When you are the only person at your firm, permissions do not matter. You see everything because there is nothing to hide from yourself. The moment you add a second person — a paralegal, a virtual assistant, a contract attorney, a part-time bookkeeper — the question of who should see what becomes real.
And most small firm attorneys answer that question wrong. They either give everyone full access to everything (the path of least resistance) or restrict access so aggressively that staff cannot do their jobs without asking the attorney to look something up every hour (the path of maximum frustration).
Both approaches create problems. Full access means your virtual assistant can see every client's financial records, your paralegal can read engagement letters for matters they are not working on, and anyone with access to your practice management system can see your firm's revenue numbers. Excessive restriction means every task requires your involvement, which defeats the purpose of having staff.
Role-based access is the solution: define what each role needs to see and do, configure your software accordingly, and let people work independently within appropriate boundaries.
Why This Matters More Than You Think
Ethical Obligations
Rule 1.6 of the Model Rules of Professional Conduct requires attorneys to make reasonable efforts to prevent unauthorized disclosure of client information. "Reasonable efforts" includes controlling access to client data within your own firm.
If your paralegal has unrestricted access to every matter in your system — including matters they are not working on — and accidentally (or intentionally) discloses information from a matter they should not have accessed, you have an ethics problem. Not because the paralegal violated a rule (they are not bound by the Rules of Professional Conduct), but because you failed to implement reasonable safeguards.
This is especially important when matters involve sensitive information: trade secrets, medical records, financial data, domestic violence situations, or matters where the existence of the representation itself is confidential.
Practical Risk Reduction
Beyond ethics, access control reduces practical risks:
- Accidental modifications. A staff member working in the wrong matter file can accidentally modify or delete documents from a case they are not involved in.
- Data exposure during offboarding. When a staff member leaves your firm, knowing exactly what they had access to is important. If they had access to everything, your exposure assessment is "everything."
- Scope creep. Without defined access boundaries, staff members may take actions they are not authorized to take — not out of malice, but because the system allowed it and the boundaries were never communicated.
Warning
When a staff member leaves your firm, revoke their access immediately. Not tomorrow. Not after they return the laptop. Immediately. The delay between a departure and access revocation is a window of risk that is entirely preventable.
Common Roles and What They Need
Attorney (Full Access)
The managing attorney or sole practitioner typically needs access to everything: all matters, all contacts, all financial data, all administrative settings. This is the administrative role. In a solo practice, this is you.
In a multi-attorney firm, each attorney needs full access to their own matters and may need limited access to other attorneys' matters (for cross-coverage, for example). Sensitive matters — where one attorney is representing a client adverse to another attorney's client within the same firm — require ethical walls, which are the strictest form of access control.
Paralegal
A paralegal working on specific matters needs access to those matters: documents, contacts, calendar events, tasks, and communications within the matters they are assigned to. They typically do not need access to:
- Matters they are not assigned to
- Firm-level financial reports and revenue data
- Billing rates and fee agreement details (unless they handle billing)
- Administrative settings and user management
- Other staff members' time entries and performance data
The key principle: a paralegal should be able to do everything their job requires without needing to ask the attorney to look something up, but they should not be able to access information outside their scope of responsibility.
Virtual Assistant
A virtual assistant typically handles scheduling, phone calls, basic correspondence, and administrative tasks. They need access to:
- Calendar (to schedule and confirm appointments)
- Contact information (to look up client phone numbers and emails)
- Task lists (to track their own assignments)
- Matter names and basic status (to answer client questions like "is my file still active?")
They typically do not need access to:
- Document contents within matters
- Financial records, billing data, or trust account information
- Privileged communications
- Detailed matter notes and case strategy
Bookkeeper or Accountant
A bookkeeper needs access to financial data: invoices, payments, trust account transactions, operating account transactions, and financial reports. They do not need access to the substance of any matter — the legal work, the documents, the client communications, or the case strategy.
This role highlights why matter-level financial data should be separable from matter-level legal data. A bookkeeper reviewing your accounts receivable does not need to read the engagement letter to know that a client owes money.
Contract Attorney
A contract attorney working on specific matters needs access to those matters only. Their access should be equivalent to a paralegal's access on the assigned matters and zero access to anything else. When the engagement ends, their access is revoked entirely.
Tip
Document your access decisions. A simple table showing each role, what they can access, and what they cannot access serves two purposes: it guides your software configuration, and it demonstrates to any future ethics inquiry that you made deliberate, reasonable access control decisions.
Configuring Access in Practice Management Software
Most modern practice management platforms support some form of role-based access control. The specifics vary by platform, but the general approach is consistent.
User Roles
Create a role for each category of user at your firm. Most platforms come with default roles (Administrator, Attorney, Paralegal, etc.) that you can customize. Review the default permissions for each role and adjust them to match your access decisions.
Matter-Level Permissions
Some platforms allow you to set permissions at the matter level — meaning you can grant or restrict access to specific matters for specific users. This is important for:
- Ethical walls: Preventing an attorney or staff member from accessing a matter that creates a conflict
- Sensitive matters: Restricting access to matters involving particularly sensitive information
- Contract staff: Granting temporary access to specific matters for the duration of an engagement
Feature-Level Permissions
Beyond matter access, platforms typically allow you to control access to specific features:
- Billing and financial reports: Restrict to attorneys and bookkeeper
- Administrative settings: Restrict to the managing attorney
- User management: Restrict to the managing attorney
- Client portal settings: Restrict to the managing attorney or designated administrator
- Report generation: Restrict based on report type (financial reports to bookkeeper, matter reports to assigned staff)
The Configuration Process
- List every user who accesses your practice management system
- Assign each user to a role (attorney, paralegal, virtual assistant, bookkeeper, contract attorney)
- For each role, define access to matters, features, and data categories
- Configure the software to match your access decisions
- Test by logging in as each role and verifying that the access matches your design
- Document the configuration for reference and for onboarding new staff
Ethical Walls
An ethical wall (also called a "screen" or "Chinese wall") is the strictest form of access control. It prevents a specific person from accessing any information about a specific matter — typically because their access would create a conflict of interest.
The most common scenario: your firm hires a paralegal who previously worked at a firm that represented a party adverse to one of your clients. The paralegal may have confidential information about the adverse party from their previous employment. An ethical wall prevents the paralegal from accessing any matter involving that adverse party at your firm.
An ethical wall requires:
- System-level access restriction. The screened person cannot access the matter in your practice management system. They cannot view documents, contacts, calendar events, or any other matter data.
- Physical or practical separation. The screened person should not be present for discussions about the matter. They should not have access to physical files related to the matter.
- Documentation. The wall should be documented in writing, including the reason for the wall, the person screened, the matters affected, and the date the wall was implemented.
- Acknowledgment. The screened person should acknowledge in writing that they understand the wall and their obligation not to access information about the affected matters.
If your practice management platform does not support matter-level access restrictions, you have a gap in your ethical wall infrastructure. This is a meaningful limitation that should factor into your platform selection.
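The access model described in the configuration section and the ethical-wall rules above, written out as a small policy checker. This is an added illustration, not code from any practice management product; the role names, feature names, matter ids and staff are assumed or constructed. It shows the order a platform should apply the rules in: an ended engagement or a wall denies everything, then the role's feature set applies, then matter assignment limits matter-scoped roles.

```python
from dataclasses import dataclass

# Matter-level work product, seen by attorneys, paralegals and contract attorneys on their matters.
MATTER_WORK = {"documents", "notes", "contacts", "calendar", "tasks", "status"}
# Feature set per role, following the article's role descriptions (role names are assumed).
ROLE_FEATURES = {
    "attorney": MATTER_WORK | {"billing", "financial_reports", "admin", "user_management"},
    "paralegal": MATTER_WORK,
    "contract_attorney": MATTER_WORK,
    "virtual_assistant": {"contacts", "calendar", "tasks", "status"},
    "bookkeeper": {"billing", "financial_reports"},
}
MATTER_FEATURES = MATTER_WORK | {"billing"}   # features that only make sense inside a matter
MATTER_SCOPED = {"paralegal", "contract_attorney", "virtual_assistant"}  # assigned matters only

@dataclass
class User:
    role: str
    matters: frozenset = frozenset()  # assigned matter ids
    active: bool = True               # set False the moment someone leaves

def can_access(users, walls, name, feature, matter=None):
    """Deny by default. walls is a set of (name, matter) pairs; a wall beats role and assignment."""
    user = users.get(name)
    if user is None or not user.active or (name, matter) in walls:
        return False
    if feature not in ROLE_FEATURES.get(user.role, set()):
        return False
    if feature in MATTER_FEATURES:
        if matter is None or (user.role in MATTER_SCOPED and matter not in user.matters):
            return False
    return True

def exposure(users, walls, name, all_matters):
    """Matters whose documents this user can read: the offboarding exposure assessment."""
    return {m for m in all_matters if can_access(users, walls, name, "documents", m)}

# Constructed sample firm, not real data: a paralegal screened from M-101, a virtual
# assistant, a bookkeeper, and a contract attorney whose engagement has already ended.
USERS = {
    "alice": User("attorney"),
    "pat": User("paralegal", frozenset({"M-100", "M-101"})),
    "val": User("virtual_assistant", frozenset({"M-100", "M-101", "M-102"})),
    "bo": User("bookkeeper"),
    "cara": User("contract_attorney", frozenset({"M-102"}), active=False),
}
WALLS = {("pat", "M-101")}
```

Running `exposure` for each user is the "log in as each role and verify" step from the configuration process, and the same call answers the offboarding question of exactly which matters a departing person could see.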
Common Mistakes
Giving everyone admin access. The default when adding a new user is often to give them the same access level as the last person you added — which is often full administrative access. Every new user should be added at the minimum required access level and elevated only if their role requires it.
Not reviewing access when roles change. A paralegal who is promoted to office manager needs different access — potentially more administrative access but potentially less matter-specific access. A staff member who transfers from one practice group to another needs access to different matters. Access should be reviewed whenever a role changes.
Forgetting about shared accounts. If multiple people share a login (which you should avoid entirely), access control is meaningless. Every person who accesses your systems should have their own account with their own credentials and their own permissions.
Ignoring cloud storage permissions. If your document management is separate from your practice management system — for example, you use Google Drive for documents and Clio for matter management — the access controls must be consistent across both systems. Restricting a paralegal from a matter in Clio while leaving the matter folder in Google Drive accessible to everyone defeats the purpose.
Not training staff on boundaries. Access control is a technical measure, but it works best with a cultural complement. Staff should understand why access is restricted — not as a lack of trust, but as an ethical and professional obligation. When people understand the reason, they are more likely to respect boundaries even when the technology does not enforce them perfectly.
Getting Started
If you currently have staff with unrestricted access to your systems, here is how to implement role-based access without disrupting operations.
- Audit current access. Log into your practice management platform as an administrator and review what each user can currently access.
- Define roles and permissions on paper. Before changing any settings, decide what each role should access. Get this right on paper before you touch the software.
- Communicate changes. Tell your team what is changing and why. "I'm implementing access controls to comply with our ethical obligations and protect client information" is the right framing. Not "I don't trust you."
- Implement changes during a low-activity period. Do not restructure access permissions on a Monday morning when everyone is trying to work. A Friday afternoon or weekend gives you time to troubleshoot without disrupting operations.
- Test thoroughly. Log in as each user role and verify that they can do their job. If a paralegal cannot access a matter they are assigned to, the configuration is wrong. Fix it before Monday.
- Document everything. Record your access control decisions, your software configuration, and the date of implementation. This documentation is your evidence of reasonable efforts to protect client information.
Role-based access is one of those operational decisions that feels like overhead until something goes wrong. The time to implement it is before that something happens — when it is a configuration project, not a crisis response.
For more on managing staff in a small firm, see our guide to hiring your first paralegal or virtual assistant. For broader security practices, read cybersecurity for attorneys.