Role-based security model in Active Directory

This is more of a discussion really because I don't think there is a right answer, but I wanted to hear some thoughts.

Where I work, I am asked to manage a role-based AD.  We create roles for each job or function in the org and then we drop the required security groups into that role.  When a person is hired, we simply ask what role that person fits into, drop them into the role, and he or she has all he or she needs to do his or her job.

- note: I am dropping the he/she thing!  That's a pain!

So, we have 20 people and 50 roles.  As a result, we have people in more than one role.  In some cases, we have a person in five or six roles.

My thinking is you create roles to fit the people, so I only want 20 roles and a person should only be in one role.  You might have several people in a role, but a person will only be in one role.   I can apply security groups to the role that provide all the resource access that role needs.  

Now, if we decide to hire someone and I find that I need to split a role, I can create a new role, drop in the new person, and move the applicable security groups to that role and I'm done.  At no point will I need to put one person into more than one role.

I'm getting push back.  I am being asked why I don't create a role for every function and just drop the person performing that function into more than one role.

My argument is if I'm going to drop one person into more than one role, I may as well drop one person into more than one security group!  The whole idea about roles, at least for me, is one in, one out.  I don't have to remember what roles that person is in, I only have to know ONE role that person is in.

So, share your thoughts please.  

Multiple roles and one person in more than one role?


Roles built around the people and one role per person?


Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Joseph MoodyBlogger and wearer of all hats.Commented:
I prefer Multiple roles and one person in more than one role. But I don't have to manage your AD environment. :)

The reason I prefer that route is I can see exactly what permissions are delegated to each user by looking at their member of tab. For example, I will have a role name Delegation - User Account Creation. Another named Delegation - Password Reset. A pain to setup at first but very easy to manage afterwards.
I'm with Joseph more roles the more granular the control
Will SzymkowskiSenior Solution ArchitectCommented:
I'm getting push back.  I am being asked why I don't create a role for every function and just drop the person performing that function into more than one role.

The more roles you have as stated already the more granular you can get. The problem with only having 1 role per users (in your case) is that you said that multiple people have multiple different roles. Sometimes you will also need to apply SPECIFIC roles to another user, well how can you do that if these roles are not separated? You can't.

For Example.
Jon Smith (Accounting and Marketing Roles/Access)
Joe Smith (Office Admin)

Joe needs access to Marketing info. You provide him with the same access (using the 1 security group you created for Jon) and now Joe has access to Marketing and also Accounting information as well. This is a Security Concern.

Another tip as well I ALWAYS like to keep Distribution Groups and Security Groups completely separated.
Mail Enabled Security Groups have their place but I would recommend staying away from them if you do not need to use them.

Reason why is the following...
Jon is doing a project for Accounting and Joe needs to be part of this project as well because some tasks are required from Joe. If you have a Mail Enabled Security Group you add Joe to this group so that he receives Project updates, but he now has access security permissions to everything that this mail enabled security group has access to. Which is another security risk.

If you have the following...
Accounting - Security
Accounting - Distribution

This would have been avoided by adding Joe to the Accounting - Distribution Group.

Ultimately it really comes down to your business needs/requirements as well. Only you can make the most appropriate decision regarding this. Everyone else can only provide there experiences.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
crp0499CEOAuthor Commented:
Will, as usual, detailed, well thought out and well worded response.  Thanks to all three.  I'm moving over to the multi-role, people in more than one role side of the pond.
glad to have helped a little
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.