Hello all,

I made some fairly sweeping changes in our instance recently around access control rules, roles, groups, group membership etc, following the introduction of new resolver groups and change management functions in our organisation.

I followed standard practice in adding roles to Access controls, adding the roles to groups, and then adding the users to groups (no roles associated directly with users... ie always roles & users added independently to the groups).

But I've found that some users have been unable to access the fields and records I had expected them to be able to access. The issue has been easily resolved by removing the user from all groups and then re-adding them to the same groups. So the before state and afterwards states are the same - equivalent to the old 'switch it off and back on again' trick. It's as if the rules somehow did not 'take' the first time the user was added to the group. I wondered if anyone else has experienced this kind of issue, and is there a set of best practices to follow in terms of precise order the various elements are applied, eg always add users to a group before the roles, or always add the roles to the group before the users, or always add roles to the AC before adding the roles to the group? Or, should the order make no difference?

Thanks for any pointers.