Roles are often a bit nebulous in smaller organizations, but we find it is more important than you might think to organize permissions into roles.


Traditionally, resources have been assigned to individual users, as follows:


Resource 1 -> User A

Resource 2 -> User A

Resource 3 -> User A


This is problematic for multiple reasons:

  1. When a User B joins the organization to replace User A, who has moved to a new position, we have to try to go through all the various resources to see which ones User A was assigned, and then assign them to User B.  This is much easier said that done, and usually it leads to days/weeks/months of discovering things that User B needs but doesn't have access to.  This obviously is inefficient and a very poor experience for User B.
  2. When User A has been with the organization for 20 years, and served in 5+ roles, we have no way to know WHY User A has access to Resources 1-3 - are they all necessary for her current role?
  3. Similarly to #2, as User A moves from role to role within the organization, it is a security risk (and messy) to leave resources available that were previously necessary, but are no longer.


Thus we introduce the concept of "roles":


Resource 1 -> Role X

Resource 2 -> Role X

Resource 3 -> Role Y

Resource 4 -> Role Z


Role X -> User A

Role Y -> User A

Role Z -> User B


Frequently in smaller organizations, we find that users may hold one or more "roles" for short or long-term.  As people leave, join, get promoted, etc, these roles change.  Instead of being mutually exclusive, roles are additive.  By setting things up in this way, it's easy to accomplish the following progression:

  1. "User B" gets promoted to a new role, but they continue to hold "Role Z" during a transition period.
  2. "User A" gets promoted to start training for "Role Z", but keeps "Role Y" and "Role X" while a new employee is being hired/trained.
  3. "User C" joins the organization and starts taking over "Role X" for User A.  Both User A and User C have "Role X" for now.
  4. As "User B" and "User A" get trained in their new positions, they eventually drop their old Roles.


Each step gets accomplished with 1-2 small changes by the administrators.  No changes are made in individual file/printer/email/distribution group permissions, and nobody has to "guess" what the new person might need to get their job done.  Each user always has the permissions and access they need - nothing more, nothing less.