Controlling Access in Membership Systems
23 January 2017 by Michael Stannard, Senior Developer
One of the biggest challenges in building a membership system is in managing user permissions.
Depending on the size and scope of your organisation, you may have very different needs in terms of controlling access to content and functionality.
With a large membership that is split into 'tiers', for instance junior vs. senior members, your website might be organised so that the permissions model can be understood intuitively:
- The public facing website is accessible to everyone.
- Members then log into a 'Members' Area' where they can manage their account and subscription payments, and see unrestricted features.
- There may then be areas within that such as forums, directories of member contact information and other benefits which are only visible to certain categories of member.
- Finally, there may be designated senior members who also need features to help them run the organisation as a whole, for instance meeting diaries. These may need to be very carefully secured if they involve commercially sensitive or personal information.
On top of this, you may then need to include additional layers of 'roles' for website administrators, who might only manage specific features (for example forum moderators or content editors).
These may or may not match up to the membership categories - an administrator might not even be a member at all - so you would need to be consistent about how you let admin rights grant access to areas that a user otherwise wouldn't be able to see.
This is one of the most common ways that loopholes get introduced - a certain combination of rights might give access that doesn't match up to your organisation's rules.
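As an added example (not code from the original post), the following Python model keeps membership tier and administrative role as two separate axes, denies anything not explicitly granted, and enumerates every tier/role combination so that a rule such as "admins can see everything in the members' area" shows up as a loophole before it reaches production. The area names, tiers and roles are constructed for this illustration.

```python
"""Added example: a deny-by-default permissions model for a membership site.

Membership tier and administrative role are kept as separate axes so that
an admin role never silently unlocks member-only content. The tiers, roles
and area names below are constructed for this example.
"""
from dataclasses import dataclass
from itertools import combinations, product
from typing import Optional

TIERS = (None, "junior", "senior", "officer")   # None = not a member at all
ROLES = ("forum_moderator", "content_editor")   # admin roles, independent of tier


@dataclass(frozen=True)
class User:
    tier: Optional[str] = None          # membership tier, None for non-members
    roles: frozenset = frozenset()      # admin roles held by this account


# Explicit grants per area. Each rule is either a set of tiers or a set of
# roles; an area is granted if ANY rule matches. Unlisted areas are denied.
POLICY = {
    "public":           [("tier", set(TIERS))],                    # everyone
    "members_area":     [("tier", {"junior", "senior", "officer"})],
    "member_directory": [("tier", {"senior", "officer"})],         # senior only
    "meeting_diary":    [("tier", {"officer"})],                   # runs the organisation
    "forum_moderation": [("role", {"forum_moderator"})],
    "content_editing":  [("role", {"content_editor"})],
}


def strict_can_access(user: User, area: str) -> bool:
    """Deny by default: grant only when an explicit rule for the area matches."""
    for kind, allowed in POLICY.get(area, []):
        if kind == "tier" and user.tier in allowed:
            return True
        if kind == "role" and user.roles & allowed:
            return True
    return False


def naive_can_access(user: User, area: str) -> bool:
    """The loophole: 'anyone with an admin role can see the members' area'.

    A content editor who is not a member now reads the member directory.
    """
    if user.roles:
        return True
    return strict_can_access(user, area)


def audit(check) -> list:
    """Enumerate every tier/role combination and every area, and return the
    (tier, roles, area) triples where `check` disagrees with the strict policy.
    An empty list means the checker matches the organisation's rules exactly."""
    role_sets = [frozenset(c) for n in range(len(ROLES) + 1)
                 for c in combinations(ROLES, n)]
    findings = []
    for tier, roles in product(TIERS, role_sets):
        user = User(tier, roles)
        for area in POLICY:
            if check(user, area) != strict_can_access(user, area):
                findings.append((tier, tuple(sorted(roles)), area))
    return sorted(findings, key=str)


if __name__ == "__main__":
    for tier, roles, area in audit(naive_can_access):
        print(f"loophole: tier={tier!r} roles={roles} wrongly reaches {area}")
```

The audit is the part worth keeping: whenever a new role or tier is added, re-running it over all combinations catches the cases where a stacked set of rights grants more than the organisation intended.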
This is why it's so important to spend time working out what different stakeholders must get out of your membership system, so that everyone can be given the features which fit their needs without compromising on security.