Access control determines who can do what within your BttrForm organization. From the database level to the user interface, BttrForm enforces access boundaries through multiple layers: role-based permissions, row-level security, API key scopes, session management, and multi-factor authentication. This article explains each layer and how to configure them.
Role Hierarchy
BttrForm uses a four-level role hierarchy. Each role inherits the permissions of the roles below it.
Owner
└── Admin
    └── Member
        └── Viewer
Permissions by Role
| Permission | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View forms and responses | Yes | Yes | Yes | Yes |
| Export responses | Yes | Yes | Yes | No |
| Create and edit forms | Yes | Yes | Yes | No |
| Delete forms | Yes | Yes | No | No |
| Manage integrations | Yes | Yes | No | No |
| Invite and remove members | Yes | Yes | No | No |
| Change member roles | Yes | Yes | No | No |
| Manage billing | Yes | Yes | No | No |
| Configure security settings | Yes | Yes | No | No |
| Sign BAA / compliance agreements | Yes | Yes | No | No |
| Delete organization | Yes | No | No | No |
| Transfer ownership | Yes | No | No | No |
Each organization has exactly one Owner. The role moves to another member only through the Transfer ownership action, which only the current Owner can perform.
Assigning Roles
- Navigate to Settings > Team.
- Click Invite Member to add a new user, or click the role badge next to an existing member to change their role.
- Select the appropriate role from the dropdown.
- Changes take effect immediately.
Row-Level Security (RLS)
BttrForm enforces data access at the database level using PostgreSQL Row-Level Security policies. RLS ensures that even if application-level authorization were bypassed, the database itself prevents unauthorized data access.
How RLS Works in BttrForm
Every database query is scoped to the authenticated user's context (`auth.uid()` returns the ID of the user behind the current request):

```sql
-- RLS is enforced only once it is enabled on the table. Note that the table
-- owner and roles with BYPASSRLS skip it, so the application must connect as
-- a restricted role.
ALTER TABLE public.forms ENABLE ROW LEVEL SECURITY;

-- Any member of an organization can read that organization's forms.
CREATE POLICY "org_member_forms"
  ON public.forms
  FOR SELECT
  USING (
    org_id IN (
      SELECT org_id FROM public.memberships
      WHERE user_id = auth.uid()
    )
  );

-- Viewers cannot modify forms. Policies are permissive (OR-ed together), so
-- the read policy above is FOR SELECT rather than FOR ALL; a FOR ALL policy
-- would grant every member UPDATE as well and make this role check moot.
-- WITH CHECK blocks an update that would move a row into another organization.
CREATE POLICY "members_can_update_forms"
  ON public.forms
  FOR UPDATE
  USING (
    org_id IN (
      SELECT org_id FROM public.memberships
      WHERE user_id = auth.uid()
        AND role IN ('owner', 'admin', 'member')
    )
  )
  WITH CHECK (
    org_id IN (
      SELECT org_id FROM public.memberships
      WHERE user_id = auth.uid()
        AND role IN ('owner', 'admin', 'member')
    )
  );
```
What RLS Prevents
- Cross-organization data access -- User A in Organization X cannot query forms belonging to Organization Y, even by manipulating API requests.
- Privilege escalation -- A viewer cannot modify data by sending direct API calls, because the database rejects the write operation.
- Data leakage through joins -- RLS policies apply to all queries, including joins and subqueries, preventing indirect data access.
API Key Scopes
API keys allow programmatic access to BttrForm's REST API. Each key is scoped to limit what operations it can perform.
Available Scopes
| Scope | Permissions | Use Case |
|---|---|---|
| read | Read forms, responses, analytics | Dashboards, reporting, data sync |
| write | Create and update forms, submit responses | Form management, data import |
| admin | All operations including user and settings management | Full automation, CI/CD integration |
Creating API Keys
- Navigate to Settings > API Keys.
- Click Create New Key.
- Enter a descriptive name (e.g., "Analytics Dashboard - Read Only").
- Select the scope(s) for the key.
- Set an optional expiration date.
- Click Create. The key is displayed once -- copy it immediately.
Key Rotation
Regular key rotation reduces the risk of compromised credentials being used long-term.
- Manual rotation -- Create a new key, update your integrations, then revoke the old key.
- Expiration dates -- Set keys to expire after a defined period (30, 60, 90, or 365 days). Expired keys stop working automatically.
- Rotation reminders -- BttrForm sends email notifications 7 days before a key expires.
Key Best Practices
- Use the minimum scope required for each integration. A reporting dashboard needs read, not admin.
- Set expiration dates on all keys. Indefinite keys are a security risk.
- Use separate keys for each integration so that revoking one does not break others.
- Never commit API keys to source control. Use environment variables or a secrets manager.
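The server side of the key properties described in this section (the key shown once and stored only as a hash, scope checks, expiry, the 7-day reminder window, and create-then-revoke rotation), as an added Python example. This is not BttrForm's code: the `bf_<id>.<secret>` key format, the record fields and the function names are assumptions, and the scenario in `demo()` is constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

VALID_SCOPES = frozenset({"read", "write", "admin"})


@dataclass
class ApiKeyRecord:
    """What the server persists (assumed layout). The plaintext key is never stored."""
    key_id: str
    key_hash: str                     # SHA-256 of the full presented key
    scopes: FrozenSet[str]            # the scope(s) selected at creation
    expires_at: Optional[datetime]    # None = no expiration (discouraged)
    revoked: bool = False


def hash_key(presented: str) -> str:
    return hashlib.sha256(presented.encode()).hexdigest()


def create_key(scopes: Iterable[str], ttl_days: Optional[int] = None,
               now: Optional[datetime] = None) -> Tuple[str, ApiKeyRecord]:
    """Return (plaintext key, record). The plaintext is shown once; only the
    record is persisted. The 'bf_<id>.<secret>' format is an assumption."""
    scopes = frozenset(scopes)
    if not scopes <= VALID_SCOPES:
        raise ValueError(f"unknown scope(s): {sorted(scopes - VALID_SCOPES)}")
    now = now or datetime.now(timezone.utc)
    key_id = "bf_" + secrets.token_hex(6)
    plaintext = key_id + "." + secrets.token_urlsafe(32)
    expires_at = now + timedelta(days=ttl_days) if ttl_days else None
    return plaintext, ApiKeyRecord(key_id, hash_key(plaintext), scopes, expires_at)


def authorize(store: Dict[str, ApiKeyRecord], presented: str,
              required_scope: str, now: datetime) -> Tuple[bool, str]:
    """Decide one API request: look up by key_id prefix, compare the hash of the
    whole key in constant time, then check revocation, expiry and scope."""
    key_id, _, _ = presented.partition(".")
    record = store.get(key_id)
    if record is None:
        return False, "unknown key"
    if not hmac.compare_digest(record.key_hash, hash_key(presented)):
        return False, "bad secret"
    if record.revoked:
        return False, "revoked"
    if record.expires_at is not None and now >= record.expires_at:
        return False, "expired"
    if required_scope not in record.scopes:
        return False, f"missing scope {required_scope}"
    return True, "ok"


def rotation_due(record: ApiKeyRecord, now: datetime,
                 warn: timedelta = timedelta(days=7)) -> bool:
    """True inside the 7-day window before expiry in which the reminder goes out."""
    return record.expires_at is not None and timedelta(0) <= record.expires_at - now <= warn


def rotate(store: Dict[str, ApiKeyRecord], old_key_id: str, ttl_days: int,
           now: datetime) -> str:
    """Manual rotation: issue the replacement with the same scopes first, then
    revoke the old key (here immediately; in practice after integrations switch)."""
    old = store[old_key_id]
    new_plain, new_rec = create_key(old.scopes, ttl_days, now)
    store[new_rec.key_id] = new_rec
    old.revoked = True
    return new_plain


def demo() -> Dict[str, object]:
    """Constructed scenario: a read-only key with a 30-day expiry."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    plain, rec = create_key({"read"}, ttl_days=30, now=now)
    store = {rec.key_id: rec}
    tampered = plain[:-1] + ("A" if plain[-1] != "A" else "B")
    out: Dict[str, object] = {
        "read_ok": authorize(store, plain, "read", now),
        "write_denied": authorize(store, plain, "write", now),
        "tampered": authorize(store, tampered, "read", now),
        "unknown": authorize(store, "bf_000000000000.x", "read", now),
        "expired": authorize(store, plain, "read", now + timedelta(days=30)),
        "reminder_day_10": rotation_due(rec, now + timedelta(days=10)),
        "reminder_day_24": rotation_due(rec, now + timedelta(days=24)),
    }
    new_plain = rotate(store, rec.key_id, 30, now + timedelta(days=24))
    out["old_after_rotate"] = authorize(store, plain, "read", now + timedelta(days=24))
    out["new_after_rotate"] = authorize(store, new_plain, "read", now + timedelta(days=24))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The constant-time comparison matters because the key_id prefix is effectively public (it appears in logs and the UI); only the hashed secret part must stay confidential.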
Session Management
BttrForm provides configurable session management to control how long users stay logged in and under what conditions sessions expire.
Session Settings
| Setting | Default | Range | Description |
|---|---|---|---|
| Idle timeout | 30 minutes | 5--120 minutes | Session expires after a period of inactivity |
| Maximum session length | 24 hours | 1--72 hours | Session expires regardless of activity |
| Concurrent sessions | Unlimited | 1--unlimited | Number of simultaneous active sessions |
| Remember device | 30 days | Disabled--90 days | Skip full login on recognized devices |
Configuring Sessions
- Navigate to Settings > Security > Session Management.
- Adjust the settings according to your organization's security requirements.
- Save. New settings apply to future sessions. Existing sessions continue under the old rules until they expire.
Automatic Session Expiry
When a session expires:
- The user sees a "Session Expired" message on their next interaction.
- Unsaved work in the form builder is preserved in local storage and restored after re-login.
- The user is redirected to the login page.
- A session expiry event is recorded in the audit log.
Re-authentication
Certain sensitive operations require the user to re-enter their credentials, even during an active session. This protects against unauthorized actions if a device is left unattended.
Operations Requiring Re-authentication
- Exporting form responses
- Changing security or compliance settings
- Managing API keys (create, revoke)
- Modifying billing or subscription settings
- Transferring organization ownership
- Deleting the organization
- Downloading file attachments from HIPAA-enabled forms
How It Works
- User initiates a sensitive operation.
- A modal prompts for password entry (or biometric/2FA confirmation).
- Re-authentication is valid for 5 minutes -- subsequent sensitive operations within this window do not require another prompt.
- After 5 minutes, the next sensitive operation requires re-authentication again.
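How the session limits from the Session Settings table and the 5-minute re-authentication window above interact on the server, as an added Python example. This is not BttrForm's code; the `Session` fields, the `expired_reason` audit hook and the `reauth` callback standing in for the password/2FA modal are assumptions, and the timeline in `demo()` is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple


@dataclass
class SessionPolicy:
    """Organization settings; defaults and ranges follow the table above."""
    idle_timeout: timedelta = timedelta(minutes=30)
    max_length: timedelta = timedelta(hours=24)
    reauth_window: timedelta = timedelta(minutes=5)

    def validate(self) -> None:
        if not timedelta(minutes=5) <= self.idle_timeout <= timedelta(minutes=120):
            raise ValueError("idle timeout must be 5-120 minutes")
        if not timedelta(hours=1) <= self.max_length <= timedelta(hours=72):
            raise ValueError("maximum session length must be 1-72 hours")


@dataclass
class Session:
    """Server-side state only; none of these timestamps come from the client."""
    created_at: datetime
    last_seen: datetime
    reauth_at: Optional[datetime] = None   # last successful step-up
    expired_reason: Optional[str] = None   # set once; the value for the audit log


def check_session(s: Session, policy: SessionPolicy, now: datetime) -> Tuple[bool, str]:
    """Idle timeout resets on activity; maximum length never does."""
    if s.expired_reason:
        return False, s.expired_reason
    if now - s.created_at >= policy.max_length:
        s.expired_reason = "max_length"
    elif now - s.last_seen >= policy.idle_timeout:
        s.expired_reason = "idle_timeout"
    if s.expired_reason:
        return False, s.expired_reason
    s.last_seen = now
    return True, "active"


def sensitive_operation(s: Session, policy: SessionPolicy, now: datetime,
                        reauth: Callable[[], bool]) -> str:
    """Step-up gate for the operations listed above. `reauth` models the
    password/2FA prompt and returns True when the user passes it."""
    ok, reason = check_session(s, policy, now)
    if not ok:
        return "session_expired:" + reason
    if s.reauth_at is None or now - s.reauth_at >= policy.reauth_window:
        if not reauth():
            return "reauth_failed"
        s.reauth_at = now
        return "reauth_prompted"
    return "allowed_within_window"


def demo() -> Dict[str, object]:
    """Constructed timeline with the default policy."""
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    policy = SessionPolicy()
    policy.validate()
    s = Session(created_at=t0, last_seen=t0)
    out: Dict[str, object] = {}
    out["export_at_1m"] = sensitive_operation(s, policy, t0 + timedelta(minutes=1), lambda: True)
    # 4 minutes after the prompt: still inside the 5-minute window, no prompt
    out["export_at_5m"] = sensitive_operation(s, policy, t0 + timedelta(minutes=5), lambda: False)
    # 5m01s after the prompt: prompted again; this user fails it
    out["export_at_6m01s"] = sensitive_operation(s, policy, t0 + timedelta(minutes=6, seconds=1), lambda: False)
    out["active_at_35m"] = check_session(s, policy, t0 + timedelta(minutes=35))
    # 31 minutes of silence ends the session
    out["after_idle"] = check_session(s, policy, t0 + timedelta(minutes=66))
    # a session used every 20 minutes still hits the 24-hour ceiling
    busy = Session(created_at=t0, last_seen=t0)
    t = t0
    while t < t0 + timedelta(hours=24):
        t += timedelta(minutes=20)
        status = check_session(busy, policy, t)
    out["after_max_length"] = status
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because `check_session` records the reason the first time it fails, a client that keeps polling after expiry gets the same answer every time and the audit log receives a single expiry event rather than one per retry.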
Multi-Factor Authentication (MFA)
Multi-factor authentication adds a second verification step beyond the password, significantly reducing the risk of account compromise.
Supported MFA Methods
| Method | Description |
|---|---|
| Authenticator app (TOTP) | Time-based one-time passwords via apps like Google Authenticator, Authy, or 1Password |
| Recovery codes | One-time use backup codes for when the authenticator is unavailable |
Enabling MFA
- Navigate to Settings > Account > Security.
- Click Enable Two-Factor Authentication.
- Scan the QR code with your authenticator app.
- Enter the 6-digit code to verify setup.
- Save the recovery codes in a secure location.
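What the server verifies once MFA is enabled (the TOTP code from step 4, with skew tolerance and replay protection) and how recovery codes from step 5 can be stored and consumed once, as an added Python example. This is not BttrForm's code; hashing recovery codes at rest and the one-step skew window are assumptions about the server, and the secret in `demo()` is the public RFC 6238 test vector, not a real key.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Dict, List, Set, Tuple

STEP = 30    # seconds per TOTP step (RFC 6238 default)
DIGITS = 6   # the 6-digit code entered during setup


def totp(secret_b32: str, at: int) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code the authenticator app displays."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(at) // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret_b32: str, submitted: str, at: int,
                used_counters: Set[int], window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either
    side for clock skew, compare in constant time, and never accept the same
    step twice (a code seen over someone's shoulder cannot be replayed)."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    current = int(at) // STEP
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(totp(secret_b32, counter * STEP), submitted):
            if counter in used_counters:
                return False
            used_counters.add(counter)
            return True
    return False


def generate_recovery_codes(n: int = 8) -> Tuple[List[str], Set[str]]:
    """Return (codes to show the user once, hashes to store). Keeping only the
    hashes (an assumption about the server) means a database leak does not
    hand out working second factors."""
    codes = [secrets.token_hex(5) for _ in range(n)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def redeem_recovery_code(code: str, stored_hashes: Set[str]) -> bool:
    """One-time use: a matching hash is removed as it is consumed."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.discard(digest)
        return True
    return False


def demo() -> Dict[str, object]:
    # RFC 6238 Appendix B test secret: ASCII "12345678901234567890", base32-encoded.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    used: Set[int] = set()
    out: Dict[str, object] = {}
    out["code_at_59"] = totp(secret, 59)                   # RFC vector: 287082
    out["code_at_1234567890"] = totp(secret, 1234567890)   # RFC vector: 005924
    out["accept"] = verify_totp(secret, "287082", 59, used)
    out["replay_rejected"] = verify_totp(secret, "287082", 59, used)
    out["skew_one_step_ok"] = verify_totp(secret, "287082", 59 + STEP, set())
    out["skew_three_steps_rejected"] = verify_totp(secret, "287082", 59 + 3 * STEP, set())
    codes, hashes = generate_recovery_codes(3)
    out["recovery_first_use"] = redeem_recovery_code(codes[0].upper(), hashes)
    out["recovery_second_use"] = redeem_recovery_code(codes[0], hashes)
    out["recovery_remaining"] = len(hashes)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `used_counters` set is what turns "a code is valid for 30 seconds" into "a code is valid once"; without it, the skew window also extends the replay window.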
Enforcing MFA for the Organization
Admins and owners can require MFA for all members:
- Navigate to Settings > Security > Authentication.
- Enable Require MFA for all members.
- Members without MFA will be prompted to set it up on their next login.
- Members who do not enable MFA within 7 days are locked out until they complete setup.
Audit Trail
Every access control action in BttrForm is logged in the audit trail. This provides a complete record of who did what, when, and from where.
What Is Logged
| Event Category | Examples |
|---|---|
| Authentication | Login, logout, failed login, MFA challenge, session expiry |
| Authorization | Role changes, permission denials, API key usage |
| Data access | Form views, response exports, file downloads |
| Configuration | Security setting changes, MFA enable/disable, API key creation/revocation |
| Member management | Invitations, removals, role changes |
Viewing the Audit Trail
- Navigate to Settings > Audit Log.
- Use filters to narrow by date range, event type, user, or IP address.
- Click any entry to see full details including the user agent, IP address, and the specific changes made.
Audit Log Integrity
- Audit logs are immutable -- once written, they cannot be modified or deleted by any user.
- Logs are stored separately from application data with their own encryption and access controls.
- Retention is a minimum of 365 days, the period typically examined in a SOC 2 audit, and is configurable up to 7 years on Business and Enterprise plans.