SmartVista has a robust access security model based on the concepts of password protection, Institution ID, and User Roles. Users log in to the system via SmartVista GUI forms and their access is then controlled at two tiers: user rights are validated first at the user form level, to check that the user is allowed to access the desired GUI functionality, then at the database level, to see if the user is authorised to run the Oracle procedures and functions that deliver this functionality. To rule out any possibility of unauthorised data manipulation, application users may not access database tables directly, bypassing the preconfigured API's (Application Programming Interfaces) to Oracle procedures and functions for which the database access rights are assigned programmatically.

The SmartVista User Roles rely on Oracle User Roles as an underlying mechanism but add a number of features to control access to SmartVista applications and to facilitate the user role administration and management. The system comes complete with a set of Base User Roles, such as System Administrator, Issuer Supervisor, Acquirer Operator, Dispute Officer, etc., that can be mixed and matched to define a Composite User Role for each group of users or even an individual user. Once a Base Role is changed, the changes will apply to all users to whom it has been assigned and also to all users with a Composite Role that includes this Base Role.

Users may also be created under other users, to inherit their access rights. However, once such "child" users are activated, they will no longer inherit any changes to the "parent" user access rights, so if the parent is assigned a different user role, the child user will retain their original role.