We have fallen into this trap where a user has received more access than they should have. So some mechanism could be great to manage users / groups ("Account Team"). I am thinking of a “Copy an existing user” feature when creating new users. This may be useful? In other words, once a user has been created for an entity and has been assigned certain access / permissions, that user could be copied / cloned to a new username.
In some cases we have admin / account users with access to multiple entities… Not sure what thoughts there will be on this? It could be dangerous. Also, to be fair, this process is not (in our case) a daily occurrence.
I agree with this idea. It also makes it easier when setting up users that have similar rights. One does not have to go through the whole list of permissions, assigning them one by one.
Implementation
Since roles are already there, we can as a community propose default roles. These roles will then be coded into the program with the option to add or remove permissions.
Administrator Role - will remain the same
Restricted user role - this role can then be further split as per my suggestion above.
In my opinion, we can have a Role option inside a business's settings.
Once a role is created, say Accountant, we can have functionality similar to how we are selecting permissions now for users. Then, in the user permissions settings, we will connect the user to this business Role. He can either be from an existing Role or custom, like the one which we have now.
In this way, a user can be connected to multiple businesses. And if the user has restricted access, either a role of that business or a custom selection can be chosen.
We actually use applications with multi-tier permissions as requested here. If anything, things get less secure and far more complicated when using groups. It is better as it is in Manager: it requires a bit more work, but you know exactly what permissions a specific user has. In my view, the more granular you try to go, the more open you will be to abuse.
As a past SAP database national administrator with a large corporation for over 14 years, one of my responsibilities was to ensure the security of user access and their privileges.
In my experience, the instances of multi-tier permissions “abuse” were minimal. Of course, how well this works depends on the culture of the business, and on them having a robust privilege assignment procedure together with management’s adherence to that procedure.