Back to features
Feature deep dive

Role-Based Access

Roles, access items and action-level security

Define roles as collections of access items, assign action-level access rules, hide sensitive entity details and secure critical actions with MFA, audit logs and admin controls.

Ofisync dashboard preview for Role-Based Access
ofisync.app / role-based-access

Access control

Action protected

Role includes 14 access items
Entity visible, billing hidden
Admin action requires MFA

Live business context

Define roles as collections of access items, assign action-level access rules, hide sensitive entity details and secure critical actions with MFA, audit logs and admin controls.

Roles
MFA
Audit

Why it matters

Access is defined at the action, role and entity level.

Role-Based Access in Ofisync separates users, roles and access levels. A role is a collection of access items, and each action can be governed by rules such as open access, user group access, user tag access, role-based access, user-specific access or admin-only access.

AdminsIT teamsCompliance teamsDepartment leads

Let users access the records they need while hiding sensitive parts they are not allowed to see.

Model access around roles, groups, tags, specific users and administrators instead of one broad permission switch.

Keep changes to roles, actions and protected records traceable through audit logs and security checks.

Guided workflow

From setup to daily execution.

1

Define access items

Create the access items that represent what users can view, create, edit, approve, delete, export or administer.

2

Build roles from access

Group access items into roles, then assign users, groups or tags depending on how the organization manages responsibility.

3

Secure and audit

Apply MFA and privileged controls to sensitive actions, then use audit logs to review who accessed, changed or attempted protected operations.

Access model fit

Built around roles as collections of access items.

A user may be allowed to open a client, project or billing record, but still be blocked from viewing financial fields, editing sensitive details, exporting data or approving an action. The access model needs to control the exact action, not just the page.

Broad roles expose too much data when users only need one part of an entity.
Teams need access rules for specific actions, not only module-level visibility.
Administrators need several access patterns, including groups, tags, roles, individual users and admin-only restrictions.
Security-sensitive actions need MFA, audit logs and traceability when roles or access rules change.
User story

How Role-Based Access works in practice.

1

Scenario 1

Access starts with items, not vague permissions

The system defines access items for actions users can perform. These actions can be as broad as viewing a module or as narrow as approving a specific record, exporting data or seeing a sensitive section.

2

Scenario 2

Roles are collections of access items

A role is built by combining access items. Instead of giving users a flat title with unclear power, admins decide exactly which actions belong to a role.

3

Scenario 3

Each action can use the right access level

An action can be open to all authenticated users, limited to a user group, allowed by user tags, controlled by role, restricted to named users or reserved for administrators.

4

Scenario 4

Users inherit power through roles, groups and tags

A user can receive access because of their assigned role, membership in a user group, assigned tags or direct inclusion on a user-specific access list.

5

Scenario 5

Entity access can still hide sensitive parts

A user may be allowed to open an entity while some fields, actions or sections remain hidden. This allows access to the record without exposing everything inside it.

6

Scenario 6

Admin access protects privileged operations

Some actions are reserved for administrators or privileged users. These can include role management, access rule changes, protected approvals or other high-risk operations.

7

Scenario 7

MFA strengthens sensitive access

Multi-factor authentication can be used to add security around login and sensitive actions, especially where privileged access or account security is involved.

8

Scenario 8

Audit logs make access accountable

The system can record who changed roles, who accessed protected records, who attempted restricted actions and which security-sensitive operations were performed.

9

Scenario 9

Access rules stay connected to real work

Because access is defined per action and can apply across entities, teams can protect clients, files, projects, billing records, documents, credentials and other modules with the same model.

Access scenarios

Where granular permissions protect daily work.

Access scenario 1

Action-level access control

An admin can define who can view, edit, approve, delete, export or perform another action using the access level that fits that action.

Access scenario 2

Entity access with hidden details

A user can have access to an entity while selected aspects of that entity remain hidden because their role or access items do not allow those details.

Access scenario 3

Privileged security controls

Admin-only actions, role changes and sensitive operations can require stronger protection, including MFA and audit logs.

Open Access allows all authenticated users to access an item without additional restrictions.
User Group Access restricts access to members of specific user groups defined in the system.
User Tag Access grants access based on assigned user tags or labels.
Role Based Access determines access from the user's assigned role and permissions.
User Specific Access restricts access to explicitly defined individual users.
Admin Access is reserved for system administrators or privileged users.

Inside access control

A security workspace for roles, users and protected actions.

The access workspace keeps users, roles, access items, access levels, MFA, privileged actions, entity visibility, hidden fields and audit logs connected so admins can define exactly who can do what.

Admins

Access items, role composition, MFA, admin-only actions and audit logs

Managers

User groups, user tags, assigned users and team-level action permissions

Users

Allowed entities, hidden fields, permitted actions and restricted operations

Access records

What defines roles and permissions

Users, roles, access items, user groups and user tags
Open Access, User Group Access, User Tag Access, Role Based Access, User Specific Access and Admin Access
Action-level permissions for view, create, edit, approve, delete, export and administration
Entity access, hidden entity sections, field visibility and protected actions
MFA status, privileged access checks, login security and audit events

Security movement

Actions Ofisync can prepare from access rules

Apply role-based access items when a user receives a role
Grant or restrict actions based on user groups, tags or explicitly selected users
Hide protected entity sections when the user's access does not allow them
Require MFA or elevated checks for privileged actions
Record role changes, access attempts and protected actions in audit logs

Access view

Role composition

Review which access items belong to each role and which users inherit those permissions.

Access view

Access level review

Check whether actions are controlled by open access, groups, tags, roles, specific users or admin-only restrictions.

Access view

Security audit

Review MFA activity, role changes, restricted action attempts and access to protected entity sections.

Ready to see it live?

Walk through Role-Based Access with an Ofisync specialist.

We will map the demo around your business workflow, show the connected modules and help you identify the fastest path to rollout.

Request Demo