Organizing Users and Groups

Context

Given the potential and flexibility of the user management feature, it is possible to develop solutions capable of addressing any business need. The cost of this flexibility is that it also becomes possible to develop solutions that are difficult to understand and maintain.

Proposal

The best way to achieve an easy solution that is adapted to the business needs is to follow the following steps:

1. Create a minimum set of usage profiles suited to the different sets of features that you intend to assign to groups.
2. Create an equally minimum set of groups that the manager of each department can then assign to users according to their roles.
3. At the same time and in order to facilitate the assignment of features to users, it is convenient to maintain two disjoint sets - i.e., without common elements - of groups:
   • Organizational groups - This type of groups usually matches the company hierarchy but they can have subdivisions that are used by different departments. Organizational groups later make it easy to find many users with similar profiles. It is advisable that each user belongs to one and only one of these groups so that it is easy to add or remove functional groups later on. Another recommendation is that organizational groups should not have profiles/permissions assigned to them. These will always be assigned to users through functional groups.
   • Functional groups - These groups are normally created in accordance to the different types of permissions that can be assigned in sets. These groups should be as few as possible - as long as this does not jeopardize the readability of each group' s permissions.

In order to make the type of group in question understandable, we recommend that organizational groups always include the prefix ORG and that functional groups always include the prefix FUNC in their name, followed by the domain name of the associated features.

Examples of organizational groups

• ORG Accounting
• ORG Sales Management
• ORG Sales Area Operations

In the above examples you can see that a user in the Sales Department with an Operations account should only belong to the group ORG Commercial Area Operations. If the user is a sales manager, he should only belong to the ORG Sales Management group.

Examples of functional groups

• FUNC USERS Query
• FUNC USERS Administration
• FUNC INVOICES Issuing
• FUNC INVOICES Query
• FUNC INVOICES Control

In the examples included above, the naming of the groups makes it easy to conclude that the first two groups refer to business roles related to user management, while the remaining groups are related to billing activities.

Based on the same examples, we can easily select all users belonging to the Sales Department and assign them the functional group FUNC INVOICES Query. Similarly, we can also select all users belonging to the ORG Sales Management group and assign them the FUNC INVOICES Control group.

Finally, if we want to set up two users with special permissions that require both invoice control and user management features, we must search for both of them - preferably according to a common criteria, or otherwise by searching directly by their usernames - and then assign them to the FUNC INVOICES Control and FUNC USERS Management groups.