Midsize business

Role-based access control for CFOs & accounting departments

Meeting your goals for growth is one of the most rewarding feelings a business owner can experience. You’re hiring new employees, increasing revenue, and making a name for yourself. But as your business grows, so does your list of responsibilities.

If you’re reading this article, chances are your business has grown large enough that it’s no longer feasible for everyone in the company to have user access to the same financial information.

Your sales team needs access to certain numbers for reporting. Your accounting team needs full system access to revenue and expenses. Auditors and consultants need data, but not every last digit. As a CFO, it’s crucial to keep the right information in the right hands. What’s more, it’s the only way to do the job effectively.

Role-based access control (RBAC) solves this problem, allowing teams to share the workload while ensuring sensitive information is available only to the people who need it.

Why CFOs have embraced role-based access control and user permissions

RBAC systems (sometimes called user permissions or user roles) enable growing organizations to grant or restrict user access as leadership sees fit. Think of it as a key system in a hotel: Some keys only open one door, others grant access to the pool or gym, while the master key can open every door in the building.

The concept of the RBAC model originated in the early 1990s in IT management. But as software, data aggregation, and data cybersecurity have evolved over the past two decades, RBAC has become increasingly relevant—and necessary—for accounting departments.

The National Institute of Standards and Technology (NIST) reports that as of 2010, the majority of businesses with more than 500 employees use RBAC systems—and for good reason. Here’s a snapshot of how the RBAC model gives businesses an advantage:

  • Less risk of cybersecurity breaches and data leakage
  • Better cybersecurity compliance with customer data or industry standards
  • Streamlines operations by limiting possibilities of data inconsistencies or unnecessary user access
  • Increases scalability by setting role types to apply to old, new, or future employees

Let’s explore some of the benefits of RBAC in-depth.

How do user permissions and role permissions shape and streamline accounting?

As your accounting and operations teams grow, so does the need for the security and integrity of your data. While it’s important to trust employees with the information they can access, that doesn’t justify handing over the “master key” to a junior accountant.

For example, employees in accounts payable don’t need complete access to their company’s books. On the other hand, an AP manager should have access to more detailed information such as account balances and pending transactions. But they shouldn’t have as much access as the CFO, who has a window into the overall financial health of the business.

Bottom line: There is no one-size-fits-all approach to information access management in the digital era of accounting.

Fortunately, RBAC systems can handle these nuances while also streamlining operations. Instead of trying to administer lower-level user access control, RBAC lets CFOs align custom roles with the unique structure of the business. Role assignment ensures that each team member has a clearly-defined role within the organization, which keeps workflow organized without sacrificing security and integrity.

One reason the RBAC model may not seem necessary is that it appears easy to assign new users on an ad-hoc basis as employees join and leave the company. However, the time and effort it takes to manually set up and shut down individual users can quickly become unsustainable for a growing business.

Contrast this chaos with RBAC, which makes the role assignment of access rights systematic, repeatable, and scalable.

What are best practices for individual user and role permissions in accounting departments?

An RBAC system can only reach its potential when a team implements it properly. So, what responsibilities do you have to make that happen? Best practices for implementing RBAC in accounting departments boils down to four points that revolve around clarity and organization.

1. Establish clear definitions for individual users.

Employees shouldn’t have to waste time deciphering what their role permissions are. A rule of thumb to achieve clarity is to match the permission names to screen and action names.

For example: If the action in the product is “Raise Payment Request,” the permissions could be represented as “Process Payment.

2. Avoid creating too many different definitions of roles.

Bombarding your team with an endless list of roles defeats the purpose of the RBAC model. Left unchecked, role-based access control can quickly turn into user access control—the exact problem you want to avoid.

3. Make sure roles are user-agnostic

In order to maximize security and integrity, the creation and management of role permissions should not be influenced by users. Rather, these practices should be standardized—no special treatment.

4. Organize and train staff to observe these roles along with the corresponding limitations and user access.

Role assignment of user roles and permissions may raise questions such as:

  • Why don’t I have access to X data?
  • How much access does my junior accountant have?
  • Will these permissions ever change?

The best way to address this is with transparency from the get-go. Set up a meeting or share a detailed explanation that addresses potential questions and concerns before they arise. An open dialogue upfront can mitigate hours of confusion in the long run.

As you can see, the RBAC model gives you plenty of control over who can access your company’s sensitive data. But what if you want an even higher level of customization?

Access control lists, attribute-based, and rules-based access control (ACL, ABAC, RuBAC) for accounting departments

RBAC offers a simple, customizable approach to managing permissions within accounting departments. However, there are a few variations that can provide additional granularity.

Access control lists (ACL)

An ACL lets accounting departments define access rights by an individual user or user group to a specific data set or document. For example, an ACL could enable users from one department to edit a spreadsheet, while users from another department can only view the spreadsheet.

Attribute-based access control (ABAC)

ABAC is a way to define user access control by specific user attributes. These attributes, such as location, time of day, or user department, can determine whether a user’s role request will be granted.

Rules-based access control (RuBAC)

As the name implies, RuBAC determines user access by preset rules rather than individual users or groups. Let’s say you only want employees to have access to files between 8 a.m. and 6 p.m. Rather than locking that person out manually, RuBAC will apply the “rule” automatically every day until you change it.

Note that RuBAC may need to be programmed into your network in the form of code as opposed to simply checking a box.

If your accounting department requires a more dynamic approach to managing user permissions, one of these models may be in your best interest. Use them in tandem to increase control based on your needs.

Keep in mind: ACL, ABAC, and RuBAC will increase the time and effort required to create and maintain the necessary permissions.

Share the Workload, Not Sensitive Information

For a growing business, delegating responsibilities is crucial, especially within the accounting department. RBAC enables team members on various levels to accomplish their work while also maximizing the security and integrity of sensitive data.

RBAC systems do more than bolster cybersecurity, though—they streamline the management of user permissions by making them systematic and scalable. Just make sure you keep the definitions of those permissions clear and organized.

In short: RBAC is a safe, smart system access model for your accounting department to manage its workload. Remember the hotel key analogy: Not everyone needs the master key to make the most of their stay.

Looking for something else?


From big jobs to small tasks, we've got your business covered.

Firm of the Future

Topical articles and news from top pros and Intuit product experts.

QuickBooks Support

Get help with QuickBooks. Find articles, video tutorials, and more.