Roles and ACL structure - Implement personas on group level, or on role level?
‎11-18-2024 04:44 AM
Hi,
I'm curious if there are any best practices regarding how to structure roles and ACLs (and to an extent, the groups they're attached to).
Do you use one role for a persona, which contains multiple ACLs (for example, an admin persona has exactly one role, "customtable_admin", which contains full CRUD ACLs), or do you use multiple roles that basically correspond to ACLs ("customtable_create", "customtable_update", ...) and attach all of those roles to the "customtable_admin" group?
Here's a drawing to illustrate my point:
I can see advantages and disadvantages for both approaches:
- The "Persona implemented via roles" approach results in fewer roles and ensures that any person or group receiving the "custom_table.admin" role will actually receive all required permissions. On the flip side, it probably requires more preparation and planning, and changes require a deployment.
- The "Persona implemented via groups"-approach results in more roles, and provides more flexibility. On the other hand, it seems a bit unorganized to me, and if you wanted to create a new group, you'd need to make sure that every role that's required is attached to it.
What are your thoughts on this?
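The two layouts from the question, as an added Python model that is not part of the original post: one composite role that contains the atomic roles versus a group that holds every atomic role directly. The table name u_custom_table, the group names and the role-to-ACL mapping are constructed for the example; the drift check at the end covers the "you'd need to make sure every required role is attached" case.

```python
# Toy model of the two persona layouts (constructed data, not ServiceNow APIs).

# Atomic roles and the table ACL operations they satisfy (constructed sample).
ROLE_ACLS = {
    "customtable_create": {("u_custom_table", "create")},
    "customtable_read": {("u_custom_table", "read")},
    "customtable_update": {("u_custom_table", "write")},
    "customtable_delete": {("u_custom_table", "delete")},
}

# Role containment, like a role's "Contains roles" list.
# Layout 1 ("persona via roles"): one composite role bundles the atomic roles.
CONTAINS = {
    "customtable_admin": {"customtable_create", "customtable_read",
                          "customtable_update", "customtable_delete"},
}

# Groups and the roles attached to them (constructed).
# Layout 2 ("persona via groups"): the group itself holds every atomic role.
GROUP_ROLES = {
    "admins_via_role": {"customtable_admin"},
    "admins_via_group": {"customtable_create", "customtable_read",
                         "customtable_update", "customtable_delete"},
    "admins_incomplete": {"customtable_create", "customtable_read",
                          "customtable_update"},  # delete role forgotten
}


def expand_roles(roles):
    """Return the given roles plus everything they transitively contain."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:          # guards against containment cycles
            seen.add(role)
            stack.extend(CONTAINS.get(role, ()))
    return seen


def acls_for_roles(roles):
    """ACL operations granted by a set of roles, following containment."""
    acls = set()
    for role in expand_roles(roles):
        acls |= ROLE_ACLS.get(role, set())
    return acls


def group_acls(group):
    """Effective ACL operations for a member of `group`."""
    return acls_for_roles(GROUP_ROLES[group])


def missing_vs_persona(group, persona_role):
    """ACLs the persona role grants that `group` lacks: the audit the
    group-based layout needs every time a new group is created."""
    return acls_for_roles({persona_role}) - group_acls(group)
```

Both admin groups resolve to the same four operations; the incomplete group is flagged as missing delete, which is exactly the drift the group-based layout has to police by hand.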
‎11-18-2024 05:22 AM
Hey Max,
Good topic, I'd love to hear what others say here.
I have used personas and honestly I'm not a big fan. There are a lot of scenarios where 1 group needs Role X and you end up either giving the role to the persona (then all groups with that persona have the role for no reason), or creating a new persona (a whole new persona for no reason, and duplicating group/members to get the new persona), or asking the group to live without it.
ServiceNow is built on roles to control access and even the new products follow the same. I advocate sticking to roles unless I see ServiceNow pushing for personas and changing the product as a whole to make it more persona friendly.