Design a Role-Based Access Model
Define roles by business responsibility, not by broad user groups. Typical production roles include Customer Viewer, Customer Approver, Vendor Coordinator, Vendor Compliance Reviewer, and Portal Admin. Role granularity helps you avoid over-permissioned accounts while still keeping administration manageable.
Implement Row-Level Security Rules
Row-level security should use immutable identifiers mapped from ERP records. Customer users should be filtered by customer account and optionally ship-to locations; vendor users should be filtered by vendor ID and buyer assignment where required. Server-side enforcement is mandatory so URL tampering cannot expose unauthorized records.
Use Separation of Duties for Approvals
For workflows that update ERP state, separate submit and approve privileges. This is especially important for returns approval, credit-impacting actions, and compliance overrides. Separation of duties improves audit readiness and reduces operational risk from mistaken or unauthorized changes.
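As an added illustration of the two preceding rules (row-level filtering by immutable ERP identifiers, and separating submit from approve), here is a small server-side authorization check. It is example code, not the portal product's own; the user/request types, the identifiers and the sample data are constructed, and the role names are the ones listed above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PortalUser:
    user_id: str
    roles: frozenset                              # e.g. {"Customer Approver"}
    customer_accounts: frozenset = frozenset()    # immutable ERP customer account IDs
    ship_to_ids: frozenset = frozenset()          # optional ship-to restriction; empty = all
    vendor_ids: frozenset = frozenset()           # immutable ERP vendor IDs (unused here)

@dataclass(frozen=True)
class ReturnRequest:
    request_id: str
    customer_account: str
    ship_to: str
    submitted_by: str                             # user_id of the submitter

def visible_returns(user, requests):
    """Row-level filter, applied server-side on every read, so a tampered URL
    (another account's request_id) simply matches nothing."""
    return [
        r for r in requests
        if r.customer_account in user.customer_accounts
        and (not user.ship_to_ids or r.ship_to in user.ship_to_ids)
    ]

def lookup_by_id(user, request_id, requests):
    """Single-record fetch goes through the same filter; None if out of scope."""
    hits = [r for r in visible_returns(user, requests) if r.request_id == request_id]
    return hits[0] if hits else None

def can_approve_return(user, request):
    """Approve = in scope AND holds approver role AND did not submit it (SoD)."""
    if not visible_returns(user, [request]):
        return False
    if "Customer Approver" not in user.roles:
        return False
    return request.submitted_by != user.user_id

# Constructed sample data (hypothetical identifiers)
REQUESTS = [
    ReturnRequest("R-1001", "CUST-100", "SHIP-1", submitted_by="alice"),
    ReturnRequest("R-1002", "CUST-100", "SHIP-2", submitted_by="bob"),
    ReturnRequest("R-2001", "CUST-200", "SHIP-9", submitted_by="carol"),
]
ALICE = PortalUser("alice", frozenset({"Customer Viewer", "Customer Approver"}),
                   customer_accounts=frozenset({"CUST-100"}))
BOB = PortalUser("bob", frozenset({"Customer Viewer"}),
                 customer_accounts=frozenset({"CUST-100"}),
                 ship_to_ids=frozenset({"SHIP-2"}))
```

Note that `can_approve_return` never trusts a client-supplied account ID: scope is derived from the user's ERP mapping, and the submitter check rejects self-approval even for a fully in-scope approver.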
Run Access Reviews on a Schedule
Review active users, role assignments, and exception grants at least quarterly. Remove stale users after supplier turnover or customer account changes. Align these reviews with ERP master-data reviews so portal access stays consistent with the latest account ownership.