HubSpot Role Based Access Control
HubSpot introduced roles & permissions about 4 years ago. In doing so, they enabled their customers to apply role-based access control to application functionality.
What they do well:
They’ve done a nice job of clearly documenting the permissions assigned to each role.
Integration with user invitation flow
As an account admin you select the role of the user as step 2 of the invite flow:
Account permissions that would potentially give the user full access are separated from the standard roles and are defaulted to non-admin status (reducing the likelihood of just moving ahead with defaults and making many admins).
Role names & more info
Standard account roles (i.e. “Marketing”) have been given fairly descriptive names, and a link to the full documentation is provided for more details.
Within roles there are sub-permissions for various types of application actions. Ultimately they’ve settled on three permission types for each: Write & Publish, Write Only, and Read Only.
Integrated into the user list
The user list clearly illustrates the role of each user at a glance. The list can be filtered by role types. Admins can easily edit permissions of users anytime.
Overall - Simplicity
They’ve accomplished a fairly complex task of defining roles/permissions and made it a native and intuitive process.
Where they’ve missed the mark
Lack of flexibility & control
The simplicity of predefined roles makes it incredibly easy to get started, but it also lacks the power and flexibility of a system that allows admins to create custom roles. In fact, this is the most popular “Help & Settings” request from their customers.
Permission enforcement messaging
There are also issues with how permissions are enforced. Users without the permission to add users can still visit the page (they simply see the users list).
They can even begin the flow to add users, but since they can’t select roles they can’t make it further.
Similar issues come up when trying to access a section for creating a blog post. Except this time, the user can take the action but then gets an error message.
At no point are any of these users shown messaging indicating that they lack the required permissions for the task they’re attempting. Such alerts are absent, which will likely leave users confused.
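As an added example (not HubSpot’s code), the Python sketch below models the three permission types the post names as an ordered lattice and checks every step of a flow at its entry point, so a user is told which permission they lack before starting rather than after an error on the last step. The role table, the "Contributor" and "Admin" roles, and the resource and action names are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Permission types as an ordered lattice: each level implies the lower ones."""
    NONE = 0
    READ_ONLY = 1
    WRITE_ONLY = 2
    WRITE_AND_PUBLISH = 3


# Hypothetical role table; "Marketing" is the only role named in the post.
ROLES = {
    "Marketing": {"blog": Level.WRITE_AND_PUBLISH, "users": Level.NONE},
    "Contributor": {"blog": Level.WRITE_ONLY, "users": Level.NONE},
    "Admin": {"blog": Level.WRITE_AND_PUBLISH, "users": Level.WRITE_AND_PUBLISH},
}

# Minimum level each action requires (assumed mapping).
REQUIRED = {
    "view": Level.READ_ONLY,
    "create": Level.WRITE_ONLY,
    "publish": Level.WRITE_AND_PUBLISH,
    "invite": Level.WRITE_AND_PUBLISH,
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # human-readable text suitable for showing the user


def authorize(role: str, resource: str, action: str) -> Decision:
    # Unknown roles, resources or actions fail closed.
    have = ROLES.get(role, {}).get(resource, Level.NONE)
    need = REQUIRED.get(action)
    if need is None:
        return Decision(False, f"unknown action '{action}'")
    if have >= need:
        return Decision(True, "ok")
    return Decision(False, f"'{action}' on '{resource}' requires "
                           f"{need.name}; role '{role}' has {have.name}")


def gate_flow(role: str, resource: str, actions: list[str]) -> Decision:
    """Check every step of a multi-step flow before rendering its first page."""
    for action in actions:
        d = authorize(role, resource, action)
        if not d.allowed:
            return d  # surface the denial and its reason up front
    return Decision(True, "ok")
```

Calling `gate_flow("Contributor", "blog", ["create", "publish"])` denies at entry with a reason naming the missing level, instead of letting the user write the post and fail on publish.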