Q: What’s a Role? Do they even matter?
Do they even matter? If your organization, by default, has all objects set to public read/write, then no, they don’t matter at all!
But that isn’t a likely scenario. Most organizations (especially those past a certain size) must seriously consider who has access to what, as much for the privacy of their customers as for the well-being of their employees and business processes.
So, we’ve established that roles matter, at least for the vast majority of implementations. Add to that the fact that they’re a widely misunderstood, mismanaged, or at the very least underutilized part of the security and access matrix, and we have fodder for a useful conversation!
Roles are not Profiles
They need to be used in tandem, but they’re not the same at all! Let’s use a metaphor, probably a bad metaphor, but I’ll let you decide.
Let’s presuppose a family of 5, two parents and three children. Let’s create three profiles, “Adult,” “Young Adult,” and “Adolescent.” Along with our three profiles, let’s create three roles, and for the sake of making them distinguishable in name, we will call them “Parent,” “17 and Up,” and “16 and Under.”
Now let’s step aside for a moment before we start assigning these profiles and roles to our family members. I’ll insert the smallest amount of social commentary to mention that in the USA, we have some pretty odd rules about when someone can drive, when someone can drink alcohol, and when someone can watch “R” rated movies. If you’re not familiar, we will use the relatively standard values (they vary a bit by state, I think) of 16 to drive, 17 to watch “R” movies, and 21 to drink alcohol.
Our two parents are in their late forties, so they can do it all! But the children of this family are 15, 16, and 17. As such, the 15-year-old can’t do any of the above activities, the 16-year-old can only drive, and the 17-year-old can both drive and watch “R” movies, but cannot yet drink alcohol. Are we still all following along with this metaphor?
Let’s make a table to make this more clear, for you visual learners.
| Age | Drive | “R” Movies | Alcohol |
|---|---|---|---|
| 40+ (Mom, Dad) | ✓ | ✓ | ✓ |
| 17 (Kid A) | ✓ | ✓ | |
| 16 (Kid B) | ✓ | | |
| 15 (Kid C) | | | |
Okay, now that that’s very clear, let’s assign some Profiles.
| Age | Profile | Drive | “R” Movies | Alcohol |
|---|---|---|---|---|
| 40+ (Mom, Dad) | Adult | ✓ | ✓ | ✓ |
| 17 (Kid A) | Young Adult | ✓ | ✓ | |
| 16 (Kid B) | Adolescent | ✓ | | |
| 15 (Kid C) | None | | | |
- The “Adult” profile gives access to Drive, “R” Movies, and Alcohol.
- The “Young Adult” profile gives access to Drive and “R” Movies
- The “Adolescent” profile gives access to Drive
- Kid C doesn’t even get a profile, or for that matter a user record in our “Family Salesforce,” because he or she wouldn’t have access to anything!
As the youngest in my own family, I felt Kid C’s pain.
So again, all of this so far is controlled solely by profiles, we haven’t introduced any roles and we can already see who can drive, who can watch “R” movies, and who can drink alcohol.
Enter Roles and Ownership
Now let’s expand the metaphor — parents and two children can drive, sure, but if we have multiple cars, which do we want them to have access to? Additionally, Kid A can watch “R” rated movies, but maybe there’s a subset of movies which this family’s parents aren’t sure they are comfortable with Kid A watching.
Let’s focus on cars. We’ll assume that the enterprising children of this family saved up from their summer jobs in high school and bought ugly but reliable cars, maybe someone even ended up with a champagne colored Honda station wagon with stained seats (maybe I’m speaking from experience).
This means that in this family, we have 4 cars. Mom, Dad, Kid A, and Kid B all own their own cars. Let’s assign roles now, then explain what we’ve done.
Here’s the hierarchy (top to bottom):
- Parent
  - 17 and Up
    - 16 and Under
And here’s how they’ll be assigned:
| Age | Profile | Role | Drive | “R” Movies | Alcohol |
|---|---|---|---|---|---|
| 40+ | Adult | Parent | ✓ | ✓ | ✓ |
| 17 | Young Adult | 17 and Up | ✓ | ✓ | |
| 16 | Adolescent | 16 and Under | ✓ | | |
The hierarchy grants access to records owned by subordinates (those below in the hierarchy). So…
- “Parent” can see all records, since they’re at the top
- “17 and Up” can see 16 and Under’s records but they can’t see Parent’s records
- “16 and Under” can only see their own, they’re at the bottom
What does this mean in our car example? Well it means that parents can drive any car at any time, but their children can never borrow their cars. 17 and Up must share his car with his parents, but never with his younger sibling. 16 and Under, despite owning his own car, is at the mercy of his parents and older sibling who may decide to borrow it whenever they please.
This is how the role hierarchy works, and simultaneously how it differs from profiles. Profiles give you access to objects (like “Car”), whereas roles give you access to records of those objects (like “Shitty Gold 1995 Honda Wagon”), and restrict access to other records of those same objects (like “Mom’s expensive BMW X3”).
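To make the two layers concrete, here is a small added model of the family example (constructed for this page, not Salesforce code): profiles gate which objects a user can touch at all, and the role hierarchy then decides which records of those objects are visible. The users, cars and movie record are made-up sample data.

```python
# Toy model of the profile / role-hierarchy rules from the family metaphor.
# Constructed example for illustration; names and records are made up.

# Profiles grant OBJECT-level access: which kinds of records a user may use at all.
PROFILES = {
    "Adult": {"Car", "R Movie", "Alcohol"},
    "Young Adult": {"Car", "R Movie"},
    "Adolescent": {"Car"},
}

# Role hierarchy stored as child -> parent; the top role has no parent.
ROLE_PARENT = {"Parent": None, "17 and Up": "Parent", "16 and Under": "17 and Up"}

# Users: name -> (profile, role). Kid C gets no user record at all.
USERS = {
    "Mom": ("Adult", "Parent"),
    "Dad": ("Adult", "Parent"),
    "Kid A": ("Young Adult", "17 and Up"),
    "Kid B": ("Adolescent", "16 and Under"),
}

# Records as (object, label, owner). Constructed sample data.
RECORDS = [
    ("Car", "Mom's BMW X3", "Mom"),
    ("Car", "Kid A's car", "Kid A"),
    ("Car", "1995 Honda wagon", "Kid B"),
    ("R Movie", "Kid A's movie pick", "Kid A"),
]


def roles_above(role):
    """Every role strictly above `role` in the hierarchy, nearest first."""
    above = []
    parent = ROLE_PARENT[role]
    while parent is not None:
        above.append(parent)
        parent = ROLE_PARENT[parent]
    return above


def can_access(user, record):
    """True if `user` may access `record` under the profile + hierarchy rules."""
    obj, _label, owner = record
    profile, role = USERS[user]
    if obj not in PROFILES[profile]:   # profile gate: object not granted at all
        return False
    if owner == user:                  # owners always see their own records
        return True
    _owner_profile, owner_role = USERS[owner]
    # Hierarchy access flows UP only; peers in the same role get nothing from it.
    return role in roles_above(owner_role)


def visible_records(user):
    """Labels of every record `user` can access, in listed order."""
    return [label for obj, label, owner in RECORDS if can_access(user, (obj, label, owner))]
```

Note that Mom and Dad share the Parent role, so neither gets the other's car through the hierarchy alone; that only grants records owned by subordinates.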
Okay, that was a lot for one day but hopefully was useful. Let’s adjourn class for now.
That’s all, cheers!