Access Controls
The right people see the right data. No more, no less.
Access controls aren't just about keeping bad actors out - they're about ensuring every team member has exactly the access they need to do their job, without exposing data they shouldn't see. From field-level permissions to geographic restrictions, Firm App gives you precision control.
Why Fine-Grained Access Matters
In energy management, data sensitivity varies dramatically. A landman needs to see lease terms but shouldn't access accounting records. An AR clerk needs payment history but doesn't need to see legal documents. A regional manager needs Texas data but has no business seeing New Mexico operations.
Blanket "all or nothing" permissions create risk. Give too little access, and people can't do their jobs. Give too much, and you've expanded your attack surface and compliance exposure. The answer is precision: access that matches job function exactly.
Layer 1: Authentication
Before anyone accesses anything, they must prove who they are. Firm App supports multiple authentication methods to match your security requirements.
Strong Passwords
Every password must meet minimum complexity requirements. No weak passwords allowed - period.
Multi-Factor Authentication
Recommended. Something you know plus something you have. Even if passwords are compromised, accounts stay protected.
Single Sign-On
Integrate with your existing identity provider. One login for all your enterprise applications.
Layer 2: Role-Based Access
Roles define what a user can do in the system. Instead of configuring permissions for each individual, assign users to roles that match their job function.
Full system access. Configure settings, manage users, access all data and reports.
Expanded access for supervisory roles. Approve changes, view team data, run reports.
Standard operational access. Work with assigned records, basic features.
Beyond Default Roles
The three default roles are starting points. Create custom roles that match your organization's structure exactly.
Layer 3: Field-Level Control
Sometimes role-level access isn't enough. You need to control exactly which fields a user can see or edit, even within records they can access.
Example: Contact Record
Same contact, different views based on role
Why This Matters
Users only see data relevant to their job function
Demonstrate need-to-know access for auditors
Limit damage from compromised accounts
Geographic & Segment Restrictions
Need Texas staff to only see Texas owners? New Mexico operations isolated from Oklahoma? Limited permissions let you restrict access based on any data attribute - state, region, department, product type, or custom criteria.
When a user with geographic restrictions searches, the system filters results automatically. Restricted records are not merely hidden from view; the user gets no indication that they exist. That leaves no room for accidental exposure or curiosity-driven browsing.
Texas Staff: Only TX records visible
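To make the field-level and geographic layers concrete, here is an added example that is not Firm App's code: the contact records, roles, field grants, restriction format and function names are all constructed for illustration. It shows a row-level attribute restriction (state = TX) evaluated before a search matches anything, so hidden records never appear in results or counts, combined with a role-based field projection, so the same contact renders differently for a landman, an AR clerk and an administrator. Each lookup is written to an append-only audit log that records denials even though the caller cannot distinguish a hidden record from a nonexistent one.

```python
"""Constructed access-control model: row restriction + field projection + audit.

Not Firm App code. Records, roles and policy tables below are sample data
invented for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Mapping, Optional

# Constructed sample contacts spanning three states.
CONTACTS: list[dict[str, Any]] = [
    {"id": 101, "name": "Lone Star Minerals", "state": "TX",
     "lease_terms": "3-yr primary term, 1/5 royalty",
     "payment_history": ["2024-01 paid", "2024-02 paid"],
     "legal_notes": "Title curative pending"},
    {"id": 102, "name": "Permian Family Trust", "state": "TX",
     "lease_terms": "5-yr primary term, 3/16 royalty",
     "payment_history": ["2024-01 paid"],
     "legal_notes": "None"},
    {"id": 201, "name": "Sangre de Cristo Ranch", "state": "NM",
     "lease_terms": "3-yr primary term, 1/4 royalty",
     "payment_history": ["2024-02 late"],
     "legal_notes": "Boundary dispute with neighbor"},
    {"id": 301, "name": "Red River Royalties", "state": "OK",
     "lease_terms": "Held by production",
     "payment_history": ["2024-01 paid", "2024-02 paid"],
     "legal_notes": "None"},
]

# Constructed field policy: role -> fields that role may see.
# A role missing from this table is granted nothing (deny by default).
FIELD_POLICY: dict[str, frozenset[str]] = {
    "admin": frozenset({"id", "name", "state", "lease_terms",
                        "payment_history", "legal_notes"}),
    "landman": frozenset({"id", "name", "state", "lease_terms"}),
    "ar_clerk": frozenset({"id", "name", "state", "payment_history"}),
}

# Append-only audit log (in memory here; a real system would persist it
# somewhere the application cannot rewrite).
AUDIT_LOG: list[dict[str, Any]] = []


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    # attribute -> allowed values, e.g. {"state": frozenset({"TX"})}.
    # An empty mapping means no row-level restriction.
    restrictions: Mapping[str, frozenset[str]] = field(default_factory=dict)


def row_visible(record: Mapping[str, Any], principal: Principal) -> bool:
    """Every restricted attribute must hold one of the allowed values."""
    return all(record.get(attr) in allowed
               for attr, allowed in principal.restrictions.items())


def project_fields(record: Mapping[str, Any], principal: Principal) -> dict[str, Any]:
    """Keep only the fields the principal's role is granted."""
    allowed = FIELD_POLICY.get(principal.role, frozenset())
    return {k: v for k, v in record.items() if k in allowed}


def _audit(principal: Principal, action: str, **detail: Any) -> None:
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "user": principal.user, "role": principal.role,
                      "action": action, **detail})


def search(principal: Principal, name_contains: str = "") -> list[dict[str, Any]]:
    """Row restriction is applied before matching, so hidden rows never
    match, never count, and never hint at their existence."""
    needle = name_contains.lower()
    results = []
    for rec in CONTACTS:
        if not row_visible(rec, principal) or needle not in rec["name"].lower():
            continue
        projected = project_fields(rec, principal)
        if projected:  # a role with no field grants gets nothing back
            results.append(projected)
    _audit(principal, "search", query=name_contains, returned=len(results))
    return results


def get_contact(principal: Principal, contact_id: int) -> Optional[dict[str, Any]]:
    """Direct fetch goes through the same checks. The caller sees None for
    both a hidden and a nonexistent id; only the audit log tells them apart."""
    for rec in CONTACTS:
        if rec["id"] != contact_id:
            continue
        if not row_visible(rec, principal):
            _audit(principal, "get_contact", id=contact_id, outcome="denied")
            return None
        _audit(principal, "get_contact", id=contact_id, outcome="ok")
        return project_fields(rec, principal)
    _audit(principal, "get_contact", id=contact_id, outcome="not_found")
    return None


if __name__ == "__main__":
    tx_landman = Principal("alice", "landman", {"state": frozenset({"TX"})})
    for row in search(tx_landman):
        print(row)
    print(get_contact(tx_landman, 201))  # NM record: None, same as a bad id
```

The ordering inside search is the security-relevant detail: the row filter runs before the name match and before any counting, which is what keeps a restricted user from learning that "Sangre" matches something they cannot open.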
Session Security
Access controls extend beyond initial login. We monitor and protect active sessions throughout their lifecycle.
Automatic Timeout
Inactive sessions expire automatically. Abandoned browsers don't become security holes.
Device Tracking
See where accounts are logged in. Identify suspicious access patterns.
Force Logout
Terminate sessions remotely when needed - lost devices, terminated employees, or suspicious activity.
Anomaly Detection
Unusual login patterns trigger alerts. Impossible travel, new devices, odd hours.
Complete Audit Trail
Every access, every action, permanently logged
Audit logs cannot be modified or deleted. They're your permanent record for compliance reviews, incident investigation, and security audits.
See Access Controls in Action
We'll walk through how to configure roles, permissions, and restrictions that match your organization's security requirements.