VDR glossary · Permissions

Access controls

The rules that decide which users can open, download, print, or edit each folder and file in the data room.

Access controls are the layer of rules that governs exactly what each person can do with each folder and file inside a virtual data room. They go beyond a simple “can this user log in?” question and answer a harder one: once a reviewer is inside, which documents can they see, and can they only view, or also download, print, copy, or edit them? In a live deal, that distinction is the difference between a controlled disclosure and an uncontrolled leak. Strong access controls let a deal team invite dozens of outside parties into the same room while showing each of them only the slice they are entitled to, and only in the format the seller is comfortable releasing.

How do access controls work in a data room?

Access controls operate at several layers that stack on top of each other. At the top sits authentication, which confirms who a user is, often reinforced with two-factor authentication. Below that sits authorization, which decides what that verified user may do. Authorization is usually expressed through role-based access control, where an administrator assigns people to roles such as buyer, adviser, or administrator, and each role carries a default set of rights.

The finest layer is the per-item rule. Using granular permissions, an admin can override the role default on a single folder or document, for example allowing a bidder to view a sensitive contract on screen but blocking download and print. These per-document rights are the practical heart of access controls.

The layers of access control in a data roomFour stacked layers: authentication, role assignment, per-file permissions, and document rights such as view, download, print, and edit.1. Authentication: who are you? (password + 2FA)2. Role assignment: buyer, adviser, or administrator3. Per-file permissions: which folders this user sees4. Document rights: view / download / print / edit

Why do access controls matter for M&A and due diligence?

In a merger, acquisition, or fundraising round, a seller must open its confidential records to buyers who may include direct competitors. Access controls are what make that survivable. They let the seller stage disclosure, releasing commercially sensitive material such as customer lists or pricing only to a shortlisted clean team while every other bidder stays blocked. They also protect against the most common failure mode in due diligence: a document reaching someone who should never have seen it. Because every action is tied to a permission and logged, access controls also feed the audit trail that proves, after the deal closes, exactly who touched what. Weak controls do not just risk a leak; they can undermine the confidentiality representations a seller makes in the purchase agreement.

A concrete example

Imagine a company selling a division to one of three competing bidders. The deal team creates three user roles and assigns each bidder to its own. All three see the general folders: financials, corporate records, and material contracts. But the folder holding the crown-jewel R&D files is set to view-only for two bidders and fully hidden from the third, who has not yet signed the enhanced non-disclosure agreement. When that third bidder signs, the admin flips a single per-folder permission and the files appear, with download disabled and dynamic watermarking on. No documents were re-uploaded and no email was sent. That is access control doing its job.

How should you evaluate access controls in a VDR?

Not all “permissions” features are equal. Use this checklist when comparing providers.

CapabilityWeak setupStrong setup
GranularityFolder level onlyIndividual file level
Rights offeredView and downloadView, download, print, edit, copy, screenshot control
Time limitsNoneExpiry dates and self-destructing access
Bulk changesOne user at a timeRole templates applied to groups
VisibilityHidden files still listedHidden files fully invisible
Audit linkSeparate logEvery permission change logged

The most common mistakes are setting permissions at the folder level when a single file needs a stricter rule, forgetting to remove access when an adviser leaves the deal, and relying on view-only without watermarking, which still lets a determined reviewer photograph the screen. For a deeper walkthrough, see our guide on data room permissions explained and the practical steps in how to grant and revoke data room access. If access control is a decisive factor for your deal, our side-by-side comparisons show how the leading providers implement it, and each provider review records what we found in hands-on testing.

FAQ

Are access controls the same as permissions? They overlap but are not identical. Permissions are the specific rights granted on a document, such as view or download. Access controls is the broader system, including authentication, roles, and the per-file permissions together, that decides and enforces those rights across the whole room.

Can access controls stop someone from downloading a file? Yes. A view-only permission lets a user read a document on screen without saving a copy, and most rooms pair it with disabled printing and dynamic watermarking. This does not stop a screen photograph, which is why sensitive files are usually staged to a small, trusted group as well.

Who sets access controls in a data room? A room administrator, usually someone on the seller’s deal team or their adviser, configures roles and per-file permissions. Well-run rooms limit the number of full administrators and review the access list at each stage of the deal so that rights match who is actually still involved.