Building a B2B Platform: Planning Roles, Permissions, Workflows and Billing Right
A B2B platform fails not at features but at the invisible foundations. Retrofitting tenants, roles, audit and billing is the most expensive migration.

A B2B platform looks from the outside like a bigger web app. Inside it is something fundamentally different — and exactly this confusion is the most expensive mistake in platform building.
An app has many users. A platform has many organizations. This one difference determines almost every architecture decision.
The hard parts are invisible
What makes a B2B platform hard rarely appears in the feature wish: tenant separation, roles and permissions, audit trail, billing logic. These are the cross-cutting foundations that touch every function — and retrofitting them is among the most expensive migrations there is.
DORA's 2024 Accelerate State of DevOps Report makes the same point: the teams that stay stable and fast build on clean foundations rather than retrofitting them later.
Four foundations that belong at the start
1. Tenant separation
Which data belongs to which organization — and is that boundary technically enforced, not just filtered? Tenant separation is not a feature but the foundation. Built wrong, it is a data-protection and trust incident (see Software architecture for SMEs).
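What "technically enforced, not just filtered" means in code, as an added example that is not part of the article: the organization identifier comes from the server-side session, every read and write goes through a store that has no unscoped method, and a record of another tenant is indistinguishable from a record that does not exist. The names TenantContext, TenantScopedStore, Document and CrossTenantAccess are assumptions for this illustration.

```python
"""Tenant boundary enforced in the data-access layer (added example, not from the article)."""
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TenantContext:
    """Caller identity resolved server-side from the session or token, never from request input."""
    org_id: str
    user_id: str


@dataclass
class Document:
    id: int
    org_id: str
    title: str


class CrossTenantAccess(Exception):
    """Raised when a write targets a record that is not visible to the caller's organization."""


class TenantScopedStore:
    """Every operation takes a TenantContext. There is deliberately no method that
    returns records without an organization filter, so a forgotten WHERE clause
    in some handler cannot leak another tenant's data."""

    def __init__(self) -> None:
        self._rows: dict[int, Document] = {}
        self._ids = itertools.count(1)

    def create(self, ctx: TenantContext, title: str) -> Document:
        # org_id is stamped from the verified context, never taken from client input
        doc = Document(id=next(self._ids), org_id=ctx.org_id, title=title)
        self._rows[doc.id] = doc
        return doc

    def get(self, ctx: TenantContext, doc_id: int) -> Optional[Document]:
        doc = self._rows.get(doc_id)
        # A record of another tenant is reported as "not found": the caller cannot
        # distinguish "does not exist" from "exists in another organization".
        if doc is None or doc.org_id != ctx.org_id:
            return None
        return doc

    def list_visible(self, ctx: TenantContext) -> list[Document]:
        return [d for d in self._rows.values() if d.org_id == ctx.org_id]

    def rename(self, ctx: TenantContext, doc_id: int, title: str) -> Document:
        # Writes reuse the scoped read, so the tenant check cannot be bypassed by id guessing
        doc = self.get(ctx, doc_id)
        if doc is None:
            raise CrossTenantAccess(f"document {doc_id} is not visible to {ctx.org_id}")
        doc.title = title
        return doc


def demo() -> dict:
    """Two constructed organizations; shows what each can see and change."""
    store = TenantScopedStore()
    acme = TenantContext(org_id="org-acme", user_id="u1")
    globex = TenantContext(org_id="org-globex", user_id="u2")
    a = store.create(acme, "Acme contract")
    store.create(globex, "Globex offer")
    try:
        store.rename(globex, a.id, "hijacked")
        write_blocked = False
    except CrossTenantAccess:
        write_blocked = True
    return {
        "acme_sees": [d.id for d in store.list_visible(acme)],
        "globex_sees": [d.id for d in store.list_visible(globex)],
        "cross_tenant_read": store.get(globex, a.id),
        "cross_tenant_write_blocked": write_blocked,
        "title_unchanged": store.get(acme, a.id).title == "Acme contract",
    }


if __name__ == "__main__":
    print(demo())
```

The same shape carries over to a real database: a repository that requires the tenant context on every call, or database-level row policies keyed on the session's organization, so that the boundary holds even when an individual query forgets it.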
2. Roles and permissions per record
Not "admin or not" but fine-grained: who may do what with which record in which organization. The OWASP Top 10 lists broken access control as the most common severe risk — in a platform with many organizations it is the core.
3. Audit trail from day one
Who changed or approved what and when? Without a traceable log a B2B platform is neither auditable nor trustworthy — and adding audit later means losing history.
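Per-record permissions (foundation 2) and the audit trail (foundation 3) belong together, since every authorization decision is exactly what the log has to record. The added example below is not from the article: a role is scoped to one organization, ownership of a record grants extra rights, an owner may not approve their own record, and every allow or deny decision is appended to a hash-chained log that detects later edits. The role names, the POLICY table and the AuditLog format are assumptions; the hash chain goes one step beyond the article's "traceable log".

```python
"""Per-record authorization with an append-only, tamper-evident audit log (added example)."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Principal:
    org_id: str
    user_id: str
    role: str  # scoped to the organization: "viewer", "editor" or "approver" (assumed names)


@dataclass
class Record:
    id: int
    org_id: str
    owner_id: str


# Action -> roles that grant it. "owner" is a relationship to the record, not an org role.
POLICY = {
    "read": {"viewer", "editor", "approver", "owner"},
    "edit": {"editor", "owner"},
    "approve": {"approver"},
}


class AuditLog:
    """Append-only entries; each entry commits to the previous one via SHA-256."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, **event) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "prev": prev, **event}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edited or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def authorize(p: Principal, rec: Record, action: str, log: AuditLog) -> bool:
    """Decide for one record: same organization, then role or ownership grants the action.
    Owners never approve their own record (separation of duties). Every decision is logged."""
    is_owner = rec.owner_id == p.user_id
    effective = {p.role} | ({"owner"} if is_owner else set())
    allowed = p.org_id == rec.org_id and bool(effective & POLICY.get(action, set()))
    if action == "approve" and is_owner:
        allowed = False
    log.append(actor=p.user_id, org=p.org_id, action=action, record=rec.id,
               outcome="allow" if allowed else "deny")
    return allowed


def demo() -> dict:
    """Constructed organization with an owner, a peer approver, a viewer and an outsider."""
    log = AuditLog()
    rec = Record(id=7, org_id="org-acme", owner_id="alice")
    alice = Principal("org-acme", "alice", "approver")
    bob = Principal("org-acme", "bob", "approver")
    carol = Principal("org-acme", "carol", "viewer")
    mallory = Principal("org-globex", "mallory", "approver")  # same role name, other org
    results = {
        "owner_edits": authorize(alice, rec, "edit", log),
        "owner_approves_own": authorize(alice, rec, "approve", log),
        "peer_approves": authorize(bob, rec, "approve", log),
        "viewer_edits": authorize(carol, rec, "edit", log),
        "other_org_reads": authorize(mallory, rec, "read", log),
        "log_intact": log.verify(),
    }
    log.entries[1]["outcome"] = "allow"  # simulate someone rewriting a stored decision
    results["log_after_tamper"] = log.verify()
    return results


if __name__ == "__main__":
    print(demo())
```

Denied attempts are logged as deliberately as allowed ones: a burst of "deny" entries for one actor across many record ids is the signal a defender wants when someone probes the tenant boundary.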
4. Billing as product logic
Plans, limits, usage tiers, failed payments, organization switches: billing is its own logic, not a button at the end. Whoever adds it late builds it twice.
Data protection is platform architecture
Several organizations, their users, their data, their documents: purpose limitation, deletability and processing agreements are architecture topics in a B2B platform, not footer sentences. For SMEs, GDPR is a precondition here, not an afterthought.
The most common mistake: building a platform like an app
Whoever builds a platform like a bigger app — users instead of organizations, filters instead of a tenant boundary, a role instead of a permission model — gets a system that tips over at the third customer organization. Connection to existing systems (see API integration for companies) makes it worse if the boundaries are wrong.
Checklist before the B2B platform
- Is the tenant boundary technically enforced, not just filtered?
- Are roles and permissions modeled per record, not per page?
- Is there an audit trail from day one?
- Is billing planned as its own product logic?
- Are purpose limitation and deletability in the architecture?
- Are we building a platform (organizations), not an app (users)?
- Is the first cut small but on the right foundations?
Frequently asked questions
What is the difference between a B2B app and a B2B platform? An app has many users, a platform many organizations with their own boundaries, roles and billing. That changes the architecture fundamentally.
Can we retrofit tenant separation later? Technically yes, but it is one of the most expensive and riskiest migrations. Early is dramatically cheaper here.
Do we need all foundations right away? Not in full depth, but yes in the foundation. The first cut may be small but must stand on the right boundaries, permissions and audit.
What is the biggest risk? Broken access control: one organization sees another's data. Not a bug but a trust and data-protection incident.
Conclusion
A B2B platform wins not through features but through tenant separation, fine-grained permissions, audit and clean billing logic — from the start. Whoever builds it like an app pays for the foundations twice later; whoever plans it as a platform scales from organization two to two hundred.
Further reading
- Software Architecture for SMEs: Planning to Scale — tenant boundaries and permissions as the foundation.
- API Integration for Companies: Connecting ERP, CRM, Webshop and Excel — connection when the platform boundaries are right.
Next step
You're planning a B2B platform and don't want to build the foundations twice? Start with a short assessment of your requirements. We cut a small first slice on the right tenant, permission and audit foundations.
Sources
- OWASP, Top Ten Web Application Security Risks — owasp.org
- European Commission, Do the GDPR rules apply to SMEs? — commission.europa.eu
- DORA, Accelerate State of DevOps Report 2024 — dora.dev