Inside CaseQube's Role-Based Permissions Engine: How Mid-Size Law Firms Lock Down Trust Accounts, Client PHI, and Settlement Data Without Slowing Attorneys Down in 2026

Mid-size law firms run a permissions paradox: trust accounts and settlement data need lockdown, while paralegals, intake coordinators, and outside accountants need fast, partial access. CaseQube's role-based permissions engine — built on Salesforce's enterprise security model — lets firms define who sees what at the field level, the matter level, and the financial transaction level, without bottlenecks.

Published: 2026-05-17T23:56:43.526Z · Category: Practice Management · 8 min read

💡 IN SHORT
CaseQube's role-based permissions engine is built on the Salesforce security model — meaning law firms can lock down trust account ledgers, settlement disbursement data, client PHI, and matter-specific work product at the field level, the record level, and the transaction level. The result: tight compliance without the bottleneck of "ask the partner before doing anything."
👥 Who should read this: Managing Partners, Firm Administrators, IT and Security Leads, Compliance Officers

🔐 The Mid-Size Firm Permissions Paradox

Solo and small firms get away with "everyone sees everything." Trust the team, lock the office, and move on. That model breaks the moment a firm crosses the 20-attorney mark. Now there are multiple practice groups, outside accountants pulling reports, contract attorneys touching a single matter, paralegals across departments, and clients with portals.

The problem isn't that mid-size firms don't want security — they do. The problem is that most legal practice management systems force a choice: either everyone has access (fast but unsafe) or every change requires a partner-approved permission ticket (safe but glacial). Neither works.

🚫 Red Flag
If your firm's response to "should the paralegal see the settlement total?" is "let me email the partner," your permissions model is operationally broken. Bar audits, breach reports, and client expectations in 2026 all assume granular, field-level access control.

🏗️ What "Built on Salesforce" Actually Means for Permissions

CaseQube inherits its security architecture from Salesforce, which means it doesn't have permissions — it has layers of permissions. Every layer can be tuned independently, and they stack.

🎭 Profiles

Define what an attorney, paralegal, intake coordinator, accountant, or outside contractor can do at the object level — matters, billing, trust ledgers.

🪪 Permission Sets

Stack additional permissions on top of a profile. A senior paralegal can have the "paralegal" profile plus a "settlement viewer" permission set.

🏢 Role Hierarchy

Mirrors the firm's reporting structure. A partner's records are visible up the chain; subordinate records roll up automatically.

📁 Sharing Rules

Open up access by criteria — "all Family Law matters visible to the Family Law team" — without compromising matters in other practices.

🔢 Field-Level Security

Hide individual fields. The paralegal sees the matter, but not the contingency fee percentage. The intake clerk sees the client, but not the SSN.

🧾 Record-Type Security

Different matter types (PI, Immigration, Corporate) can have entirely different field layouts and permissions — without separate systems.

⚖️ Three Lockdown Scenarios CaseQube Solves Out of the Box

🏦 Scenario 1: Trust Account Access Without Bottlenecks

The classic mid-size problem: the bookkeeper needs to post trust transactions every day, the partner needs to approve disbursements weekly, the auditors need read-only access at year-end, and the paralegal who manages settlement intake needs to see balances without touching them.

In CaseQube, that resolves to four layered permissions:

💡 Pro Tip
Time-boxed permission sets are the cleanest answer to outside auditor and forensic accountant access. Grant for 30 days, auto-expire. Bar review-ready audit trail of who saw what, when.
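The layers listed above, together with the time-boxed permission sets from the Pro Tip, combine roughly as follows. This is an added, deliberately simplified Python model, not CaseQube's or Salesforce's code; it assumes an invented three-level role hierarchy, a single sharing rule, and made-up user and matter data, and shows why a paralegal can see a settlement total only while the time-boxed set is active, and never the contingency fee.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed toy model of the stacked layers described above: profile, permission
# sets with optional expiry, role hierarchy, sharing rules and field-level security.
# Not CaseQube or Salesforce code; every name and value here is invented.
ROLE_PARENT = {"Paralegal": "Attorney", "Attorney": "Partner", "Partner": None}

@dataclass
class Grant:  # what one profile or one permission set contributes
    objects: dict = field(default_factory=dict)  # object -> set of CRUD verbs
    fields: dict = field(default_factory=dict)   # object -> set of readable fields

@dataclass
class User:
    name: str
    role: str
    profile: Grant
    perm_sets: list = field(default_factory=list)  # [(Grant, expiry date or None)]

def ancestors(role):  # roles strictly above `role`; records roll up to them
    role, out = ROLE_PARENT.get(role), set()
    while role:
        out.add(role)
        role = ROLE_PARENT.get(role)
    return out

def active_grants(user, today):  # profile plus every unexpired permission set
    return [user.profile] + [g for g, exp in user.perm_sets if exp is None or today <= exp]

def record_visible(user, rec, sharing, today):
    if not any("read" in g.objects.get(rec["object"], ()) for g in active_grants(user, today)):
        return False  # no object-level read from any layer, so nothing below matters
    if rec["owner"] == user.name or user.role in ancestors(rec["owner_role"]):
        return True   # owner, or above the owner in the role hierarchy
    return user.role in sharing.get((rec["object"], rec["practice_group"]), ())

def visible_fields(user, rec, sharing, today):  # field-level security on top of record access
    if not record_visible(user, rec, sharing, today):
        return set()
    readable = set().union(*(g.fields.get(rec["object"], set()) for g in active_grants(user, today)))
    return readable & set(rec["fields"])

# Constructed sample: a Family Law matter and a paralegal with a time-boxed settlement-viewer set.
SHARING = {("Matter", "Family Law"): {"Paralegal"}}  # all Family Law matters to the team
MATTER = {"object": "Matter", "owner": "a.jones", "owner_role": "Attorney", "practice_group": "Family Law",
          "fields": ["client", "status", "settlement_total", "contingency_fee_pct"]}
PARALEGAL = User("p.smith", "Paralegal", Grant({"Matter": {"read"}}, {"Matter": {"client", "status"}}),
                 [(Grant(fields={"Matter": {"settlement_total"}}), date(2026, 6, 30))])
TODAY, AFTER_EXPIRY = date(2026, 5, 31), date(2026, 7, 1)
```

Swapping the matter's practice group to one the sharing rule does not cover returns an empty set: the object-level read survives, but no record-level path grants the paralegal the matter.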

🏥 Scenario 2: PI Firms With Medical Records and PHI

Personal injury matters generate enormous amounts of protected health information — medical records, billing statements, treatment notes. Federal HIPAA rules require that PHI be accessible only to those with a legitimate need.

CaseQube handles this with a combination of folder-level document permissions (CloudDoc), field-level security on PHI-tagged fields, and matter-level sharing rules that limit visibility to the matter team. A floating contract attorney touching one case doesn't see the entire firm's medical records — they see only what they were assigned.

💵 Scenario 3: Settlement Data With Multiple Stakeholders

A $5M PI settlement involves the client, opposing counsel, multiple medical liens, an MSA broker, the attorneys, the bookkeeper, and the partner. Each needs a different slice of the same record. CaseQube's settlement management uses record-type security combined with field-level rules to expose only the relevant fields to each role. The lien tracker sees lien data. The bookkeeper sees disbursement totals. The client sees their net distribution. No one sees everything except the attorneys on the matter.

📋 The 4-Question Permissions Audit Every Mid-Size Firm Should Run

📊 Did You Know?
BakerHostetler's 2026 Data Security Report found that 56% of breached mid-size law firms lost client data partially because internal permissions were too broad. Tightening role-based access is now considered a primary cyber control by most cyber-insurance underwriters.
  1. Can a paralegal in one practice group see matters in another? If yes, by default, that's too open.
  2. Can your outside accountant see settlement totals? Should they? Usually no — they need GL and trust, not matter-level financials.
  3. Can a departed employee's account still log in? If yes, that's a critical gap.
  4. Can you produce, on demand, a report of every user who viewed a specific trust ledger in the last 90 days? If no, that's an audit gap.

🚀 Why This Matters for Cyber Insurance Renewals in 2026

Cyber-insurance underwriters now ask law firms specifically about role-based access, least-privilege enforcement, and audit logging on financial systems. Firms that can show field-level controls and time-boxed access pay materially less in premiums than firms running everyone-sees-everything. CaseQube's Salesforce-backed permissions architecture gives firms a defensible answer to every underwriter question.

✅ Key Takeaways
  1. Mid-size firms outgrow "everyone sees everything" the moment they cross ~20 attorneys — and they need granular controls without operational bottlenecks.
  2. CaseQube inherits the Salesforce security model: profiles, permission sets, role hierarchy, sharing rules, field-level security, and record-type security stack independently.
  3. Trust account access, PHI handling, and settlement data segmentation are the three lockdown scenarios firms can solve out of the box.
  4. Time-boxed access for outside auditors and forensic accountants is the cleanest answer to "how do we share without leaving the door open?"
  5. Tighter role-based access materially reduces cyber-insurance premiums in 2026 — and gives firms a defensible posture at bar and underwriter review.

Ready to See Field-Level Security in Action?

Watch how CaseQube's role-based permissions engine locks down trust, PHI, and settlement data while keeping attorneys, paralegals, and bookkeepers moving fast.
