When you design an application, it is an audit and security risk to give all users access to every function.
But, there are two ways to set user access—and one of them is much better.
1. Direct user settings - For each user, you enable system settings, such as limits and access.
2. User Groups - Settings are done at the group level, and users are assigned to a group.
In my 30 years of experience, I have seen both types of applications. From both an administrative and a security/audit point of view, the group option is always best.
Apps should be designed so that new groups can be created/modified/deleted, and users are never directly assigned any settings.
As the number of settings becomes complex, the group model is even more important. It is easier to track one group for each user, then having to track multiple settings per user.
For example, if you have 30+ different settings and, for a user, you need to temporarily give them a higher level of permission for one function, it is easy to forget to set the value back, and hard for auditing to catch it.
However, if you create a new group, with "temp until XX/XX/XXXX" in the name, set the permission here, and change the user's group to this new group, it is much easier to track.
© 2019 Praveen Puri
Strategic Simplicity®: Praveen Puri helps clients identify the key changes that result in dramatic improvement. Visit PuriConsulting.com
