In a regulated quality management system, every user account is a compliance record. ISO 13485 clause 6.2 requires organizations to document the competence of personnel performing quality-affecting work, assign responsibilities formally, and retain evidence that those assignments were made. A user profile in a QMS is not a convenience setting: it is the system-of-record entry that ties a person’s identity to their training status, their authorized role, and every action they take inside the system.
Role-based access control carries direct regulatory weight. Approving a document, closing a CAPA, or releasing a batch requires a named, accountable individual with the authority to act. Auditors reviewing your QMS will verify that the people signing off on these activities held the correct role at the time of the action and that their competence was documented before that access was granted. Misconfigured roles or shared accounts create gaps that are difficult to close during an FDA QMSR inspection or ISO 13485 surveillance audit.
The principle of least privilege applies as much to a quality system as it does to information security. Restricting each user to the permissions their role requires limits the risk of unauthorized changes and keeps the audit trail legible. Access control lists, role assignment dates, and permission change logs are all considered part of the quality record.
Onboarding a new team member is itself a regulated activity. Training records must be completed and competence confirmed before access is granted. The sequence matters: training first, competence sign-off second, system access third, with each step captured in the audit trail. An access grant that precedes documented training is a nonconformance waiting to be cited.
The whitepaper below walks through how qmsWrapper structures user profiles, roles, and access grants to satisfy these requirements out of the box.




