Access & Permissions for Law-Firm Data Rooms

Great permissions feel invisible to reviewers and obvious to auditors. This guide gives law-firm teams a clear, copy-paste model for roles, ethical walls, least-privilege habits, and clean off-boarding. It is written for partners, associates, and IT so everyone can run the same playbook.

The 5 roles you actually need

Keep the role model small. Five roles cover almost every matter:

  • Owner (firm): Sets standards, creates rooms, manages platform settings, and runs the final archive.
  • Manager (matter lead): Designs the folder tree, approves invites, handles exceptions, and signs off at close.
  • Contributor (client): Uploads to specific folders, cannot change structure or permissions.
  • Viewer – Internal: Firm users who need read access for advice and drafting.
  • Viewer – External: Counterparties, bidders, lenders, and regulators with read access only unless a logged exception applies.

Small role sets speed up onboarding and make audits easier to follow.

Ethical walls 101

Ethical walls exist to separate matters and counterparties so that people only see what they should. The cleanest approach is one room per matter, with groups that mirror the outside world.

[ Matter A ]             [ Matter B ]
 Client A group          Client B group
 Bidder A group          Bidder B group
 Regulator A (if any)    Regulator B (if any)

 Optional: a tiny "Public to all invitees" folder for generic notices only

Avoid recycling old rooms to “save time.” Reuse leads to hidden invites and inherited access that is hard to untangle.

Least-privilege in practice

Least-privilege is not a slogan. It is a list of small habits that keep access tidy without slowing the deal.

  • Create groups per counterparty (and per regulator if relevant); grant to groups, not individuals.
  • Never grant at the root. Apply rights at the first meaningful folder so boundaries are clear.
  • Use Viewer – External as the default; elevate only when there is a concrete need.
  • Time-box elevations. When someone needs more access, put an expiry date on it and review next week.
  • Add click-through notices on sensitive subfolders to restate NDA limits.
  • Require multi-factor authentication for every account, internal and external; prefer phishing-resistant methods. The UK National Cyber Security Centre explains which MFA types stand up best in practice.
  • Run a weekly permissions review during heavy phases; fix over-broad access and clean up stale invites on the spot.

If you want a simple reference to convince skeptics, point to the Center for Internet Security’s guidance on Access Control Management, which emphasises granting and revoking rights through a clear process.

Inviting and de-provisioning

A good invitation flow is predictable and quick. Treat removal with the same care as access grants.

Inviting counterparties (checklist)

  • Collect name, email, organisation, and the group they belong to.
  • Validate the email domain and confirm the group mapping with the Manager.
  • Send named invites only. Avoid open links unless a regulator mandates them.
  • Set Viewer – External as the default role.
  • Include a short welcome note: where to start, the download policy in two lines, and who to contact for help.
  • Verify the first login: the user lands in the right starting folder and can open a common file.

De-provisioning at milestones or close (checklist)

  • Remove users who drop out or switch sides; disable links they used.
  • Freeze uploads at close; export the folder index, Q&A, and activity logs.
  • Archive a ZIP of the final folders with filenames exactly as reviewers saw them.
  • Save exports into the DMS with a short reader’s guide and revoke all external access.
  • Record any exceptions you granted during the matter and who approved them.

If your stakeholders prefer a formal framework, the Cloud Security Alliance’s Cloud Controls Matrix maps identity and access controls to widely used practices and can back up your process notes.

Common permission traps

Five patterns create most permission incidents. Spot them early.

  1. Inherited access: granting at the root makes every new folder visible by accident. Grant lower in the tree.
  2. Link forwarding: personal invites reduce forwarding risk. Add link expiry so stray links die quietly.
  3. Guest re-use across matters: never recycle guests from Matter A into Matter B. Create fresh groups every time.
  4. Forgotten MFA: one user without MFA is where attackers start. Make MFA a hard requirement, then check it (NCSC).
  5. Stale admins: people move on. Keep the Owner and Manager lists short and current.
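
The weekly permissions review from the least-privilege habits, checked against the traps above, can be run as a script over a room's exports. This is an added example, not part of the original guide or of any data-room product: the Grant and Account fields, the rule names, and the sample rows are assumptions, and a real platform's export would need mapping onto them.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
DEFAULT_EXTERNAL_ROLE = "Viewer – External"

@dataclass
class Grant:                    # one row of a hypothetical permissions export
    principal: str              # group name; an "@" marks a direct grant to a person
    external: bool
    role: str
    folder: str                 # "/" is the room root
    expires: Optional[date] = None
    exception_id: Optional[str] = None  # entry in the exception log, if any

@dataclass
class Account:                  # one row of a hypothetical user export
    email: str
    external: bool
    mfa_enrolled: bool
    matters: tuple              # rooms in which the account holds an invite

def weekly_review(grants, accounts, today):
    findings = []               # (rule, subject) pairs, one per violated habit
    for g in grants:
        elevated = g.external and g.role != DEFAULT_EXTERNAL_ROLE
        checks = {
            "root-grant": g.folder.strip("/") == "",
            "individual-grant": "@" in g.principal,
            "unlogged-elevation": elevated and g.exception_id is None,
            "elevation-without-expiry": elevated and g.expires is None,
            "expired-grant": g.expires is not None and g.expires < today,
        }
        findings += [(rule, g.principal) for rule, hit in checks.items() if hit]
    for a in accounts:
        if not a.mfa_enrolled:
            findings.append(("no-mfa", a.email))
        if a.external and len(set(a.matters)) > 1:
            findings.append(("guest-reused-across-matters", a.email))
    return findings

# Constructed sample export, not taken from any real room.
GRANTS = [
    Grant("Bidder A", True, DEFAULT_EXTERNAL_ROLE, "/02 Financials"),
    Grant("Bidder B", True, DEFAULT_EXTERNAL_ROLE, "/"),
    Grant("j.doe@bidder-a.example", True, "Contributor", "/03 HR", date(2024, 6, 3)),
]
ACCOUNTS = [Account("j.doe@bidder-a.example", True, False, ("Matter A", "Matter B")),
            Account("associate@firm.example", False, True, ("Matter A", "Matter B"))]
FINDINGS = weekly_review(GRANTS, ACCOUNTS, date(2024, 6, 10))
print(*FINDINGS, sep="\n")
```

Internal firm accounts on several matters are not flagged; only external guests are held to the one-matter rule.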

One-pager template (copy-paste)

Use this matrix as your default. Adapt only when the matter truly needs it.

Roles

Role                 | Who it is                           | Default access
Owner (firm)         | IT or legal ops                     | Full control; platform and archive
Manager (lead)       | Matter lead or delegate             | Structure, invites, exceptions
Contributor (client) | Named client uploaders              | Upload to defined folders only
Viewer – Internal    | Firm team members                   | Read access to the team’s folders
Viewer – External    | Counterparties, lenders, regulators | Read access to allocated folders only

Permission rules

Action / Area | Owner | Manager | Contributor | Viewer – Internal | Viewer – External
Create folders
Upload files
Edit/delete files: Limited*
View sensitive HR/PII subfolder: Limited†, Limited†, Limited†
Download policy | Policy owner | Enforces | N/A | Follows | Follows

* Limited = only within assigned upload folders.
† Limited = named reviewers only with documented need; defaults to view-only.

Group model

  • Groups: Client, Bidder A, Bidder B, Lender, Regulator.
  • Grant at the first meaningful folder, never at the root.
  • Add a small “Public to all invitees” folder only if the process requires it, and keep it empty by default.

Least-privilege settings

  • Default role for new external users: Viewer – External.
  • Elevate access temporarily with an expiry date.
  • Require MFA for all accounts; prefer phishing-resistant methods.
  • Use link expiry everywhere; renew only when needed.
  • Keep a simple exception log: user, folder, reason, approver, expiry.
  • Run a weekly review during diligence; remove stale invites and reduce over-broad access.

Invite workflow

  1. Manager submits names, emails, and groups.
  2. Owner validates domains and issues named invites.
  3. Welcome note explains structure and the download policy.
  4. First-login check confirms the user lands in the right place.

Close-out workflow

  1. Freeze uploads and permissions.
  2. Export index, Q&A, and activity logs.
  3. Archive final folders and store exports in the DMS.
  4. Remove all external users; disable every link.
  5. File a one-page reader’s guide and the exception log.

Summary

Access and permissions for a legal data room do not need dozens of custom roles. A compact model with clear groups, least-privilege defaults, MFA, and predictable invites will carry most matters. Back it with tidy exports at close and you will have a process that clients, counterparties, and auditors can understand at a glance. The details above give you a starting template; adjust only where the matter genuinely requires it, then apply the same discipline every time.