Common Mistakes to Avoid
This guide covers the most frequent mistakes made when managing users, groups, roles, and permission scopes, along with practical solutions to fix and prevent them.
Mistake 1: Over-Permissioning
The Problem
Role: "Everyone Gets Everything"
├── Permissions: ALL 100+ enabled
├── Scopes: ALL attached to every permission
├── Members: 500+ users
└── Result: No access control at all
Why It's Bad
| Issue | Impact |
|---|---|
| Security risk | Unauthorized access to sensitive data |
| Audit nightmare | Impossible to track who did what |
| Compliance violation | Fails principle of least privilege |
| Privacy concerns | Everyone sees everything about everyone |
| Performance | Large scopes slow down queries |
How to Fix
Step 1: Identify actual job requirements
└── What does each role REALLY need?
Step 2: Create function-specific roles
└── HR Manager, Team Leader, Employee, etc.
Step 3: Enable only required permissions
└── Start with zero, add what's needed
Step 4: Assign appropriate scopes
└── Start with N-1 (default)
Step 5: Expand scopes only with justification
└── Document why broader access is needed
Step 6: Regular access reviews
└── Quarterly permission audits
Good Alternative
Instead of one "Super Admin" role:
├── HR Manager role (HR permissions only)
├── Finance Manager role (Finance permissions only)
├── System Admin role (limited to 2-3 users only)
└── Employee role (basic permissions for everyone)
Each role:
├── Has only necessary permissions
├── Uses N-1 scope by default
└── Is documented with justification
Mistake 2: Scope Proliferation
The Problem
Permission Scopes list:
├── HR Team
├── HR Team Paris
├── HR Team Paris Active
├── HR Team Paris Active 2024
├── HR Team Paris Q1
├── HR Team Copy
├── HR Team (New)
├── HR Team - Use This One
└── ... 100+ similar scopes
Why It's Bad
| Issue | Impact |
|---|---|
| Confusion | No one knows which scope to use |
| Inconsistency | Same users in different scopes |
| Maintenance burden | Can't keep all scopes updated |
| Clutter | List becomes unusable |
| Audit complexity | Hard to verify who has access |
How to Fix
Step 1: Identify canonical scope per logical group
└── One "HR Department" scope, not 10 variants
Step 2: Merge duplicates into authoritative scope
└── Combine populations from all duplicates
Step 3: Update all permissions to use canonical scope
└── Review each role's scope assignments
Step 4: Delete redundant scopes
└── Clean up after migration
Step 5: Establish naming convention
└── Prevent recurrence with clear rules
Good Alternative
One scope per logical boundary:
├── HR Department (all HR globally)
├── HR - EMEA (regional HR)
├── HR - France (country HR)
└── HR - Paris Office (local HR)
Benefits:
├── Clear hierarchy
├── One authoritative source
├── Easy to maintain
└── Simple to understand
Mistake 3: Empty Groups and Scopes
The Problem
Group: "Project Alpha Team"
├── Members: 0 (project ended 2 years ago)
├── Roles: 3 assigned (still active!)
├── Last updated: Never
└── Status: Abandoned
Scope: "Temporary Contractors 2022"
├── Members: 0 (contracts ended)
├── Used by: 5 permissions (still linked!)
└── Status: Forgotten
Why It's Bad
| Issue | Impact |
|---|---|
| Cluttered lists | Hard to find active items |
| Stale role assignments | Roles assigned to nothing |
| Audit confusion | Appears active but isn't |
| Maintenance debt | Accumulates over time |
| Misleading counts | Reports include dead entities |
How to Fix
Immediate Actions:
├── Delete or archive empty groups/scopes
├── Remove role assignments from empty entities
├── Document reason for deletion
└── Update any references
Ongoing Prevention:
├── Set up quarterly cleanup process
├── Add "last reviewed" date tracking
├── Alert on groups with 0 members
├── Calendar reminders for temporary items
└── Assign cleanup owner for each entity
Prevention Strategy
When creating temporary groups/scopes:
1. Add end date to description
└── "Project Phoenix - expires December 2024"
2. Set calendar reminder to review
└── 2 weeks before expected end
3. Assign cleanup owner
└── Someone responsible for deletion
4. Use dynamic membership when possible
└── Auto-removes when criteria no longer match
Mistake 4: Role Duplication
The Problem
Role list:
├── HR Manager
├── HR Manager (Copy)
├── HR Manager - New
├── HR Manager - Fixed
├── HR Manager - Final
├── HR Manager - Final v2
├── HR Manager - USE THIS ONE
└── HR Manager - CURRENT
Why It's Bad
| Issue | Impact |
|---|---|
| Confusion | Which role is correct? |
| Inconsistency | Different permissions in "same" role |
| Maintenance | Updates miss some copies |
| Audit failure | Can't verify access accurately |
| User frustration | Users assigned to wrong copy |
How to Fix
Step 1: Identify the authoritative role
└── Which one has the correct permissions?
Step 2: Compare permissions across all copies
└── Document differences
Step 3: Merge all users to authoritative role
└── Move populations from duplicates
Step 4: Delete duplicate roles
└── Remove after migration complete
Step 5: Establish role creation governance
└── Approval required for new roles
Prevention Process
Role Creation Governance:
1. Check if role already exists
└── Search before creating
2. Check if existing role can be extended
└── Maybe just add a scope?
3. Get approval before creating new role
└── Security/HR review
4. Use standard naming convention
└── Follow established patterns
5. Document role purpose
└── Why does this role exist?
Mistake 5: Missing Manager Hierarchy
The Problem
User: John Doe
├── Job Title: Senior Developer
├── Department: Engineering
├── Status: Active
├── Manager: (empty) ← Problem!
├── Groups: Engineering Team
└── Effect: Invisible to everyone
Why It's Bad
| Issue | Impact |
|---|---|
| Broken N-1 scope | User invisible to managers |
| Orphaned user | No one responsible for this person |
| Workflow issues | Approval chains don't work |
| Data integrity | Incomplete organizational structure |
| Access gaps | Can't be seen in team views |
How to Fix
Immediate Fix:
├── Assign correct manager
├── If top-level, assign CEO as manager
├── Verify user appears in manager's N-1 view
└── Test access workflows
Systematic Prevention:
├── Run weekly report of users without managers
├── Make manager field required on creation
├── Alert when manager is removed or leaves
├── Review during monthly audits
└── Include in onboarding checklist
Manager Hierarchy Rules
Manager Assignment Requirements:
Every user MUST have a manager except:
├── CEO (optional: set as own manager or system)
└── System/service accounts (use admin as manager)
Manager changes must trigger:
├── Immediate update to user's manager field
├── Verification of N-1 visibility
├── Update of any direct role assignments
├── Notification to new manager
└── Transfer of pending approvals
Mistake 6: Incorrect Scope Assignment
The Problem
Role: "Finance Manager"
Permission: "Read financial reports"
Scope: "Engineering Department" ← Wrong scope!
Result:
├── Finance Manager CAN see Engineering team (wrong!)
├── Finance Manager CANNOT see Finance team (broken!)
└── Completely inverted access
Why It's Bad
| Issue | Impact |
|---|---|
| Permission doesn't work | Users can't do their job |
| Wrong visibility | See data they shouldn't |
| User frustration | "My permission doesn't work" |
| Security gap | Wrong people have access |
| Trust issues | Undermines access control |
How to Fix
Step 1: Audit all scope assignments
└── Review each permission's scopes
Step 2: Verify scope matches permission purpose
└── Does the scope make sense?
Step 3: Correct misaligned scopes
└── Assign appropriate scopes
Step 4: Test with actual users
└── Verify access works correctly
Verification Checklist
For each permission with a scope:
□ Does scope match permission function?
Example: "Read user info" + "HR Dept" = HR can see HR ✓
□ Is scope population current?
└── Contains right people?
└── No departed employees?
└── Dynamic rules working?
□ Has scope been tested?
└── User with this role tested visibility?
└── Edge cases checked?
Mistake 7: Not Using Scopes When Needed
The Problem
Creating 50 role variants instead of using scopes:
├── HR Manager - Paris
├── HR Manager - London
├── HR Manager - Berlin
├── HR Manager - Madrid
├── HR Manager - Amsterdam
├── HR Manager - Rome
├── HR Manager - Stockholm
├── HR Manager - Dublin
└── ... 45 more city-specific roles
All with IDENTICAL permissions, just different visibility!
Why It's Bad
| Issue | Impact |
|---|---|
| Role explosion | 50 roles instead of 1 |
| Maintenance nightmare | Update 50 roles for any change |
| Inconsistency | Permissions drift between copies |
| Complexity | Hard to understand system |
| Audit burden | Review 50 roles, not 1 |
The Solution: Use Scopes
Correct approach:
1 Role: "HR Manager"
├── Permission: Read user information
│ └── Scope varies by user:
│ ├── Marie → "Paris Office" scope
│ ├── John → "London Office" scope
│ └── Hans → "Berlin Office" scope
Result:
├── 1 role instead of 50
├── Consistent permissions across all
├── Easy to update (change once, applies to all)
├── Clear scope assignments
└── Simple to audit
When to Use Scopes vs New Roles
Use SCOPE when:
├── Same permissions, different visibility
├── Geographic variations (Paris vs London)
├── Departmental variations (HR for Engineering vs Sales)
└── Team-level variations
Use NEW ROLE when:
├── Different permissions needed
├── Fundamentally different job function
├── Different access level (read vs write)
└── Security classification differs
Mistake 8: Ignoring Inactive Users
The Problem
User: Former Employee
├── Status: Inactive
├── Roles: Administrator, HR Manager, Finance Viewer
├── Groups: Executive Team, All Access, Finance Leadership
├── Scopes: Executive Compensation, Confidential HR
├── Last Login: 18 months ago
└── Still has access to everything!
Why It's Bad
| Issue | Impact |
|---|---|
| Security risk | Account could be compromised |
| Compliance failure | Fails access control audits |
| License cost | May count toward user licenses |
| Clutter | Appears in member lists |
| Misleading metrics | Population counts include departed |
How to Fix
Proper Offboarding Process:
1. Set status to Inactive
└── Immediately on departure
2. Remove ALL role assignments
└── No roles should remain
3. Remove from ALL user groups
└── Check every group membership
4. Remove from ALL permission scopes
└── Check every scope population
5. Document departure date and reason
└── Audit trail
6. Keep profile for historical records
└── Don't delete, just deactivate
Automated Monitoring
Weekly Reports to Generate:
├── Inactive users with roles assigned
│ └── Should be zero
├── Inactive users in groups
│ └── Should be zero
├── Users inactive > 90 days
│ └── Review for status change
├── Users who never logged in
│ └── Investigate and clean up
├── Active users with no manager
│ └── Fix hierarchy
Mistake 9: Circular Group References
The Problem
Group A: "Engineering Team"
├── Members include: Group B (via group-based membership)
Group B: "Product Team"
├── Members include: Group A (via group-based membership)
Result: Infinite loop!
├── System may crash
├── Performance degradation
├── Unexpected members
└── Impossible to audit
How to Fix
Prevention:
├── System should block circular references
├── Always check before adding group-based members
├── Document group relationships
└── Regular audit of group dependencies
If Detected:
├── Identify the circular chain
├── Remove one direction of reference
├── Consider manual membership instead
└── Re-evaluate group structure
Mistake 10: Bulk Scope Overwrite Without Checking
The Problem
Scenario:
├── Select 10 permissions
├── Click "Manage Permission Scopes"
├── Add "Engineering Department" scope
├── Click Confirm
What happened:
├── Previous scopes on ALL 10 permissions: DELETED
├── Only "Engineering Department" remains
├── Other scopes like "HR Team", "Finance" are GONE
└── Users lost access unexpectedly
Why It's Bad
| Issue | Impact |
|---|---|
| Data loss | Previous scope assignments gone |
| Access disruption | Users lose permissions |
| Unexpected behavior | "I didn't mean to delete those" |
| Recovery difficulty | Must remember and re-add manually |
How to Avoid
Before Bulk Scope Operations:
1. Document current scopes
└��── Screenshot or note existing assignments
2. Select ONLY permissions that should change
└── Be precise in selection
3. Understand: Bulk = REPLACE, not ADD
└── This is how the system works
4. If adding to existing:
└── Do individual scope assignments instead
5. After bulk change:
└── Verify expected scopes are present
└── Re-add any that were removed unintentionally
Mistake Summary Table
| # | Mistake | Quick Fix | Prevention |
|---|---|---|---|
| 1 | Over-permissioning | Apply least privilege | Role design governance |
| 2 | Scope proliferation | Consolidate to canonical | Naming conventions |
| 3 | Empty groups/scopes | Delete unused entities | Quarterly cleanup |
| 4 | Role duplication | Merge to single role | Approval process |
| 5 | Missing manager | Assign correct manager | Required field validation |
| 6 | Incorrect scope | Verify scope matches function | Testing before deploy |
| 7 | Not using scopes | Use scopes instead of roles | Training on scope usage |
| 8 | Ignoring inactive | Remove all access on departure | Offboarding checklist |
| 9 | Circular references | Remove one direction | System validation |
| 10 | Bulk scope overwrite | Document before changes | Individual updates |
Prevention Checklist
Before Creating a New Entity
User Group:
□ Does similar group already exist?
□ Is the name clear and descriptive?
□ Have you added localization (en + fr)?
□ Who will maintain this group?
□ Is it temporary or permanent?
Role:
□ Can existing role be used/extended?
□ Is role name descriptive and consistent?
□ Are permissions documented with justification?
□ Is principle of least privilege applied?
□ Who approved this new role?
Permission Scope:
□ Does similar scope already exist?
□ Is boundary clearly defined?
□ Who manages the population?
□ Is this temporary or permanent?
□ What permissions will use this scope?
Regular Maintenance Schedule
Weekly:
□ Review new access requests
□ Check for anomalies in assignments
□ Verify new user manager assignments
Monthly:
□ Audit group memberships
��□ Remove departed employees
□ Check for empty entities
□ Verify dynamic rules are working
Quarterly:
□ Full role permission review
□ Scope usage audit
□ Clean up unused items
□ Documentation update
Annually:
□ Complete access certification
□ Policy review and update
□ Training refresher for admins
□ System configuration review
Navigation
- Previous: Best Practices
- Next: Use Cases
- Back to: Documentation Index