After researching what customisability meant for our different clients, we concluded that organisations needed the ability to create and assign custom roles to their users, ensuring precise access control. To start, I brainstormed where this feature would fit within the platform, identifying the User Management settings page as the most appropriate location, and envisioned how the flow might look.
In the initial phase, I sketched various wireframes and shared them with the wider team for input and feedback. I focused on two critical aspects of the flow:
1. Deleting a Role: I designed a feature allowing users to choose a replacement role for any role they wanted to delete if it was currently in use. This way, users wouldn’t need to manually reassign roles before deleting an obsolete one.
2. Restricted Access: For users trying to access something beyond their permissions, we initially considered a dynamic approach based on the specific action. However, to deliver quickly, we opted for a ‘warning’ page. This page informs the user that they lack the necessary permissions, specifies which permissions are required, and provides information on who to contact for access.
These solutions were designed to streamline the user experience while maintaining robust access control and customisability.
As we explored the different permissions available for each role, we realised the list was growing unwieldy. To manage this effectively, we categorised the permissions into Supplier Permissions, Client Permissions, Settings Permissions, and Federated Permissions for organisations with federated accounts. We also added a search function for users to quickly find specific permissions.
To streamline the process further, when users click the ‘create role’ button, they see a list of predefined roles that they can use as templates. This makes it faster and easier to set up roles by allowing users to review and tweak only the specific permissions they need.
This implementation was not only for our clients but also for our internal Risk Ledger accounts, where our internal users could perform additional admin-related actions. Throughout the implementation phase, I received invaluable feedback from our engineers and product manager, which was incorporated at various stages to ensure a smooth rollout of the feature.
Although the feature was initially hard to find, as many users don’t visit the Settings page frequently, those who discovered it used it with great success. I participated in several client calls, both for training and research, and received positive feedback on the ability to perform detailed actions. While there is still room for improvement, particularly around the permission-setting step, the first iteration of this advanced customisability was well-received by both clients and our internal team.
