Enhancing UX and access control in a complex SaaS Roles & Permissions system.

User Research, UX strategy

IA, User flows, Prototyping 

UI design, Usability testing

The Challenge

Protecht, a leader in Enterprise Risk Management software, faced a critical issue with their flagship product, Protecht.ERM. Used by government agencies and financial services across APAC, EMEA, and North America, the platform enables seamless integration of risk management into daily operations. However, the existing Roles and Permissions system was poorly structured, with an overwhelming list of over 3000 permissions for each role.

User pain points

Customers frequently complained about the complexity and poor user experience of the Roles feature. Administrators had to add permissions manually, one by one, which they found daunting and which made it challenging to activate or monitor active licenses effectively. This disorganized approach made efficient management of access control nearly impossible.

Business Impact

Protecht's implementation specialists and advisers were inundated with requests for assistance in configuring organization roles and permissions. The onboarding process for new customers could take up to nine months, primarily due to these complexities.

 

Additionally, a new business model that charged customers based on the quantity and types of roles and licenses was initiated, further highlighting the need for improvement.

Project summary

To address these challenges, we launched a comprehensive redesign project focused on improving the user experience and interface of the Roles and Permissions system. Our goal was to simplify the process of assigning and managing permissions while ensuring clarity and transparency in the access control structure.

The Process and Insights

User Research

In the early stages, we conducted in-depth user research to understand how enterprise customers preferred to assign permissions to roles. Key findings included:

  • Users needed to maintain granular control over access, especially for sensitive records.
  • A quick way to view active permissions for each role was essential.
  • An easy method to manage permissions was highly desired.

We collaborated closely with the Lead Architect to ensure a seamless transition of existing customer data into the new system, maintaining data security and integrity throughout the process.

User flow and categorization of roles and permissions

Permissions rules and taxonomy

Information Architecture and User Flows

Informed by our research, we focused on creating a logical and intuitive structure for the Roles and Permissions system. Our approach included:

  • Defining clear categories of roles and permissions
  • Developing a set of rules governing the process of assigning permissions to roles
  • Establishing a clear taxonomy to ensure consistency and efficiency in managing access control

We crafted user flows that prioritized intuition and efficiency, always keeping the end user in mind. These flows mapped out the journey of administrators as they created roles, assigned permissions, and managed access control. By visualizing these processes, we identified opportunities to streamline interactions and reduce cognitive load.

 

The information architecture we developed served as the foundation for our design, ensuring that users could easily navigate the complex system and find the information they needed quickly. This meticulous approach allowed us to create a well-structured and intuitive system that aligned precisely with user needs and expectations.

Design Concepts and Usability Testing

We tested two distinct design concepts to optimize the Roles & Permissions system:

 

1. The first concept assigned permissions based on Read/Write or Edit rights, organized by access rights and specific actions for each product module. Administrators could create new rules for granular control.

 

However, feedback from usability testing showed that this concept fell short of user expectations. Customers found it difficult to understand what permissions were included in the Read/View/Edit groups and were confused by the process of creating new rules without proper visibility. It became clear that we needed to refine our approach.

Creating a New Role and assigning Permissions

Usability testing of the initial new-role flow drew negative customer feedback on assigning permissions based on Read/Write or Edit rights.

2. Based on the feedback received, we developed a second concept. This refined design displayed all permissions for each Resource module upfront, grouped to create a clear visual hierarchy. We implemented predefined templates (built-in roles) and added the ability to change permissions visually and flexibly.

 

Through rigorous usability testing of this second concept, we allowed real users to guide our decisions. Their feedback was invaluable, helping us strike the perfect balance between comprehensive control and user-friendly simplicity.

The result

Our comprehensive redesign project successfully established a streamlined and intuitive role-based permission system with universal access control levels anchored in well-defined built-in roles. Key improvements included:

  • Simplified permission assignment and management processes
  • Increased clarity and transparency throughout the access control structure
  • Significantly reduced setup time for new enterprise customers
  • High customer satisfaction

As a result, the setup time for new enterprise customers was significantly reduced, from 9 months to just 2 months, leading to high satisfaction among our customers. This dramatic improvement in onboarding efficiency not only enhanced the user experience but also positively impacted Protecht's business operations.

 

This transformation addressed the challenges Protecht faced and improved overall user experience. The success of this project demonstrated the power of user-centred design in solving complex SaaS challenges and delivering tangible business results.

 

By focusing on user needs, developing a robust information architecture, creating optimized user flows, and iterating through design concepts, we were able to create a Roles and Permissions system that not only met but exceeded customer expectations. The significant reduction in setup time and the resulting increase in customer satisfaction underscored the value of our user-centric approach and the importance of thoughtful UX design in enterprise software solutions.
