quantity and types of roles and licenses.

In the early project stages, we engaged in user research to understand how our enterprise customers preferred to assign permissions to roles. Users expressed a critical need to maintain granular control over access, particularly for sensitive records, emphasizing the importance of selectively sharing information.

They needed a quick way to view active permissions for each role and an easy method to manage them. This feedback guided our UX redesign, focusing on user-friendly features to streamline access control management.

We also teamed up with the Lead Architect to tackle the technical side of the project. Together, we ensured a seamless transition for our customers' existing data into the new system, maintaining data security and integrity throughout the process.

Informed by user research and insightful stakeholder interviews, we proceeded to define the categories of roles and permissions. Additionally, we developed a set of rules and established a clear taxonomy governing the process of assigning permissions to roles.

This meticulous approach allowed us to create a well-structured and intuitive system, aligning precisely with the needs and expectations of our users while ensuring consistency and efficiency in managing access control.

We tested two design concepts to optimize our Roles & Permissions system. 

For the first concept, we assigned a set of permissions based on Read/Write or Edit rights, organized by access rights and specific actions tailored to each product module. Admins could create new rules, allowing for a high level of control over role permissions. The idea behind this concept was to initially grant permissions at a more generalized level, with the ability for administrators to create new rules if necessary.

However, feedback from usability testing showed that customers wanted to see all permissions upfront and to clearly understand what permissions were included in Read/View/Edit groups. They found it difficult and confusing to create a new rule without proper visibility.

The Refined Design: Incorporating User Feedback

Based on customer feedback, the second concept displays all permissions for each Resource module upfront, grouped together to create a clear visual hierarchy. The predefined number of permissions from the first concept was implemented into the second one through templates (built-in roles) for different types of roles, making the setup process easier. Additionally, the ability to change the number of permissions in a visual and flexible manner was also proven.