Abstract: Managing access to data, including storing a database that includes fields; encrypting data of all or some fields of the database using an application encryption algorithm; receiving data indicating user-specific data access roles and user-specific data permissions for each of the user-specific data access roles, each of the user-specific data permissions defining a subset of the data of the database that the corresponding user-specific data access role has authorization for decrypting the subset of the data; receiving a user token representing credentials and user-specific data access roles of an authorized user, wherein the user token is generated by the access rights system; receiving a query for requested data stored by the database; comparing the user-specific data access role of the user token with the user-specific data access roles of the access rights system to identify user-specific data permissions for the user-specific data access role of the user token.