GlobalTech Corporation - RBAC Use Case Documentation
Executive Summary
This document describes the comprehensive Role-Based Access Control (RBAC) implementation for GlobalTech Corporation, a fictional software company with 63 employees. The system demonstrates enterprise-grade access control through four interconnected pillars: User Groups, Roles, Visibility Groups, and Permission Scopes.
Table of Contents
- Company Overview
- Organizational Structure
- The Four Pillars of Access Control
- User Groups
- Roles
- Visibility Groups
- Permission Scopes
- How Components Work Together
- Use Case Examples
- Design Principles
- Technical Implementation
Company Overview
GlobalTech Corporation is a software development company headquartered in San Francisco, California, with a globally distributed workforce across 12 countries.
Company Profile
| Attribute | Value |
|---|---|
| Industry | Software Development |
| Headquarters | San Francisco, CA |
| Total Employees | 63 |
| Active Employees | 60 |
| Countries | 12 |
| Departments | 8 |
Geographic Distribution
- North America: San Francisco (HQ), Austin, Seattle, Denver, New York, Toronto
- Europe: London, Berlin, Paris, Amsterdam
- Asia Pacific: Singapore, Sydney
Organizational Structure
Executive Leadership
David Thompson
CEO
|
┌─────────────────┼─────────────────┐
│ │ │
Sarah Martinez Michael Johnson Harper Thompson
COO CTO VP Sales
│ │ │
Operations Technology Sales
Division Division Division
Department Breakdown
| Division | Department | Head | Team Size |
|---|---|---|---|
| Technology | Engineering | James Brown (VP) | 35 |
| Technology | Architecture | Leo Green (Principal) | 8 |
| Technology | QA | Olivia Rodriguez | 5 |
| Technology | Security | Nathan Thomas | 4 |
| Technology | Data | Ella Walker | 2 |
| Operations | Product | Sophia Davis | 2 |
| Operations | Design | Chloe Nelson | 3 |
| Operations | HR | Emma Williams | 5 |
| Operations | Marketing | Victoria Morris | 1 |
| Operations | Finance | Penelope Bailey | 1 |
| Sales | Sales | Harper Thompson | 3 |
Career Tracks
GlobalTech supports dual career ladders:
Management Track
Individual Contributor → Team Lead → Manager → Director → VP → C-Level
Individual Contributor Track
Engineer → Senior Engineer → Staff Engineer → Principal Engineer → Distinguished Engineer
The Four Pillars of Access Control
The GlobalTech RBAC system is built on four interconnected pillars that work together to provide comprehensive access control:
┌───────────────────────��──────────────────────────────────────────────┐
│ GLOBALTECH ACCESS CONTROL MODEL │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐│
│ │ USER │ │ ROLES │ │ VISIBILITY │ │ PERMISSION ││
│ │ GROUPS │ │ │ │ GROUPS │ │ SCOPES ││
│ ├─────────────┤ ├─────────────┤ ├─────────────┤ ├─────────────┤│
│ │ WHO belongs │ │ WHAT they │ │ WHOSE data │ │ WHAT actions││
│ │ together │ │ can do │ │ they see │ │ on what data││
│ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘│
│ │ │ │ │ │
│ └────────────────┴────────────────┴────────────────┘ │
│ │ │
│ ┌─────────▼─────────┐ │
│ │ ACCESS DECISION │ │
│ │ ENGINE │ │
│ └───────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────┘
Pillar Definitions
| Pillar | Purpose | Question Answered |
|---|---|---|
| User Groups | Team membership and organizational belonging | "Who belongs together?" |
| Roles | Capability definitions and permissions | "What can they do?" |
| Visibility Groups | Data access populations | "Whose data can they see?" |
| Permission Scopes | Action definitions on data types | "What actions on what data?" |
User Groups
Overview
User Groups represent organizational units, project teams, talent programs, and cross-functional collaborations. They define WHO belongs together for various purposes.
Total Groups: 29
Group Categories
1. Executive & Leadership (2 groups)
| Group | Members | Purpose |
|---|---|---|
| Executive Leadership Team | 5 | C-Suite strategic coordination |
| Senior Leadership | 13 | VPs, Directors, key decision-makers |
2. Technology Division (10 groups)
| Group | Members | Purpose |
|---|---|---|
| Backend Engineering | 4 | API, services, data layer |
| Frontend Engineering | 4 | UI, UX implementation |
| DevOps & Infrastructure | 4 | CI/CD, cloud, reliability |
| Platform & Architecture | 8 | System design, standards |
| QA & Testing | 5 | Quality assurance |
| Security Team | 4 | Security operations |
| Data Engineering | 3 | Data pipelines, analytics |
| Mobile Development | 4 | iOS, Android apps |
| AI/ML Team | 4 | Machine learning |
| All Engineering | 35 | Complete engineering org |
3. Operations Division (6 groups)
| Group | Members | Purpose |
|---|---|---|
| Product Management | 3 | Product strategy |
| Design Team | 3 | UX/UI design |
| Human Resources | 5 | HR operations |
| Marketing | 2 | Marketing activities |
| Finance & Accounting | 1 | Financial operations |
| Customer Success | 2 | Customer relationships |
4. Sales Division (1 group)
| Group | Members | Purpose |
|---|---|---|
| Sales Team | 3 | Revenue generation |
5. Cross-Functional Groups (2 groups)
| Group | Members | Purpose |
|---|---|---|
| Product Development | 50 | Eng + Product + Design collaboration |
| All People Managers | 22 | Management community |
6. Regional Groups (4 groups)
| Group | Members | Purpose |
|---|---|---|
| San Francisco HQ | 27 | Headquarters employees |
| EMEA Region | 8 | Europe, Middle East, Africa |
| APAC Region | 3 | Asia Pacific |
| Americas | 40 | North & South America |
7. Talent Development Programs (4 groups)
| Group | Members | Purpose |
|---|---|---|
| High Potential Employees | 8 | Future leaders |
| Technical Leadership Track | 12 | Technical career path |
| New Hire Cohort Q4 2024 | 5 | Recent hires |
| Mentorship Program | 15 | Mentors and mentees |
User Group Data Structure
interface UserGroup {
id: number;
name: LocalizedString; // { en: string, fr: string }
description?: LocalizedString;
category: string;
numberOfMembers: number;
users: User[]; // First 2 members shown
roles: Role[]; // Associated roles
createdBy?: User;
createdAt: string;
}
Roles
Overview
Roles define WHAT capabilities users have within the system. They represent job functions, responsibilities, and access levels.
Total Roles: 26
Role Hierarchy
┌─────────────────────────────────────────────────────────────────┐
│ ROLE HIERARCHY │
├─────────────────────────────────────────────────────────────────┤
│ │
│ Level 1 - Administrative │
│ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ System Administrator│ │ HR Administrator │ │
│ │ (2 members) │ │ (4 members) │ │
│ └─────────────────────┘ └─────────────────────┘ │
│ │
│ Level 2 - Executive │
│ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ C-Level Executive │ │ VP/Director │ │
│ │ (5 members) │ │ (8 members) │ │
│ └─────────────────────┘ └─────────────────────┘ │
│ │
│ Level 3 - Management │
│ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ People Manager │ │ Team Lead │ │
│ │ (22 members) │ │ (14 members) │ │
│ └─────────────────────┘ └─────────────────────┘ │
│ │
│ Level 4 - Technical Specialists │
│ ┌───────────┐ ┌───────────┐ ┌───────────┐ ┌───────────┐ │
│ │Staff/Prin.│ │ Senior │ │ Engineer │ │Specialist │ │
│ │(5 members)│ │(12 member)│ │(25 member)│ │ (varies) │ │
│ └───────────┘ └───────────┘ └───────────┘ └───────────┘ │
│ │
│ Level 5 - Business & HR │
│ ┌───────────┐ ┌───────────┐ ┌───────────┐ ┌───────────┐ │
│ │ Product │ │ Design │ │ Sales │ │ HR │ │
│ │ Manager │ │ │ │ │ │ │ │
│ └───────────┘ └───────────┘ └───────────┘ └───────────┘ │
│ │
│ Level 6 - General Access │
│ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ Employee │ │ Viewer │ │
│ │ (60 members) │ │ (3 members) │ │
│ └─────────────────────┘ └─────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘
Role Categories
Administrative Roles (2)
| Role | Members | Capabilities |
|---|---|---|
| System Administrator | 2 | Full platform access, configuration |
| HR Administrator | 4 | Full HR module access |
Executive Roles (2)
| Role | Members | Capabilities |
|---|---|---|
| C-Level Executive | 5 | Strategic view, all employee data |
| VP/Director | 8 | Department-wide access |
Management Roles (2)
| Role | Members | Capabilities |
|---|---|---|
| People Manager | 22 | Direct reports access, performance |
| Team Lead | 14 | Team access without HR admin |
Technical Roles (7)
| Role | Members | Capabilities |
|---|---|---|
| Staff/Principal Engineer | 5 | Architecture decisions, code review |
| Senior Engineer | 12 | Technical leadership, mentoring |
| Engineer | 25 | Development, implementation |
| Security Specialist | 4 | Security operations |
| Data Specialist | 5 | Data management |
| QA Specialist | 5 | Quality assurance |
| DevOps Specialist | 4 | Infrastructure, deployment |
Business Roles (6)
| Role | Members | Capabilities |
|---|---|---|
| Product Manager | 2 | Product strategy, roadmap |
| Designer | 3 | UX/UI design |
| Sales Representative | 3 | Customer sales |
| Marketing Specialist | 1 | Marketing activities |
| Finance Specialist | 1 | Financial operations |
| Customer Success | 1 | Customer relationships |
HR Roles (2)
| Role | Members | Capabilities |
|---|---|---|
| HR Business Partner | 2 | Department HR support |
| Recruiter | 1 | Hiring process |
General Roles (2)
| Role | Members | Capabilities |
|---|---|---|
| Employee | 60 | Basic self-service access |
| Viewer | 3 | Read-only access |
Special Program Roles (3)
| Role | Members | Capabilities |
|---|---|---|
| High Potential | 8 | Leadership development resources |
| Mentor | 6 | Mentorship tools |
| Interviewer | 15 | Candidate assessment |
Role Data Structure
interface Role {
id: number;
name: LocalizedString;
members: number;
users: User[];
creationDate: string;
}
Visibility Groups
Overview
Visibility Groups control WHOSE data a user can see. This is distinct from what actions they can perform (permissions). They answer the question: "Given my role, whose employee records can I access?"
Total Visibility Groups: 30
Visibility Group Categories
Executive Visibility (4 groups)
| Group | Population | Purpose |
|---|---|---|
| CEO - All Employees | 63 | Full company visibility |
| CTO - Technology Division | 45 | All tech employees |
| COO - Operations Division | 15 | All operations employees |
| VP Sales - Sales Division | 3 | All sales employees |
HR Visibility Scopes (4 groups)
| Group | Population | Purpose |
|---|---|---|
| HR - All Active Employees | 60 | HR team full visibility |
| Recruiter - Candidates & New Hires | 12 | Hiring pipeline |
| HRBP - Engineering | 45 | Engineering HR support |
| HRBP - Operations & Sales | 18 | Ops/Sales HR support |
Engineering Management Visibility (10 groups)
| Group | Population | Purpose |
|---|---|---|
| VP Engineering - All Engineering | 35 | Engineering leadership |
| Backend Engineering Manager | 3 | Backend team visibility |
| Frontend Engineering Manager | 3 | Frontend team visibility |
| DevOps Engineering Manager | 3 | DevOps team visibility |
| Platform & Architecture Team | 8 | Architecture team |
| QA Engineering Team | 5 | QA team |
| Security Team | 4 | Security team |
| Data Engineering Team | 2 | Data team |
| Mobile Engineering Team | 3 | Mobile team |
| AI/ML Team | 3 | AI/ML team |
Regional Visibility (5 groups)
| Group | Population | Purpose |
|---|---|---|
| US - San Francisco HQ | 27 | HQ employees |
| US - Other Locations | 10 | Other US locations |
| EMEA Region | 8 | Europe/Middle East/Africa |
| APAC Region | 3 | Asia Pacific |
| Americas Region | 40 | All Americas |
Talent Program Visibility (4 groups)
| Group | Population | Purpose |
|---|---|---|
| High Potential Program | 8 | HiPo participants |
| Leadership Development Program | 10 | Leadership development |
| Technical Leadership Track | 12 | Tech leadership path |
| New Hire Onboarding | 5 | New employees |
Cross-Functional Visibility (3 groups)
| Group | Population | Purpose |
|---|---|---|
| Product Development Cross-Functional | 50 | Eng + Product + Design |
| All People Managers | 22 | Management community |
| Interview Panel | 15 | Authorized interviewers |
Cascading Visibility Model
┌─────────────────────────────────────────────────────────────┐
│ CASCADING VISIBILITY MODEL │
├─────────────────────────────────────────────────────────────┤
│ │
│ CEO (David Thompson) │
│ └── Visibility: ALL 63 employees │
│ │ │
│ ├── CTO (Michael Johnson) │
│ │ └── Visibility: 45 Technology employees │
│ │ │ │
│ │ └── VP Engineering (James Brown) │
│ │ └── Visibility: 35 Engineering employees│
│ │ │ │
│ │ ├── Backend Manager │
│ │ │ └── Visibility: 3 reports │
│ │ │ │
│ │ └── Frontend Manager │
│ │ └── Visibility: 3 reports │
│ │ │
│ └── COO (Sarah Martinez) │
│ └── Visibility: 15 Operations employees │
│ │ │
│ └── HR Director (Emma Williams) │
│ └── Visibility: ALL 60 active employees │
│ │
└─────────────────────────────────────────────────────────────┘
Visibility vs. Permissions
| Concept | Visibility Groups | Permission Scopes |
|---|---|---|
| Question | WHOSE data? | WHAT actions? |
| Example | "See my 5 direct reports" | "Edit performance reviews" |
| Scope | People/records | Actions/operations |
| Combination | Must have BOTH visibility AND permission |
Visibility Group Data Structure
interface VisibilityGroup {
id: number;
name: LocalizedString;
description?: LocalizedString;
numberOfMembers: number;
createdBy?: User;
createdAt: string;
selected?: boolean;
}
Permission Scopes
Overview
Permission Scopes define WHAT actions users can perform on WHAT types of data. They work in conjunction with Visibility Groups to determine effective access.
Total Permission Scopes: 40
Permission Categories
1. Employee Data Permissions (6 scopes)
| Permission | Description | Typical Roles |
|---|---|---|
| View Own Profile | Self-service profile access | All employees |
| Edit Own Profile | Update personal information | All employees |
| View Direct Reports | See subordinate profiles | Managers |
| Edit Direct Reports | Update subordinate data | Managers + HR |
| View Department Employees | Department-wide visibility | Directors |
| View All Employees | Organization-wide access | Executives, HR |
2. Performance Management (7 scopes)
| Permission | Description | Typical Roles |
|---|---|---|
| View Own Goals | See personal objectives | All employees |
| Edit Own Goals | Create/update own goals | All employees |
| Manage Team Goals | Handle team objectives | Managers |
| View Performance Reviews | Access review history | Self, Managers |
| Conduct Performance Reviews | Write reviews | Managers |
| Access Calibration | Calibration sessions | HR, Executives |
| Admin Performance | Configure performance system | HR Admin |
3. Compensation (5 scopes)
| Permission | Description | Typical Roles |
|---|---|---|
| View Own Compensation | See personal comp | All employees |
| View Team Compensation | See direct reports comp | Managers |
| Propose Compensation Changes | Recommend adjustments | Managers |
| Approve Compensation | Final approval authority | Directors, HR |
| Admin Compensation | Configure comp system | HR Admin |
4. Learning & Development (5 scopes)
| Permission | Description | Typical Roles |
|---|---|---|
| View Learning Catalog | Browse available courses | All employees |
| Enroll in Courses | Self-enroll in training | All employees |
| Assign Training | Assign training to others | Managers |
| Create Learning Content | Develop training materials | L&D Team |
| Admin Learning | Configure L&D system | HR Admin |
5. Talent Management (4 scopes)
| Permission | Description | Typical Roles |
|---|---|---|
| View High Potentials | See HiPo designations | HR, Executives |
| Manage Succession Plans | Update succession | HR, Executives |
| Access Talent Reviews | People review data | HR, Executives |
| Admin Talent | Configure talent system | HR Admin |
6. Recruitment (7 scopes)
| Permission | Description | Typical Roles |
|---|---|---|
| View Job Postings | Browse open positions | All employees |
| Manage Job Postings | Create/edit postings | Recruiters, Managers |
| View Candidates | Access candidate profiles | Interviewers |
| Review Applications | Evaluate applicants | Hiring Managers |
| Conduct Interviews | Interview candidates | Interviewers |
| Make Offers | Extend job offers | HR, Directors |
| Admin Recruitment | Configure ATS | HR Admin |
7. Administration (6 scopes)
| Permission | Description | Typical Roles |
|---|---|---|
| System Configuration | Platform settings | System Admin |
| User Management | Create/modify users | System Admin, HR |
| Role Management | Configure roles | System Admin |
| Org Structure Management | Update org hierarchy | HR Admin |
| Report Generation | Create reports | Managers, HR |
| Data Export | Export data | Restricted roles |
Permission Matrix Example
┌────────────────────────────────────────────────────────────────────────────┐
│ PERMISSION MATRIX BY ROLE │
├────────────────────────────────────────────────────────────────────────────┤
│ │
│ Permission │ Employee │ Manager │ Director │ HR Admin │ CEO │
│ ─────────────────────────────────────────────────────────────────────────│
│ View Own Profile │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
│ Edit Own Profile │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
│ View Direct Reports │ - │ ✓ │ ✓ │ ✓ │ ✓ │
│ Edit Direct Reports │ - │ ✓ │ ✓ │ ✓ │ ✓ │
│ View All Employees │ - │ - │ - │ ✓ │ ✓ │
│ Conduct Perf Reviews │ - │ ✓ │ ✓ │ ✓ │ - │
│ Access Calibration │ - │ - │ ✓ │ ✓ │ ✓ │
│ View Team Compensation │ - │ ✓ │ ✓ │ ✓ │ ✓ │
│ Approve Compensation │ - │ - │ ✓ │ ✓ │ ✓ │
│ Admin Compensation │ - │ - │ - │ ✓ │ - │
│ View High Potentials │ - │ - │ ✓ │ ✓ │ ✓ │
│ Manage Succession │ - │ - │ - │ ✓ │ ✓ │
│ System Configuration │ - │ - │ - │ - ��│ - │
│ │
└────────────────────────────────────────────────────────────────────────────┘
Permission Scope Data Structure
interface PermissionScope {
id: number;
name: LocalizedString;
description?: LocalizedString;
category: string;
level: 'read' | 'write' | 'admin';
applicableRoles: number[]; // Role IDs
createdAt: string;
}
How Components Work Together
Access Decision Flow
┌─────────────────────────────────────────────────────────────────────┐
│ ACCESS DECISION FLOW │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ USER REQUEST: "View employee performance review" │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────┐ │
│ │ Step 1: Identify User's Roles │ │
│ │ • Primary Role: People Manager │ │
│ │ • Additional: Team Lead, Interviewer │ │
│ └─────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────┐ │
│ │ Step 2: Check Permission Scopes │ │
│ │ • "View Performance Reviews" → YES │ │
│ │ • Role has this permission │ │
│ └─────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────┐ │
│ │ Step 3: Determine Visibility Groups │ │
│ │ • Backend Engineering Manager → 3 people│ │
│ │ • Can see: Alice, Bob, Charlie │ │
│ └─────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────┐ │
│ │ Step 4: Apply Access Decision │ │
│ │ • CAN view performance reviews │ │
│ │ • ONLY for Alice, Bob, Charlie │ │
│ │ • CANNOT see other employees' reviews │ │
│ └─────────────────────�────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────┐ │
│ │ RESULT: Access Granted (Limited Scope) │ │
│ └─────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────┘
Component Relationships
┌─────────────────────────────────────────────────────────────────────┐
│ COMPONENT RELATIONSHIPS │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────┐ │
│ │ USER │ │
│ │ (Employee) │ │
│ └──────┬───────┘ │
│ │ │
│ ┌─────────────────┼─────────────────┐ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌────────────────┐ ┌────────────────┐ ┌────────────────┐ │
│ │ USER GROUPS │ │ ROLES │ │ VISIBILITY │ │
│ │ │ │ │ │ GROUPS │ │
│ │ • Backend Team │ │ • Sr Engineer │ │ • Manager View │ │
│ │ • HiPo Program │ │ • Team Lead │ │ • Dept View │ │
│ │ • SF Location │ │ • Interviewer │ │ • Program View │ │
│ └────────┬───────┘ └────────┬───────┘ └────────┬───────┘ │
│ │ │ │ │
│ │ ▼ │ │
│ │ ┌────────────────┐ │ │
│ │ │ PERMISSION │ │ │
│ │ │ SCOPES │ │ │
│ │ │ │ │ │
│ │ │ • View Reviews │ │ │
│ │ │ • Edit Goals │ │ │
│ │ │ • Assign Train │ │ │
│ │ └────────┬───────┘ │ │
│ │ │ │ │
│ └──��───────────────┼─────────────────┘ │
│ │ │
│ ▼ │
│ ┌───────────────────────┐ │
│ │ EFFECTIVE ACCESS │ │
│ │ │ │
│ │ WHAT + WHOSE = ACCESS │ │
│ └───────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────┘
Use Case Examples
Example 1: Engineering Manager
Profile: William Garcia - Backend Engineering Manager
Access Configuration:
- User Groups: Backend Engineering, All Engineering, All People Managers, San Francisco HQ
- Roles: People Manager, Senior Engineer, Interviewer
- Visibility Groups: Backend Engineering Manager (3 direct reports)
- Permission Scopes: View/Edit direct reports, conduct performance reviews, manage team goals, view team compensation, assign training, view candidates
Scenario: William wants to review compensation for his team during annual planning.
Access Decision:
- ✅ Has "View Team Compensation" permission
- ✅ Visibility limited to his 3 direct reports
- ✅ Can see compensation data for: Alice, Bob, Charlie
- ❌ Cannot see compensation for other teams
Example 2: HR Business Partner
Profile: Amelia Jackson - HRBP for Engineering
Access Configuration:
- User Groups: Human Resources, All People Managers
- Roles: HR Business Partner, HR Administrator
- Visibility Groups: HRBP - Engineering (45 employees)
- Permission Scopes: View all employees in scope, conduct calibration, access talent reviews, view/propose compensation, manage succession plans
Scenario: Amelia needs to prepare for the engineering calibration session.
Access Decision:
- ✅ Has "Access Calibration" permission
- ✅ Visibility includes all 45 engineering employees
- ✅ Can see performance data for entire engineering division
- ❌ Cannot see Operations or Sales data (different HRBP)
Example 3: Individual Contributor
Profile: Samuel Edwards - Software Engineer
Access Configuration:
- User Groups: Backend Engineering, High Potential Employees, Mentorship Program
- Roles: Engineer, High Potential
- Visibility Groups: None (self only)
- Permission Scopes: View/edit own profile, view/edit own goals, view own compensation, enroll in courses
Scenario: Samuel wants to see team performance ratings.
Access Decision:
- ❌ No "View Direct Reports" permission
- ❌ No visibility group beyond self
- ✅ Can only see his own performance data
- ❌ Request denied - insufficient access
Example 4: Cross-Functional Access
Profile: Sophia Davis - VP Product
Access Configuration:
- User Groups: Product Management, Product Development Cross-Functional, Executive Leadership
- Roles: VP/Director, Product Manager
- Visibility Groups: Product Development Cross-Functional (50 employees)
- Permission Scopes: View department employees, view performance reviews, access talent reviews
Scenario: Sophia needs to identify high-performing engineers for a new initiative.
Access Decision:
- ✅ Has "View Performance Reviews" permission
- ✅ Cross-functional visibility includes Eng + Product + Design
- ✅ Can see performance data for 50 employees in product development
- ✅ Can identify top performers across the collaboration scope
Design Principles
1. Principle of Least Privilege
Every user receives the minimum access necessary for their job function. Access is granted based on need, not convenience.
Implementation:
- Default role is "Employee" with basic self-service
- Additional permissions granted explicitly per role
- No blanket "all access" except for System Admin
2. Separation of Duties
Critical functions are divided among multiple roles to prevent fraud and errors.
Implementation:
- HR can propose compensation, but executives approve
- Recruiters can manage candidates, but hiring managers make offers
- Managers conduct reviews, but HR administers calibration
3. Need-to-Know Basis
Data visibility is limited to those who need it for their responsibilities.
Implementation:
- Visibility Groups explicitly define population access
- Managers see only their reports (not peer teams)
- HRBPs assigned to specific divisions (not all employees)
4. Role-Based Over User-Based
Access is assigned through roles, not directly to individuals.
Implementation:
- All permissions flow through roles
- User-role assignment is the only direct relationship
- Changing roles automatically updates access
5. Audit-Ready Design
All access decisions can be traced and explained.
Implementation:
- Every visibility group has a clear business purpose
- Permission scopes document applicable roles
- User groups track membership and creation
6. Scalability
The model supports organizational growth without restructuring.
Implementation:
- New employees inherit access through role assignment
- New teams get their own user groups and visibility
- Regional expansion adds new visibility groups
7. Compliance Support
Design supports common regulatory requirements.
Implementation:
- GDPR: Data minimization through visibility groups
- SOX: Separation of duties in compensation/hiring
- Privacy: Self-service limited to own data
Technical Implementation
Data Files
| File | Location | Contents |
|---|---|---|
mockUsers.ts | src/data/ | 63 employee personas |
mockUserGroups.ts | src/data/ | 29 user groups |
mockRoles.ts | src/data/ | 26 roles |
mockVisibilityGroups.ts | src/data/ | 30 visibility groups |
mockPermissionScopes.ts | src/data/ | 40 permission scopes |
Type Definitions
// Core Types
interface LocalizedString {
en?: string;
fr?: string;
}
interface User {
id: number;
username: string;
avatar?: string;
// ... additional fields
}
// Access Control Types
interface UserGroup {
id: number;
name: LocalizedString;
description?: LocalizedString;
category: string;
numberOfMembers: number;
users: User[];
roles: Role[];
createdBy?: User;
createdAt: string;
}
interface Role {
id: number;
name: LocalizedString;
members: number;
users: User[];
creationDate: string;
}
interface VisibilityGroup {
id: number;
name: LocalizedString;
description?: LocalizedString;
numberOfMembers: number;
createdBy?: User;
createdAt: string;
selected?: boolean;
}
interface PermissionScope {
id: number;
name: LocalizedString;
description?: LocalizedString;
category: string;
level: 'read' | 'write' | 'admin';
applicableRoles: number[];
createdAt: string;
}
Integration Points
- User Management UI: Lists users with their group memberships and roles
- Role Management UI: Configures roles with permission scopes
- Visibility Group UI: Defines data access populations
- Access Control Engine: Evaluates access requests at runtime
Summary
The GlobalTech Corporation RBAC implementation demonstrates a comprehensive, enterprise-grade access control system. By separating concerns across four pillars—User Groups, Roles, Visibility Groups, and Permission Scopes—the system provides:
- Fine-grained control: Precise management of who can do what with whose data
- Scalability: Easy to extend as the organization grows
- Auditability: Clear documentation of all access decisions
- Compliance: Support for privacy and security regulations
- Maintainability: Role-based approach simplifies administration
This model serves as a reference implementation for HR talent management systems requiring sophisticated access control.
Document Information
| Attribute | Value |
|---|---|
| Created | November 2024 |
| Company | GlobalTech Corporation (Fictional) |
| Purpose | RBAC Reference Implementation |
| Version | 1.0 |