Databus Logo
Blog Login →
DPDP Act 2023 · POCSO 2012 · JJ Act 2015 · 500+ schools 🇮🇳

Role-Based Access Control for Indian K-12 School ERPs

The receptionist shouldn't see payroll. The accountant shouldn't see medical histories. Most school ERPs let everyone see everything.

This module owns the role definition + permission catalogue for SchoolDeck — what every named staff role can View, Create, Edit, Approve or Export per module, with row + field scope. The cross-campus API-level branch fencing is at /features/multi-branch/. The immutable forensic trail of who-changed-what is at /features/audit-logs/. Maker-Checker on financial transactions is at /features/finance-management/.

Unlimited custom roles — not just Admin / Teacher / User. Class Teacher sees their 40 students; Transport Coordinator sees addresses and bus routes (not medical or income); Junior Accountant creates vouchers but can't approve; Counsellor sees welfare notes that no other role can.

Book a demo to see the role catalogue See how it works

Role-based access control for schools is the discipline of defining named staff roles and setting module-by-module permissions for each — what they can View, Create, Edit, Delete, Approve and Export. SchoolDeck's RBAC module owns the role catalogue; the forensic audit trail of who did what is owned by the audit-logs module. Aligned with DPDP Act 2023 Data Fiduciary obligations.

Unlimited
Custom roles
per school
Row+Field
Scope control
per role
1-click
Deactivation on
staff resignation
DPDP
Phase III ready
by May 13, 2027

Pre-built role catalogue

Eleven Indian-school roles, pre-built. Plus unlimited custom.

Every Indian K-12 school has roughly the same shape — Principal, Vice-Principal, Coordinator, Class Teacher, Subject Teacher, Junior Accountant, Finance Head, Admissions Officer, Transport Coordinator, Librarian, Counsellor. SchoolDeck ships sensible defaults for each. You customise from there.

Role Sees + can do Cannot see + cannot do
Principal All operational data, approve fee waivers, approve mark corrections post-deadline Delete audit logs (no role can — that's by design)
Vice-Principal Academic data school-wide, discipline records, parent communication Payroll, vendor contracts, audit log review
Academic Coordinator Syllabus tracker, lesson plan review, exam scheme — all sections of one grade level Fee data, payroll, vendor records
Class Teacher Their assigned class's students — academic, attendance, homework, behaviour notes Other classes, fees, medical, parent income, payroll
Subject Teacher Subject grades + lesson plans for sections they teach Other subjects, fees, medical, full attendance
Junior Accountant Create fee receipts, draft expense vouchers, view fee ledger Approve vouchers (Maker-Checker — Finance Head approves)
Finance Head / Treasurer Full Trust finance — P&L, Tally bridge, approve all Maker-Checker Student medical, exam mark edits, delete audit logs
Admissions Officer Lead CRM, enquiry pipeline, prospectus fee receipts Existing students' academic records, payroll, P&L
Transport Coordinator Student name, class, home address, bus route, transport fee status Academic marks, medical, parent income, full fee ledger
Librarian Student names, library issue history, overdue records, OPAC management Fees, medical, academic marks, transport
Counsellor Welfare notes (JJ Act Sec 41-42 protected), wellbeing check-ins Fees, payroll, marks edits — welfare notes visible only to counsellors

Every default is editable; every role is cloneable. The Audit Log records every permission edit — see /features/audit-logs/.

Four problems with "Admin / Teacher / User" school ERPs

What goes wrong when three roles aren't enough.

Every legacy Indian school ERP ships with two or three hardcoded roles. The reality of a 4,000-student school needs 15.

🔑

Pain 1 · Shared admin

"admin@school.com" — known by five people.

The accountant, the receptionist, the head clerk, the transport coordinator and sometimes the principal's PA all share the same login because the alternative roles in the ERP are too restrictive for daily work. When a fee receipt gets modified or a mark gets changed, every action is logged under "admin" — and forensic accountability drops to zero. The Trust's CA can see the change. They cannot tell who made it.

👀

Pain 2 · Excessive visibility

A transport coordinator who can read medical records.

The transport coordinator legitimately needs the home address for bus routing. The system, however, shows the entire student profile — including medical allergies, blood group, parent income certificate, and Aadhaar. Under the DPDP Act 2023, that excess visibility is a Data Fiduciary compliance failure — regardless of whether the coordinator ever actually looks at the medical data.

👋

Pain 3 · The resignation gap

Days of vulnerability after a difficult exit.

A senior accountant resigns under acrimonious circumstances. The shared admin password is the only mechanism to lock her out — and changing it means informing seven other staff of the new credential. In the 48 hours that takes, she has access to download fee records, export staff payroll, or alter ledger entries. A one-click role deactivation on her individual login would have closed the window instantly. The shared credential prevented it.

📋

Pain 4 · CA audit visibility

Sharing full admin credentials with the external CA.

The external CA needs to review fee ledgers and expense vouchers for the annual audit. The Trust hands over the admin login. The CA can now also see staff salaries, parent contact details, student medical records — none of which they need. After the audit, the password sometimes never gets rotated. A time-limited view-only auditor role would solve this in one configuration. Most legacy ERPs simply don't have that role.

Built on verified frameworks

Indian child-data protection law, line by line.

Six specific Indian regulations govern how a school handles minor-student data. SchoolDeck's role catalogue maps to each — not in marketing copy, in named clauses.

DPDP Act 2023

Data Fiduciary obligations

Assented August 11, 2023. Phase III full-compliance deadline May 13, 2027. Schools are classified as Data Fiduciaries for minor-student personal data. Verifiable parental consent required. Reasonable security safeguards mandated — RBAC is the technical guardrail.

POCSO Act 2012

Background-check role gate

Protection of Children from Sexual Offences Act. Requires background-check clearance for staff with direct student contact. SchoolDeck's role catalogue can gate student-contact-role assignment behind a POCSO clearance flag on the staff profile.

JJ Act 2015 Sec 41-42

Child welfare records protected

Juvenile Justice (Care and Protection of Children) Act, Sec 41-42. Child welfare records are restricted-access. SchoolDeck's Counsellor role sees these notes; no other role does — not even the Principal without explicit elevation.

NCPCR 2021 Guidelines

Child rights in schools

National Commission for Protection of Child Rights — 2021 school safety and protection guidelines. Includes data-handling standards for student personal information. SchoolDeck's role catalogue implements need-to-know access for all minor-student data.

CBSE Affiliation Bye-Laws

Chapter 9 — Staff roles

Chapter 9 defines the named roles a CBSE-affiliated school must staff (Principal, Vice-Principal, PGT, TGT, PRT, Coordinator, Counsellor, Librarian). SchoolDeck's pre-built role catalogue mirrors this nomenclature so the role names in the ERP match the inspection vocabulary.

In Loco Parentis

Legal duty of care

Indian common-law principle — schools stand in the place of parents during school hours and (for boarding) all hours. This creates a duty of care extending to data handling. Knowing exactly which staff can see what is a foundational element of fulfilling that duty.

References: DPDP Act 2023 (Phase III 13.05.2027) · POCSO Act 2012 · JJ Act 2015 Sec 41-42 · NCPCR 2021 Guidelines · CBSE Affiliation Bye-Laws Ch. 9 · In Loco Parentis (Indian common law)

"
I learnt this from a vendor invoice I should never have seen. Eighteen months ago, my admissions counsellor mentioned in passing that the new printing-press invoice looked high. She knew the amount because she had stumbled into the expense module while looking for the prospectus PDF. Three menus over, she could see every cheque the Trust had issued that year. Nothing malicious — she was looking for a printable file and the menu was right there. But she was an admissions counsellor. She had no business knowing what we paid our auditors or our cleaning contractor. That night I sat with the previous ERP's role settings and realised they had two roles: Admin, and User. There was no realistic configuration where she could do her admissions work without seeing the entire Trust. We migrated to SchoolDeck four months later. The first thing I asked for was a custom role called "Admissions — Senior" that could see the enquiry CRM and the prospectus fee module and absolutely nothing else.
B
Mr. Bhavin Mehta
Founder + Trust Director · 3-campus CBSE+ICSE Trust, Ahmedabad, Gujarat · 4,200 students total · Migrated February 2025

What is role-based access control for schools?

Role-based access control is the discipline of defining named staff roles in a school ERP — Principal, Vice-Principal, Coordinator, Class Teacher, Subject Teacher, Junior Accountant, Finance Head, Admissions Officer, Transport Coordinator, Librarian, Counsellor, custom — and setting module-by-module permissions for each: View, Create, Edit, Delete, Approve, Export. Each role carries row-level scope (which student records it can see) and field-level scope (which fields within a record are visible). Staff members are then assigned to roles.

The SchoolDeck RBAC module owns one specific layer: the role definition and permission catalogue. What every named role can do, and at what scope. It does not own the audit watching (that's at /features/audit-logs/ — the immutable record of who actually did what). It does not own the cross-campus branch fencing (that's at /features/multi-branch/ — how a Branch A Principal's session is scoped to Branch A's data partition at the API level). It does not own Maker-Checker dual control on financial transactions (that's at /features/finance-management/ — payment voucher Maker + Checker workflow). Four complementary security layers, one access architecture.

The permission grid — module-by-module, six actions per cell

Every SchoolDeck module is represented in the role's permission grid. For each module the role can be granted up to six actions:

  • View: Can open and read records in this module.
  • Create: Can add new records.
  • Edit: Can modify existing records.
  • Delete: Can soft-delete records (hard delete is reserved to Super Admin and always logged).
  • Approve: Can approve workflows that other roles initiated — e.g. fee waiver requests, expense vouchers, mark corrections.
  • Export: Can download data as CSV / PDF / Excel. Export is the action with the highest data-exfiltration risk — schools often grant View and Edit but withhold Export for everyone below the Vice-Principal level.

A Junior Accountant in a typical Indian school is granted: Fees module — View, Create, Edit, Export; Expense module — View, Create (but not Approve); all other modules — nothing. A Counsellor: Students module — View limited to own counselling caseload; Counselling Notes module — View, Create, Edit; all other modules — nothing.

The Trust HR or Super Admin sees the role grid as a matrix and ticks boxes. Three minutes to define a new role from scratch.

Row-level scope and field-level scope — both matter

Two distinct scope dimensions decide what a role can actually see in the data.

Row-level scope controls which student records the role can access at all. A Class 9-A teacher with row-scope = own class sees the 40 students in 9-A — the other 1,960 students in the school are not searchable, not viewable, not even auto-completing in a search box. They are mathematically invisible to that role's queries.

Row-scope options:

  • Own class: Only students in the role-holder's assigned section. Default for Class Teacher.
  • Own grade: All sections of the role-holder's assigned grade. Default for Academic Coordinator.
  • Own department: All students taking subjects in a department. Default for HOD.
  • Own branch: All students in the role-holder's branch — combined with the API-level partition from /features/multi-branch/.
  • School-wide: Everyone. Default for Principal.
  • Custom filter: Arbitrary criteria — e.g. "students enrolled in the boarding house" for the Hostel Warden role.

Field-level scope controls which fields within a record are visible to the role. A Transport Coordinator legitimately needs the student's name, class, home address and bus route — but their role's field scope hides the medical-allergy field, Aadhaar number, parent income certificate, fee outstanding, academic marks. The same student record renders differently to different roles. This is the SchoolDeck implementation of DPDP Act 2023's purpose-limitation principle in software.

DPDP, POCSO, JJ Act — three frameworks, three role-catalogue alignments

India's three primary child-data and child-safety frameworks each impose specific requirements on how a school's staff can access student records. SchoolDeck's role catalogue addresses each.

DPDP Act 2023 (assented August 11, 2023; Phase III full-compliance deadline May 13, 2027) classifies schools as Data Fiduciaries for the personal data of minors. The Act requires (a) verifiable parental consent at data collection, (b) purpose limitation — data collected for one purpose cannot be reused for another, (c) reasonable security safeguards. RBAC is the technical implementation of purpose limitation: a transport coordinator's access serves the transport purpose; their access is limited to transport-relevant data. A medical compliance audit can verify the role-permission matrix at any time. The audit trail in /features/audit-logs/ is the documentary proof.

POCSO Act 2012 requires schools to maintain background-check clearance for all staff with direct student contact. SchoolDeck's role catalogue allows student-contact roles (Class Teacher, Subject Teacher, Counsellor, Sport Coach, House Master) to be gated behind a POCSO clearance flag on the staff profile. If the clearance has not been recorded — or has expired — the role cannot be assigned to that staff member. The Trust HR sees a clear "POCSO clearance required" message when attempting the assignment.

JJ Act 2015 Sec 41-42 protects child welfare records. A counsellor's notes on a student's emotional wellbeing, family circumstances or any disclosure that may affect child welfare are not general school records — they are restricted to the Counsellor role. The Principal does not see counselling notes by default; the Class Teacher does not see them; a substitute Counsellor temporarily covering can see only the notes they themselves authored unless explicitly elevated by the Designated Child Welfare Officer.

One-click staff deactivation — closing the resignation window

The highest-risk moment in any school's data security year is the week after a senior staff member's resignation — particularly when the resignation is not amicable. In schools with shared admin passwords, that week ends with the credential finally being changed and all remaining staff informed of the new password. In between, data exfiltration is unrestrained.

SchoolDeck's RBAC eliminates that window. When the Super Admin or Trust HR toggles a staff member's status to Deactivated, the following happens within seconds:

  • Web portal authentication is rejected — even if the staff member is currently logged in on a browser, the next page load fails.
  • Mobile app sessions terminate — the SchoolDeck app on their phone logs them out and clears cached data.
  • Every active session token across every device is destroyed — they cannot continue from a saved login.
  • The unique login credentials are permanently disabled.
  • Their entire historical audit trail in /features/audit-logs/ is preserved intact — every action they ever took, every record they viewed, remains in the immutable trail for institutional records.

For staff on planned exit (notice period), the deactivation can be scheduled to a specific date and time. For acrimonious resignations, the toggle is immediate.

The external auditor role — time-limited, module-scoped, view-only

Every year, the Trust's CA needs access to fee ledgers, expense vouchers, payroll summaries and P&L reports for the annual audit. The traditional approach — sharing full admin credentials with the CA — is a data governance failure. The CA may be trustworthy; the credentials may not stay in their personal control; and there is no record of what they actually viewed.

SchoolDeck ships a pre-built "External Auditor" role configured as: View-only across Finance + Fees + Expense modules; no access to student academic records, medical, parent contact, payroll details beyond salary aggregates; time-limited login (the role automatically deactivates on a configured end-date — typically 30 days from creation, extendable); IP whitelisting optional but recommended (the CA's office IP, or the school campus IP if the audit happens on-site).

Every record the auditor views is logged in /features/audit-logs/. After the audit window, the role auto-deactivates and the audit log shows exactly what was reviewed. If a future regulatory inquiry asks "who saw which records during the FY25 audit?" — the Trust has a verifiable answer.

The parent role — cryptographically bound to the child UID

Parents are users of the school ERP too — through the SchoolDeck parent app. Their access raises a specific question: can a parent see another family's student data, accidentally or deliberately?

The architectural answer: no. The parent role is not a standard "user" with broad access — it is a role bound at session-token level to the specific Student Unique ID of their child. Every API call the parent app makes carries this binding. Any query for any other student's data fails authentication. This is enforced at the API layer, not the UI.

For parents with multiple children — including children in different campuses of the same Trust — the Family ID system aggregates the bound Student UIDs into a single login. The parent sees all their children in one app session. They do not see any other family's children. They cannot query another family's children even by altering URLs or attempting API calls directly. The binding is mathematical.

RBAC ≠ Audit Logs ≠ Multi-Branch ≠ Maker-Checker

The SchoolDeck security architecture is split across four feature pages, each owning a distinct layer. Knowing the boundaries helps schools evaluate them correctly.

  • This page · /features/role-based-access/ — Owns the role catalogue and permission definition. What named roles exist, what each role can View / Create / Edit / Delete / Approve / Export per module, row-scope and field-scope. The rules.
  • /features/audit-logs/ — Owns the immutable forensic trail. A record of who actually did what, when, from where. Cannot be deleted by anyone. DPDP Act 2023 Phase III ready by May 13, 2027. The watching.
  • /features/multi-branch/ — Owns cross-campus branch fencing at the API level. How a Branch A Principal's session is scoped to Branch A's data partition so they cannot query Branch B data even by altering URLs. The cross-campus boundary.
  • /features/finance-management/ — Owns Maker-Checker dual control on financial transactions. Payment vouchers require separate Maker (Junior Accountant) creation and Checker (Finance Head) approval. The dual-approval workflow.

Each layer is needed; none replaces the others. RBAC defines who can do what; the audit log records who actually did what; multi-branch fences across campuses; Maker-Checker imposes dual approval on financial actions. SchoolDeck's complete access architecture sits on all four.

Two-role legacy ERP vs SchoolDeck RBAC

What changes for a 1,800-student Indian school's role architecture.

Capability Two-role legacy ERP SchoolDeck RBAC
Role definition Hardcoded Admin / Teacher / User Unlimited custom + 11 pre-built
Forensic accountability Shared password — untraceable Per-staff login + audit-logs trail
Row-level student scope Any teacher can search any student Class / grade / dept / branch / school-wide
Field-level data hiding All fields visible to all roles Medical / Aadhaar / income hidden per role
POCSO clearance gating Tracked in HR file only Role-assignment blocked without clearance
JJ Act welfare-record protection Visible to anyone with admin login Counsellor-role-only field-scope
Staff resignation revocation Days — password change + staff notify Seconds — one-click + session token kill
External CA / auditor role Share admin login (and forget to rotate) Time-limited view-only module-scoped role
Parent app — cross-family data Hidden in UI but reachable via API Cryptographically bound to child UID
DPDP 2023 Phase III readiness Marketing claim with no proof Role matrix + audit log = verifiable proof

FAQ

Questions principals and Trust directors ask.

The role-architecture answers schools want before evaluating DPDP-grade RBAC.

What is role-based access control (RBAC) for schools?

+

Role-based access control for schools is the discipline of defining named staff roles (Principal, Class Teacher, Junior Accountant, Transport Coordinator, Librarian, Counsellor, custom) and setting module-by-module permissions for each — View, Create, Edit, Delete, Approve, Export. Each role then carries row-level scope (which students this role can see) and field-level scope (which fields within a record are visible). Staff members are assigned to roles; their session permissions follow the role. Used by 500+ Indian K-12 schools for DPDP Act 2023 Data Fiduciary compliance.

How is this different from /features/audit-logs/?

+

Role-Based Access Control owns the permission catalogue — what each role can do. /features/audit-logs/ owns the immutable forensic trail — a record of what each user actually did. RBAC defines the rules; audit logs record the activity. Both are needed for DPDP Act 2023 Phase III compliance (May 13, 2027 deadline). One sets the gates; the other watches who walks through.

How is this different from /features/multi-branch/?

+

Role-Based Access Control owns the per-role permission definition — what a Class Teacher can do in the Students module, what a Junior Accountant can do in the Fees module. /features/multi-branch/ owns the cross-campus branch fencing — how a Branch A Principal's role is also scoped to Branch A's data partition at the API level. Roles defined here are assigned within the branch fencing imposed there. Two complementary security layers.

How is this different from the Maker-Checker workflow in finance?

+

Role-Based Access Control owns role definition. Maker-Checker dual control on financial transactions — payment vouchers requiring a separate Maker (Junior Accountant) creation and Checker (Finance Head) approval — is owned by /features/finance-management/. RBAC is what makes Maker-Checker possible (it defines the Maker role and the Checker role separately) but the Maker-Checker workflow itself sits in the finance module.

Does SchoolDeck support row-level and field-level data scope?

+

Yes. Row-level scope per role decides which student records the role can see — own class only, own grade, own department, school-wide. Field-level scope per role decides which fields within a record are visible — a Transport Coordinator sees the student's name, class, home address and bus stop, but the medical-allergy field, Aadhaar number and parent income certificate are hidden. The student record is the same database entry; SchoolDeck shows or hides fields based on the requesting role.

How does RBAC help with DPDP Act 2023 compliance?

+

The DPDP Act 2023 (assented August 11, 2023; Phase III full-compliance deadline May 13, 2027) classifies Indian schools as Data Fiduciaries for the personal data of minors. The Act requires verifiable parental consent and 'reasonable security safeguards.' RBAC delivers the safeguards — minor-data access is restricted to need-to-know roles only. A transport coordinator cannot access medical data. A class teacher cannot access fee data. The forensic record proving compliance lives in /features/audit-logs/.

What happens when a staff member resigns?

+

The Super Admin or Trust HR clicks Deactivate on the staff profile. Within seconds: web portal access is rejected, mobile app session terminated and cached data cleared, every active session token destroyed, the unique login disabled permanently. Their historical audit trail in /features/audit-logs/ is preserved intact for institutional records and any later forensic review. This is critical for the resignation scenario where data exfiltration risk peaks in the days before the last working day.

Can we give our CA or external auditor temporary access?

+

Yes. Create a custom "External Auditor" role with View-Only permissions restricted to the Finance, Fees and Expense modules. The CA reviews ledgers and vouchers remotely without ability to edit data. Time-limit the role to the audit window — the role automatically deactivates after the configured end-date. Every record the auditor views is logged in the immutable trail at /features/audit-logs/.

How does RBAC interact with POCSO and JJ Act requirements?

+

POCSO Act 2012 requires schools to maintain background-check clearance for staff with direct student contact. SchoolDeck allows the role catalogue to gate student-contact-role assignment behind a POCSO clearance flag on the staff profile — staff without clearance cannot be assigned to Class Teacher or Counsellor roles. JJ Act 2015 Sec 41-42 protects child welfare records — those records are accessible only to a Counsellor or Child Welfare Officer role, never to a general teacher or administrative role.

Can parents see other students' data through the parent app?

+

No. The parent role is cryptographically bound to the specific child's Unique Student ID via the Family ID system. A parent with one child sees only that child. A parent with multiple children sees only those children. There is no parent role that can query, search or accidentally view another family's student data. The architectural binding makes this mathematically prevented, not just hidden in the UI.

The other three layers of the SchoolDeck security architecture

The four security layers, side by side.

Each owns a distinct mechanism. Together they form the complete access architecture.

📋

Audit Logs

Owns the immutable forensic trail — every record-changing action across all modules. DPDP Act 2023 Phase III ready by May 13, 2027.
🏢

Multi-Branch Fencing

Owns cross-campus branch fencing at the API level. How a Branch A Principal's session is scoped to Branch A's data partition.
📊

Finance — Maker-Checker

Owns Maker-Checker dual control on financial transactions, consolidated P&L, Tally bridge. The dual-approval workflow.
👤

Student Information System

Owns the master student record — the source of the row-scope (which students this role can see) and the parent-app Family ID binding.
For Indian Trust Directors + Principals + IT admins

Data privacy isn't a feature request. It's a legal obligation under DPDP 2023.

In the demo we'll create a custom Counsellor role with JJ Act welfare-record scope, run a row-and-field-scope test (can the Transport Coordinator see medical data?), execute a 1-click staff deactivation, and walk through external auditor role provisioning — on your school's actual staff structure.

From ₹30/student/month · 500+ Indian schools · DPDP Phase III ready by May 2027

Book a demo to see the role catalogue See pricing