Another one on the best practice / bad practice topic. Working with custom security roles this time.

We have an option to start configuring a new Security Role from an existing role. You might be tempted to do that, thinking it’ll save you time and minimize the potential for missing something. But there’s a problem with that approach. Creating a new role should take you pretty much the same amount of time whether you build it from scratch or use Save Create New (yes, that’s what it’s called; Save As would have been a better name, for consistency).

Security roles work as a collective, meaning the user has all the permissions enabled in all the security roles assigned to him/her. Take Salesperson (or any other existing role) as the starting point. Creating a new role with permissions only on a new custom entity, and assigning the user both that role and the Salesperson role, gives the same result as creating a copy of the Salesperson role and adding permission on the new custom entity to it.

So, what’s cleaner? One custom role with a mix of permissions from two roles, or two separate roles that complement each other? I would argue that two roles are cleaner, as you can simply remove and replace one at any time without too much impact.

Let’s say the user later moves into a customer service role within the organization, and now needs permission to customer service and the new entity. If you took the two-role approach rather than one comprehensive role, you can easily remove the Salesperson role, leave the custom role in place, and add the Customer Service Representative role. With one comprehensive role, you would have to go back and create a new custom role. See how this creates more work for you?

One other aspect: starting from an existing role when creating a new custom role brings along permissions to a lot of other elements on the platform. Does the new role really need these permissions? Most likely not all of them. But because of time constraints, some of us at times just add the needed permissions and leave the rest as is. That’s a NO-NO!
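A small Python model of the two points above (roles combine additively, and a copied role carries the source role's permissions along), added here as an illustration and not taken from the platform or from the original post. The privilege lists, the `new_project` entity and the helper names are constructed for the example, and it assumes that the deepest access level wins when assigned roles overlap.

```python
# Added illustration: models roles as {privilege: access level}.
# Role contents are constructed samples, not exports of the real stock roles.
DEPTH = {"None": 0, "User": 1, "Business Unit": 2, "Parent: Child": 3, "Organization": 4}

SALESPERSON = {"prvReadAccount": "Business Unit", "prvWriteAccount": "User",
               "prvReadOpportunity": "User", "prvWriteOpportunity": "User"}
CSR = {"prvReadAccount": "Business Unit", "prvReadIncident": "Business Unit",
       "prvWriteIncident": "User"}
# Small custom role: only the new custom entity (hypothetical name new_project).
PROJECT_ACCESS = {"prvReadnew_project": "Business Unit", "prvWritenew_project": "User"}
# A copy of Salesperson with the custom entity privileges added on top.
SALES_PLUS_PROJECT = {**SALESPERSON, **PROJECT_ACCESS}


def effective(*roles):
    """Union of all assigned roles; assumes the deepest level wins per privilege."""
    result = {}
    for role in roles:
        for priv, level in role.items():
            if DEPTH[level] > DEPTH[result.get(priv, "None")]:
                result[priv] = level
    return result


def leftover(granted, required):
    """Privileges (or extra depth) that 'granted' has beyond 'required'."""
    return {p: lvl for p, lvl in granted.items()
            if DEPTH[lvl] > DEPTH[required.get(p, "None")]}


if __name__ == "__main__":
    two_roles = effective(SALESPERSON, PROJECT_ACCESS)
    print("same access either way:", two_roles == effective(SALES_PLUS_PROJECT))
    # Move to customer service: swap one stock role, keep the custom one.
    moved = effective(CSR, PROJECT_ACCESS)
    print("dropped by the swap:", sorted(leftover(two_roles, moved)))
    # Review a copied role against what the new role was meant to carry.
    print("to strip from the copy:", sorted(leftover(SALES_PLUS_PROJECT, PROJECT_ACCESS)))
```

Running `leftover` over a copied role and the short list of privileges the role was created for gives the clean-up list directly.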

Lesson

1. When configuring security roles, if you start from an existing role, make sure to clean up all the unneeded permissions.

2. When creating new security roles, think of how they complement existing and other custom roles. More granularity might seem like more work upfront, but that could save you grief down the road.

Action item

Have you seen this before? Have you done this before? Do you have any feedback? Leave a comment below!