Skip to main content

Role-Based Access Control (RBAC) for Loan Management & Loan Services

Updated

Description:

Administrators can now configure granular permission settings for loan officers and team members through Role-Based Access Control (RBAC). This feature allows you to control exactly which actions users can perform within nCino Mortgage, including creating and editing loan applications, running credit checks, ordering verifications, executing automated underwriting, and managing closing fees. RBAC helps organizations enforce compliance requirements, maintain data security, and ensure users have appropriate access levels based on their job responsibilities and training.

Steps to Resolve:

Creating and Assigning Roles with RBAC Permissions:

  1. Log into nCino Mortgage as an Administrator.
  2. Navigate to the Roles tab of the Users and Roles page.
  3. Click "Create New Role" or select an existing role to edit.
  4. Enter a Role Name that clearly describes the user type (e.g., "Junior Loan Officer", "Senior Processor", "Operations Manager").

  5. Select the appropriate Permission Groups from the available options: 

    Loan Management Permissions:

    • Start and Edit Loan Applications: Control who can create new loan applications and modify existing applications through the LO 1003
    • App Share Link: Manage unique application share links and partner branding (only works for loan officer account types)
    • Deactivate Loan Applications: Allow users to deactivate and reactivate loan applications
    • Delete Loan Applications: Allow users to permanently delete loan applications
    • Deactivate Loans: Allow users to deactivate and reactivate loans

    User Management Permissions:

    • Merge Borrowers: Consolidate duplicate borrower records into a single user account

    Loan Services Management Permissions:

    • Run Credit: Control access to both hard and soft credit checks for loans
    • Order Verifications: Manage verification ordering for assets, income, and employment
    • Run AUS: Control access to DU (Desktop Underwriter) and LPA (Loan Product Advisor) automated underwriting scenarios
    • Run Closing Fees: Manage Smart Fees and Lodestar closing cost calculations

  6. Important: To access certain permissions, users must also have the prerequisite base permissions enabled. For example:
    • To use Start and Edit Loan Applications, users must have Manage Loans and Loan Applications enabled.
    • To use Merge Borrowers, users must have Manage Borrowers enabled.
  7. Click "Assign Users" if you want to immediately assign specific users this role. This is optional, click "Review Details" to continue creating the role or skip this section. 
  8. Review these details and select 'Create Role' to create role.

Assigning Roles to Users:

  1. Navigate to the Roles tab of the User and Roles page in the admin interface.
  2. Click the three dots to the right of Role you want to assign a User to.
  3. Select "Manage Users" .
  4. On the Role Details page, click "Edit Users".
  5. Click the checkbox next to any User's account you would like to apply the role to and select "Review Changes". 
  6. Review the changes made and select "Save Changes".
  7. The permission changes will take effect immediately without requiring the user to log out and log back in.

 

Understanding RBAC Permission Groups:

Loan Management Group:

This group controls basic loan application creation and editing capabilities:

  • Users with "Start and Edit Loan Applications" can create new loans from the Loans page, Loan Apps page, or Archived page, and can edit loan application data through the LO 1003
  • Users without this permission will not see "New Loan" buttons or edit buttons on the LO 1003

User Management Group:

This group includes the new "Merge Borrowers" permission:

  • Users with this permission can consolidate duplicate borrower records into a single account
  • This helps maintain clean borrower data and eliminates duplicate entries

Loan Services Management Group (NEW):

This group provides granular control over loan processing services:

  • Run Credit: Users can initiate soft and hard credit pulls from the Services page and LO 1003. Viewing existing credit reports may be available separately.
  • Order Verifications: Users can order VOA (Verification of Assets), VOI (Verification of Income), and VOE (Verification of Employment). Note that requesting authorization from borrowers may remain accessible even without this permission.
  • Run AUS: Users can execute DU and LPA automated underwriting scenarios. Viewing existing AUS results may be available separately.
  • Run Closing Fees: Users can access Smart Fees and Lodestar integrations to calculate closing costs. Viewing existing fee calculations may be available separately.

 

How Users Experience RBAC Permissions:

For Loan Officers and Team Members:

  1. Authorized actions: Users will see all buttons and features they have permission to access. Actions work normally as expected.
  2. Unauthorized actions: Users will not see buttons or menu options for features they don't have permission to access. Some buttons may appear greyed out with a tooltip explaining that the user lacks the necessary permission.
  3. Immediate effect: Permission changes take effect immediately when roles are updated. Users do not need to log out and log back in.
  4. Clear feedback: If a user attempts to access a restricted feature through a direct URL or other means, they will receive a clear error message explaining they lack permission for that action.

 

Platform Support:

  • Web: All RBAC permissions are fully enforced in the loan officer and team member web applications
  • Mobile (iOS/Android): Permission checks are respected for applicable features including loan application editing, loan/loan app deactivation and deletion, credit runs, AUS execution, and closing fees. Some features may require a mobile app update.

 

Common RBAC Scenarios:

Scenario 1: Junior Loan Officer Role

Create a role for entry-level loan officers who should have limited access:

  • Enable: Start and Edit Loan Applications
  • Enable: Order Verifications
  • Disable: Run Credit, Run AUS, Run Closing Fees

This allows junior loan officers to create applications and order basic verifications while restricting access to more sensitive operations like credit pulls and automated underwriting.

Scenario 2: Senior Processor Role

Create a role for experienced processors who handle the full loan process:

  • Enable: Start and Edit Loan Applications
  • Enable: Run Credit
  • Enable: Order Verifications
  • Enable: Run AUS
  • Enable: Run Closing Fees

This provides full access to all loan processing functions.

Scenario 3: Operations Team Member Role

Create a role for team members who support loan officers but don't originate loans:

  • Disable: Start and Edit Loan Applications
  • Enable: Order Verifications
  • Enable: Merge Borrowers
  • Disable: Run Credit, Run AUS, Run Closing Fees

This allows team members to assist with verifications and data cleanup while restricting loan origination capabilities.

Important Notes:

  • No disruption to existing users: A migration process runs automatically before RBAC general availability to assign new permissions to existing roles based on current permission sets. Users maintain their current access levels unless you explicitly modify role configurations.
  • Prerequisite permissions required: RBAC permissions layer additional restrictions on top of existing base permissions. For example, users need both "Manage Loans and Loan Applications" AND "Start and Edit Loan Applications" to create and edit loans.
  • Team member limitations: The App Share Link permission only works for loan officer account types because it requires a servicer action code that only exists among loan officers.
  • Mobile app updates: Some mobile features may require an app update to fully enforce new RBAC permissions.
  • Role flexibility: You can assign the same role to multiple users or create unique roles for different job functions within your organization.

Solution:

After configuring RBAC permissions and assigning roles to your loan officers and team members, you will have established granular access controls that align with your organization's compliance requirements and operational structure. Users will only see and access the features they're authorized to use, reducing the risk of errors, supporting regulatory compliance, and maintaining clear audit trails of who can perform specific actions. RBAC permissions work seamlessly across both web and mobile platforms, providing consistent access control regardless of how users access nCino Mortgage. As your organization grows or job responsibilities change, you can easily modify roles to grant or restrict access to specific features, ensuring your team always has the appropriate permissions for their responsibilities.

Additional Resources:

  1. List of RBAC Permissions 
  2. Role-Based Access Control (RBAC) 

 

Published: 05/07/2026                                            Last Update: 05/07/2026