Best practices
Recommendations for secure role management
Designing a secure and efficient role system is crucial for protecting your data. Follow these best practices to keep your agency's access controls tight and manageable.
Principle of least privilege
This is the most important security rule: only give employees the exact permissions they need to do their job, and nothing more.
- Why: it minimizes accidental data loss (e.g., a junior agent accidentally deleting a trip) and limits the damage a compromised or misused account can do.
- How: start every employee from a basic role and add permissions only when they specifically request them for a valid task.
Use descriptive role names
Role names should clearly communicate their purpose at a glance. Avoid generic names like "Role 1" or "Test".
- Good examples: "Senior Agent", "Finance Manager", "Booking Coordinator"
- Bad examples: "Role 2", "New Role", "Temp"
A well-named role makes it immediately obvious what level of access it grants, which simplifies onboarding and audits.
Avoid sharing accounts
Every employee should have their own individual account. Sharing login credentials between team members undermines your entire security model.
- Accountability: when multiple people share an account, you cannot determine who performed a specific action in the Audit Logs.
- Revocation: if a shared account needs to be disabled, it affects everyone using it.
Separate duties for sensitive operations
Avoid giving a single role full control over both financial operations and user/role management. Splitting these responsibilities across different roles reduces the risk of misuse.
- Finance permissions (viewing balances, processing withdrawals) should be restricted to a dedicated finance role.
- Role management permissions (creating roles, assigning permissions) should be limited to administrators.
- National ID Vault access should only be granted to employees who specifically need it.
Regular audits
Review your roles periodically (e.g., every quarter).
- Does the 'Intern' role really need access to client data?
- Are there old test roles that should be deleted?
- Has an employee changed positions and now has permissions they no longer need?
A quick review every few months can catch permission drift before it becomes a security issue.
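One way to turn the separation-of-duties rule and the quarterly audit questions above into a repeatable check, as an added example that is not the product's own code: the permission identifiers, role names and employee records below are constructed assumptions, not values from the platform.

```python
"""Separation-of-duties and quarterly role-audit checks.

Added example, not code from the original page or product: permission
identifiers, role names and employees are constructed to mirror the
page's recommendations.
"""

# Permission groups the page says must never sit in the same role.
FINANCE = {"view_balances", "process_withdrawals"}
ROLE_ADMIN = {"create_roles", "assign_permissions"}

# Constructed role catalogue: role name -> permissions it grants.
ROLES = {
    "Finance Manager": {"view_balances", "process_withdrawals", "view_trips"},
    "Administrator": {"create_roles", "assign_permissions", "view_trips"},
    "Booking Coordinator": {"view_trips", "edit_trips"},
    "Intern": {"view_trips", "view_client_data"},
    "Temp": {"view_balances", "process_withdrawals", "assign_permissions"},
}

# Constructed employees: current role plus permissions still attached to the
# account directly (e.g. left over from a previous position).
EMPLOYEES = {
    "alice": {"role": "Booking Coordinator", "direct": set()},
    "bob": {"role": "Booking Coordinator", "direct": {"process_withdrawals"}},
    "carol": {"role": "Finance Manager", "direct": {"national_id_vault"}},
}


def sod_violations(roles):
    """Roles holding both finance and role-management permissions."""
    return sorted(n for n, p in roles.items() if p & FINANCE and p & ROLE_ADMIN)


def badly_named(roles):
    """Role names that say nothing about the access they grant."""
    generic = {"temp", "test", "new role"}
    return sorted(n for n in roles
                  if n.lower() in generic or n.lower().startswith("role "))


def permission_drift(roles, employees):
    """Per employee: permissions held beyond what the current role grants."""
    extra = {e: info["direct"] - roles[info["role"]] for e, info in employees.items()}
    return {e: sorted(p) for e, p in extra.items() if p}


def audit(roles=ROLES, employees=EMPLOYEES):
    """One audit pass; each finding maps to a review question on the page."""
    return {"sod_violations": sod_violations(roles),
            "badly_named": badly_named(roles),
            "drift": permission_drift(roles, employees)}


if __name__ == "__main__":
    for check, findings in audit().items():
        print(f"{check}: {findings}")
```

Run on a real export of your roles and employee assignments, the three findings are exactly the items a quarterly review should resolve: merge or split the offending role, rename it, and strip the leftover direct grants.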