This is more of a discussion, really, because I don't think there is a right answer, but I wanted to hear some thoughts.
Where I work, I am asked to manage a role-based AD. We create a role for each job or function in the org and then drop the required security groups into that role. When a person is hired, we simply ask what role that person fits into, drop them into the role, and he or she has everything he or she needs to do his or her job.
- note: I am dropping the he/she thing! That's a pain!
So, we have 20 people and 50 roles. As a result, we have people in more than one role. In some cases, we have a person in five or six roles.
My thinking is you create roles to fit the people, so I only want 20 roles and a person should only be in one role. You might have several people in a role, but a person will only be in one role. I can apply security groups to the role that provide all the resource access that role needs.
Now, if we decide to hire someone and I find that I need to split a role, I can create a new role, drop in the new person, and move the applicable security groups to that role and I'm done. At no point will I need to put one person into more than one role.
I'm getting pushback. I am being asked why I don't create a role for every function and just drop the person performing that function into more than one role.
My argument is if I'm going to drop one person into more than one role, I may as well drop one person into more than one security group! The whole idea about roles, at least for me, is one in, one out. I don't have to remember what roles that person is in, I only have to know ONE role that person is in.
So, share your thoughts please.
Multiple roles and one person in more than one role?
Roles built around the people and one role per person?
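As an added illustration of the "one role per person" model argued for above (this is example code written for this page, not anything from the original poster's environment), the PowerShell below builds role groups from resource security groups, enforces that a user sits in exactly one role group, audits for violations, and performs the "split a role" step. The OU `OU=Roles,DC=corp,DC=example`, the `ROLE-` naming prefix, and all group and user names are assumptions. The nesting direction is also an assumption: it follows the usual AGDLP convention, where the role group is made a member of each resource security group so that role members inherit the grants, rather than the resource groups being placed inside the role group.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module
# and a domain-joined session with rights to manage groups under the Roles OU.
Import-Module ActiveDirectory

$RolesOU    = 'OU=Roles,DC=corp,DC=example'   # assumed OU for role groups
$RolePrefix = 'ROLE-'                          # assumed naming convention

# 1. Create a role group and nest it into the resource (security) groups it needs.
#    Membership flows downward: users in ROLE-X inherit what each resource group grants.
function New-RoleGroup {
    param(
        [Parameter(Mandatory)][string]$RoleName,
        [string[]]$ResourceGroups = @()
    )
    $name = "$RolePrefix$RoleName"
    New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                -Path $RolesOU -Description "Role: $RoleName"
    foreach ($rg in $ResourceGroups) {
        Add-ADGroupMember -Identity $rg -Members $name
    }
}

# 2. Put a user into exactly one role group: add the target, remove any other ROLE-* group.
function Set-UserRole {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$RoleName
    )
    $target  = "$RolePrefix$RoleName"
    $current = (Get-ADUser -Identity $SamAccountName -Properties MemberOf).MemberOf |
               ForEach-Object { Get-ADGroup -Identity $_ } |
               Where-Object { $_.Name -like "$RolePrefix*" }
    foreach ($g in $current) {
        if ($g.Name -ne $target) {
            Remove-ADGroupMember -Identity $g.Name -Members $SamAccountName -Confirm:$false
        }
    }
    if ($current.Name -notcontains $target) {
        Add-ADGroupMember -Identity $target -Members $SamAccountName
    }
}

# 3. Audit: report any user who is a direct member of more than one ROLE-* group.
function Get-MultiRoleUsers {
    Get-ADGroup -Filter "Name -like '$RolePrefix*'" -SearchBase $RolesOU |
      ForEach-Object {
          $role = $_.Name
          Get-ADGroupMember -Identity $_ |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { [pscustomobject]@{ User = $_.SamAccountName; Role = $role } }
      } |
      Group-Object -Property User |
      Where-Object { $_.Count -gt 1 } |
      ForEach-Object { [pscustomobject]@{ User = $_.Name; Roles = ($_.Group.Role -join ', ') } }
}

# 4. Split a role: create the new role group, move the resource groups that belong only
#    to the split-off role, then move the user. The user never holds two roles at once.
function Split-Role {
    param(
        [Parameter(Mandatory)][string]$FromRole,
        [Parameter(Mandatory)][string]$NewRole,
        [Parameter(Mandatory)][string]$MoveUser,
        [string[]]$MoveResourceGroups = @()
    )
    New-RoleGroup -RoleName $NewRole -ResourceGroups $MoveResourceGroups
    foreach ($rg in $MoveResourceGroups) {
        Remove-ADGroupMember -Identity $rg -Members "$RolePrefix$FromRole" -Confirm:$false
    }
    Set-UserRole -SamAccountName $MoveUser -RoleName $NewRole
}

# Usage (all names are assumptions for this example):
# New-RoleGroup -RoleName 'Helpdesk' -ResourceGroups 'ACL-Tickets-RW','ACL-Printers-Admin'
# Set-UserRole  -SamAccountName 'jdoe'   -RoleName 'Helpdesk'
# Set-UserRole  -SamAccountName 'asmith' -RoleName 'Helpdesk'
# Split-Role -FromRole 'Helpdesk' -NewRole 'Helpdesk-Printers' `
#            -MoveUser 'asmith' -MoveResourceGroups 'ACL-Printers-Admin'
# Get-MultiRoleUsers   # should return nothing if the one-role rule holds
```

`Get-MultiRoleUsers` is the check that makes the "one in, one out" rule enforceable rather than a convention: run it on a schedule and anything it returns is someone who was hand-added to a second role. `Set-UserRole` only touches groups with the `ROLE-` prefix, so ordinary security groups a user was placed in directly are left alone and will still show up as exceptions to the model if you later audit `MemberOf` for non-role groups.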