Building permissions into your application the right way from day one
You've seen it before. Maybe you've even built it.
One login. One password. Everyone uses the same credentials. You track "who did what" by IP address and hope for the best.
It works... until it doesn't. And when it fails, it fails hard.
The Problem with Shared Accounts
Shared account authentication is the path of least resistance during development. One set of credentials, no user management, ship it and move on.
But here's what you're actually building:
-
No accountability - You can't tell who did what. The audit log says "admin" performed an action, but which human was that?
-
IP tracking is worthless - DHCP leases change. People move desks. VPNs exist. Remote work happened.
-
One breach = total breach - If credentials leak, everyone's access is compromised. You can't revoke access for one person without changing the password for everyone.
-
No least-privilege - Everyone has the same access level. The intern has the same permissions as the senior engineer.
-
Audit trails are fiction - When regulators or security teams ask "who accessed this data?", you're guessing.
I recently wrote up a full proposal document breaking down exactly why this model fails and how to fix it. This post covers the key points.
The Fix: Per-User Authentication with Role-Based Access
The solution isn't complicated. It's just more work upfront. Every user gets:
- Their own credentials - Unique username and password
- An assigned role - Viewer, Editor, Admin, etc.
- Environment-specific permissions - Different access in DEV vs PROD
What This Gets You
| Shared Account | Per-User + Role |
|---|---|
| "Someone" did it | user1 did it at 2:47 PM |
| Can't revoke one person | Disable one account instantly |
| Everyone has full access | Least-privilege enforced |
| IP-based guessing | Identity-based certainty |
| Audit log is useless | Full accountability trail |
How It Works in Practice
Login Validation Flow
When a user logs in, the system validates:
- Credentials - Is the username/password correct?
- Role authorization - Is this user allowed to request this permission level?
- Environment access - Can this user access this environment (DEV/TEST/PROD)?
If any check fails, access is denied and the attempt is logged. No fallback to a shared account. No "well, they got the password right so let them in."
Role Capabilities
Roles should be additive and clearly defined:
| Role | Read | Write | Delete | Admin |
|---|---|---|---|---|
| Viewer | Yes | No | No | No |
| Editor | Yes | Yes | No | No |
| Manager | Yes | Yes | Yes | No |
| Admin | Yes | Yes | Yes | Yes |
A Viewer can look but not touch. An Editor can modify but not destroy. This is least-privilege in action.
Environment-Specific Roles
Here's the part most devs miss: a user's role can differ by environment.
| User | DEV | TEST | PROD |
|---|---|---|---|
| user1 | Editor | Editor | Viewer |
| user2 | Admin | Admin | Editor |
| user3 | Viewer | Viewer | None |
user1 can break things in DEV all day. But in PROD? Read-only. This is intentional. Production should always carry the most restrictive access.
If user1 tries to log into PROD as Editor, the system denies access and logs the attempt. Under a shared account model, this escalation attempt would be invisible.
What Gets Logged
With individual accounts, every action generates a log entry tied to a specific person:
2026-02-12 09:15:32 | user1 | PROD | Viewer | LOGIN_SUCCESS
2026-02-12 09:16:01 | user1 | PROD | Editor | LOGIN_DENIED (unauthorized role)
2026-02-12 09:45:12 | user2 | PROD | Editor | RECORD_UPDATED | record_id=4521That second line is critical. user1 tried to escalate to Editor in PROD but was denied. You now have visibility into attempted privilege escalation. With shared accounts, you'd never know this happened.
Implementation Considerations
Before you start coding, answer these questions:
- User Provisioning - Who creates accounts? Self-service? Admin-only? Tied to Active Directory/LDAP?
- Password Policy - Complexity requirements? Rotation? MFA support?
- Role Assignment - Who decides which users get which roles? Approval workflow?
- Session Management - Timeout thresholds? Concurrent session limits? Forced logout on role change?
- Migration Plan - How do you move from shared accounts without breaking current operations?
TL;DR
| Question | Answer |
|---|---|
| Why are shared accounts bad? | No accountability, no least-privilege, one breach = total breach |
| What's the fix? | Per-user credentials with role-based access control |
| What about IP tracking? | Useless. DHCP, VPNs, and remote work killed it. |
| Should roles differ by environment? | Yes. PROD should always be most restrictive. |
| Is this more work? | Yes. But the alternative is a security incident waiting to happen. |
Resources
- Full Proposal Document - Complete breakdown with mockups and validation flow
- OWASP Authorization Cheat Sheet - Industry best practices
- NIST Digital Identity Guidelines - Federal standards for authentication