Access Control Best Practices: Giving the Right People the Right Permissions

Why over-permissioning is a risk, and how to design role structures that protect sensitive student and staff data across your school's platforms.

Access control is one of the most practical and impactful data governance decisions a school makes. Get it right, and sensitive information stays protected, staff have what they need to do their jobs, and audits are straightforward. Get it wrong - most commonly by granting too much access to too many people - and the school faces both security risks and compliance exposure.

This guide is for school admins and IT managers responsible for configuring and maintaining user permissions in platforms such as ManageBac+, OpenApply, Atlas, and SchoolsBuddy. The principles here apply broadly, regardless of which systems your school uses.

The principle of least privilege: every user should have access to the minimum data and functionality they need to do their job - nothing more. This is the foundation of effective access control.

The Problem With Over-Permissioning

Over-permissioning - granting access beyond what a role requires - is the most common access control mistake in schools. It typically happens because it is easier to grant broad access than to configure it carefully, especially under time pressure during a system rollout.

The risks include:

  • Accidental data exposure - a teacher who can see all student medical records, not just those in their own classes
  • Unintended data modification - a staff member who can edit records they should only be able to view
  • Compliance risk - under GDPR, PDPA, and similar regulations, access to personal data must be limited to those with a legitimate need
  • Difficulty auditing - when permissions are loosely assigned, it becomes very hard to determine who accessed what data and when

Over-permissioning is also self-compounding: once broad access is granted, it tends to persist. Without an active review process, permissions granted during onboarding rarely shrink over time - they only grow.

Designing Role-Based Access

The most effective approach to access control in school platforms is role-based access control (RBAC): permissions are assigned to roles, and users are assigned to roles, rather than configuring permissions individually for each person.

Well-designed roles in a school context typically follow the pattern of job function plus data scope:

| Role Type | Typical Access Scope | Example |
|---|---|---|
| School Administrator | Full read/write across all modules in their remit | Registrar managing all student records |
| Department Head | Read/write for their department; read-only for school-wide data | Head of Maths viewing all Maths class data only |
| Class Teacher | Read/write for their own classes only | Teacher entering grades and attendance for assigned classes |
| Admissions Officer | Full access to applicant data; no access to enrolled student records | Admissions staff working in OpenApply only |
| Read-Only Viewer | View access to specific reports or dashboards only | School director reviewing aggregate academic data |

Roles should be defined before users are added to the system - not configured on the fly as each person is onboarded. This prevents inconsistency and makes future audits much simpler.
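The "job function plus data scope" pattern from the table above, sketched as a deny-by-default policy check. This is an added illustration, not code or configuration from any of the platforms named here; the resource types, scope names, and field names are assumptions chosen for the example.

```python
# Role -> list of (resource type, data scope, allowed actions).
# Anything not listed is denied. All names here are illustrative assumptions.
ROLES = {
    "School Administrator": [("student_record", "all", {"read", "write"})],
    "Department Head": [("student_record", "department", {"read", "write"}),
                        ("student_record", "all", {"read"})],
    "Class Teacher": [("student_record", "own_classes", {"read", "write"})],
    "Admissions Officer": [("applicant_record", "all", {"read", "write"})],
    "Read-Only Viewer": [("report", "all", {"read"})],
}

def in_scope(scope, user, resource):
    """Decide whether a resource falls inside the data scope of a grant."""
    if scope == "all":
        return True
    if scope == "department":
        dept = user.get("department")
        return dept is not None and resource.get("department") == dept
    if scope == "own_classes":
        return resource.get("class_id") in user.get("classes", ())
    return False  # unknown scope: deny

def is_allowed(user, action, resource):
    """Allow only if some grant on the user's role matches type, action and scope."""
    for rtype, scope, actions in ROLES.get(user["role"], []):
        if rtype == resource["type"] and action in actions \
                and in_scope(scope, user, resource):
            return True
    return False  # unknown role or no matching grant: deny

if __name__ == "__main__":
    # Constructed sample data
    teacher = {"role": "Class Teacher", "classes": {"9A-maths"}}
    own = {"type": "student_record", "department": "Maths", "class_id": "9A-maths"}
    other = {"type": "student_record", "department": "English", "class_id": "10B-eng"}
    print(is_allowed(teacher, "write", own))   # own class
    print(is_allowed(teacher, "read", other))  # someone else's class
```

Because the roles live in one table, the written role definitions and the enforced ones can be reviewed side by side.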

Conducting a Permissions Audit

A permissions audit is a scheduled review of who has access to what, and whether that access is still appropriate. Schools that conduct regular audits catch permission drift - the gradual accumulation of access rights that no longer reflect a person's current role - before it becomes a compliance issue.

A basic permissions audit should cover:

  • Active users - confirm that everyone with an active account is still employed at the school in the relevant role
  • Role accuracy - verify that each user's assigned role matches their current job function
  • Elevated permissions - review any users with administrator or super-user access and confirm this level is still required
  • Inactive accounts - identify accounts that have not been accessed in the past 90 days and investigate whether they should be deactivated
  • Shared accounts - flag any accounts shared between multiple people, which make auditing and accountability impossible

Aim to conduct a full permissions audit at least once per academic year - ideally at the start, when staff changes are most common. A lighter mid-year review is also worthwhile for large schools.
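The audit checklist above, run against a user export and a staff roster. This is an added example, not a feature or export format of any platform named in this article; the field names, the set of elevated roles, and the shared-account naming hints are assumptions, and all sample data is constructed.

```python
from datetime import date, timedelta

INACTIVE_DAYS = 90                          # threshold from the checklist above
ELEVATED_ROLES = {"School Administrator"}   # assumption: roles treated as elevated
SHARED_HINTS = ("shared", "office", "generic")  # assumption: naming hints

# Constructed HR roster: staff id -> current job function (None = has left)
ROSTER = {"s01": "Class Teacher", "s02": "Department Head",
          "s03": None, "s04": "Admissions Officer"}

# Constructed platform export: one dict per active account
ACCOUNTS = [
    {"login": "a.khan", "staff_id": "s01", "role": "Class Teacher",
     "last_login": date(2024, 8, 20)},
    {"login": "m.ortiz", "staff_id": "s02", "role": "School Administrator",
     "last_login": date(2024, 8, 28)},
    {"login": "j.lee", "staff_id": "s03", "role": "Class Teacher",
     "last_login": date(2024, 3, 1)},
    {"login": "p.novak", "staff_id": "s04", "role": "Admissions Officer",
     "last_login": date(2024, 4, 15)},
    {"login": "office-shared", "staff_id": None, "role": "Read-Only Viewer",
     "last_login": date(2024, 8, 30)},
]

def audit(accounts, roster, today):
    """Return {login: [findings]} for accounts that fail any audit check."""
    findings = {}
    for acct in accounts:
        issues = []
        sid = acct["staff_id"]
        if sid is None or any(h in acct["login"].lower() for h in SHARED_HINTS):
            issues.append("shared-or-unowned")      # no single accountable person
        elif roster.get(sid) is None:
            issues.append("not-current-staff")      # active account, owner has left
        elif roster[sid] != acct["role"]:
            issues.append("role-mismatch")          # role differs from job function
        if acct["role"] in ELEVATED_ROLES:
            issues.append("elevated-review")        # confirm still required
        if today - acct["last_login"] > timedelta(days=INACTIVE_DAYS):
            issues.append("inactive")               # candidate for deactivation
        if issues:
            findings[acct["login"]] = issues
    return findings

if __name__ == "__main__":
    for login, issues in audit(ACCOUNTS, ROSTER, date(2024, 9, 1)).items():
        print(f"{login}: {', '.join(issues)}")
```

Each finding is a prompt for a human decision rather than an automatic action: an elevated account may be legitimate, and an inactive one may belong to someone on leave.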

Sensitive Data Categories That Warrant Extra Care

Not all data carries the same risk. Some categories of student and staff information require tighter access controls than standard academic records. In most jurisdictions, these include:

  • Medical and health information - allergies, conditions, medications; access should be limited to designated welfare staff and relevant teachers
  • Learning support and SEND records - special educational needs documentation; typically restricted to the SENCO, relevant teachers, and the student's parents
  • Behavioural and pastoral records - incident logs and counselling notes; access should follow a clear policy rather than being available to all staff
  • Financial information - fee status and payment records; typically restricted to finance and senior administration
  • Applicant personal data - in OpenApply, applicant information before enrolment should be accessible only to admissions staff, not the broader school community

Review whether your current platform configurations appropriately restrict access to these categories. FariaSupport can advise on specific permission settings within your platform setup.

Tips and Considerations

  • Never use shared or generic accounts - every user should have their own login; shared accounts make it impossible to track who accessed or changed data
  • Document your role definitions - a written record of what each role can and cannot access is essential for audits and for onboarding new staff consistently
  • Treat temporary staff carefully - supply teachers, contractors, and short-term staff should receive time-limited access that expires or is reviewed promptly at the end of their engagement
  • Log and monitor where possible - many platforms provide access logs; enable and review these periodically, particularly for users with elevated permissions

In Summary

  • Apply the principle of least privilege: every user gets the minimum access needed for their role, nothing more.
  • Design role-based access structures before onboarding users - not on an ad-hoc basis per person.
  • Conduct a full permissions audit at least annually, and a lighter mid-year review for large schools.
  • Apply extra restrictions to sensitive data categories including health, SEND, pastoral, and financial records.

Well-configured access control in ManageBac+, OpenApply, Atlas, and SchoolsBuddy protects student and staff data and makes your school significantly more defensible in the event of a compliance review. Contact FariaSupport for guidance on role configuration within your specific platform setup.
