The Playbook · 2026-07-08

Roles and permissions

by Paul Bappoo

What this is and where it shows up

Every app has users. But not every user should be able to do the same things.

Roles and permissions are how you draw those lines. A role is a label — Admin, Manager, Customer, Staff, Guest. A permission is a rule attached to that label — can view, can edit, can delete, can approve. Put them together and you get a simple truth: who is allowed to do what.

You'll find this in nearly every app worth building. An internal tool where managers approve timesheets but staff only submit them. A client portal where customers see their own data and nobody else's. A SaaS product where free users get basic features and paid users get more. A marketplace where buyers and sellers have entirely different experiences.

The mechanics change, but the question is always the same: if this person clicks that button or visits that page, should the app allow it?

When the answer to that question isn't built deliberately — when it's left to chance, or assumed, or just not thought about — you don't have an app anymore. You have a liability.

Read the rest — free

Free membership unlocks the full article and the PDF download — plus the rest of the series as it lands.

Building something with AI?

Take the free AI Mandate Self-Score at bappoo.com/?selfscore. Or email paul@bappoo.com for a personal review of what you've built — or what you're thinking of building — before it gets expensive.

These articles are general information and opinion, not professional advice. Verify anything important for your own situation — full disclaimer.