Service Desk Practitioners Forum
cancel
Showing results for 
Search instead for 
Did you mean: 

Which role structure is best? Hierarchical or not.

SOLVED
Go to solution
Highlighted
Tommy Koronen_1
Regular Collector

Which role structure is best? Hierarchical or not.

We're currently looking into changing our role structure. The current structure is hard to manage, and doesn't reflect the real roles needed.

I can see three possible basic role structures.
I'll use some simple roles as an example.
Anybody: Can only view Changes
Change handler: Can view/create/modify changes
Change manager: Can view/create/modify changes, and manage templates.


1) Pure hierachical role structure.
===================================
The user normally belongs to one role, and get all their permissions etc from child roles.

The example roles are defined like this:
"Change manager" role:
**** Access: Template
**** Child role: "Change handler"
"Change handler" role:
**** Access: New + Modify
**** Child role: "Anybody"
"Anybody" role:
**** Access: View
**** Child role: -

A person needing Change handler access would belong to the "Change handler" role.

2) Flat role structure, with basic roles.
=========================================
The users belong to multiple roles. Every role add to the permissions for the user.

The example roles are defined like this:
"Change manager" role:
**** Access: Template
**** Child role: -
"Change handler" role:
**** Access: New + Modify
**** Child role: -
"Anybody" role:
**** Access: View
**** Child role: -

A person needing Change handler access would belong to the "Change handler" and "Anybody" roles.

3) Flat role structure, with complete roles.
============================================
One role per user. Every role defines the full set of permissions for the user.

The example roles are defined like this:
"Change manager" role:
**** Access: View + New + Modify + Template
**** Child role: -
"Change handler" role:
**** Access: View + New + Modify
**** Child role: -
"Anybody" role:
**** Access: View
**** Child role: -

A person needing Change handler access would belong to the "Change handler" role.

Which one is the best?
1) Is easy to manage, a modification that should affect all users only has to be added to the "Anybody" role. But how's the performance? Any other issues?
2) Has the same manageability benefit as the previous model. But the administrator have to keep track of all roles a person should belong to when adding new users.
3) Management nightmare? Best performance?


Do you have any comments/experiences to share?
5 REPLIES
Saurabh Dubey
Honored Contributor
Solution

Re: Which role structure is best? Hierarchical or not.

Hi Tommy,

First I should congratulate you on defining the cases so well.

Now my thoughts:

1. This structure is easy to manage for the helpdesk, if you have a well defined roles definition in your organization. This means that a particular role can be a super-role to ehat other roles is similar to the heirarchy followed in the organization.
The fault in this rule is: If you need a layman-specialist model (someone who should be able to do things not defined for a particular role), you need to create an extra role for the person.

2. Flat with Basic roles - this role structure is very good if you can define the elementary roles in a HCF (highest common factor) model. What i mean to say here, is that the the individual roles are complex enough to have no more/no less combinations than required for all the possible roles that you may get into. If you can define that, this is the ideal role structure.

3. This is a very basic model, which is equivalent to having the atomic form of the previous one, hence it's definitely simple to understand, yet very difficult to manage.

My recommendation - Case 2. - WHY??

1. It is just enough to manage. Performance will be better than the third case. You will avoid the issues that can come up with Heirarchy in case you have assigned some permission to a role and a super-role need not require the permission.
2. For a use case scenario, we have been using something similar to that. And of course, the administrator needs to know the roles - that's why he/she is there.
3. Management is simpler than the other two methods.

I don't think that performance will vary that much from a system load perspective for any of the options.


Hope that helps...

Regards,

Saurabh
Modesty is good!! But remember, all your life other people will try and take your achievements away from you, don't make it easy for them.
Marc Hummel
Frequent Visitor

Re: Which role structure is best? Hierarchical or not.

Hello,

quickie: performance shouldn't be an issue unless you are talking WAN, at that point it would be pipe size issue.

- Roles: I have a role layed out for each item type (generic high level role) I have 6 additional roles set up, support levels 1-3, management, reporting, view only for customers.

- as access is needed, add functionality to break out roles.

- status and folder entitlement will have an effect if you are going to use this feature.

- example so if tech a is 1st level he has full access to all work orders (when assigned to workgroup), service requests (when assigned to workgroup), persons anytime, etc...

I would use a white board, and visually draw out what it is you need, your structure in other words, put roles next to what you have drawn out and determine which ones you can combine or if more are needed.

Yes, some administration WILL be necessary no matter what schema for roles you determine.

I have a dummy account set up that I assign new roles to to test before implementation in prod. This helps a lot.

hth a little.
Marc
Wounds heel, Pain fades... chix dig scar's, oh and everybody WangChung.
Oguz Kutlu Asi
Honored Contributor

Re: Which role structure is best? Hierarchical or not.

Hi,

It's been always a challenge to define roles. I think that number 2 is the best way, but it requires a role modeling work done (gathering information using an survey application or by having meetings with people) to extract roles and the entitlements that people have in common. If you have too many users, it can be considered piece of work which will take much time.
But after role modeling done, it's easier to manage roles that way than others.
What's right is right, whether or not God exists
Ken Briscoe
Honored Contributor

Re: Which role structure is best? Hierarchical or not.

HI - this is always a big issue. As above I usually try to go with Option 2, but Marc's idea is very interesting.
Typically, I create two base roles - Service Desk and Specialist. Then "additive" roles for Change Manager, Problem Manager, COnfig Mgr etc. In the additive roles, every field is read only, no forms/templates etc defined.... EXCEPT for the entity to which it refers.
Eg Change Manager gets Specialist + Change Manager Roles.
SO Change Mgr role itself would only have field/form/template/view access for Change entity...and maybe Projects. I think it gets worse in V5 because there are more entities, and Workspaces as well. more fun.
My email is kenilian@bigpond.com.au
Robert S. Falko
Honored Contributor

Re: Which role structure is best? Hierarchical or not.

We, too, have found solution 2 to be the most practical.

Hierarchical roles are problematic because they are extremely difficult to debug; they generally do not correspond to the reality (which is often relational rather than hierarchical); and because your ability to manage default views and forms becomes hopelessly blurred.

-Josh
//Add this to "OnDomLoad" event