Real-World Use Cases
This guide provides detailed real-world scenarios demonstrating how to effectively use the User Management System for common business situations.
Use Case 1: Onboarding a New HR Business Partner
Scenario
Marie Dupont joins as HR Business Partner supporting the Engineering department. She needs to:
- View all Engineering employee profiles (beyond her direct reports)
- Manage objectives for her own direct reports only
- Access performance reviews for Engineering employees
- Have basic employee access like everyone else
Step-by-Step Implementation
Step 1: Create User Profile
Navigate: Users module → Click "Create User"
Create user with:
├── First Name: Marie
├── Last Name: Dupont
├── Email: marie.dupont@company.com
├── Job Title: HR Business Partner - Engineering
├── Manager: Jean Martin (HR Director)
├── Status: Active
├── Location: Paris, France
├── Company Entry Date: [Today's date]
└── Click "Create"
Step 2: Add to User Groups
Navigate: User Groups module
Add to groups:
├── "HR Team" (department group)
│ └── Click "Add Members" → Search "Marie Dupont" → Select → Confirm
├── "Paris Office" (location group)
│ └── Same process
└── "HR Business Partners" (function group)
└── Same process
Result: Marie inherits roles from these groups automatically
Step 3: Assign HR Business Partner Role
Navigate: Roles module → Find "HR Business Partner" → Click to open
Go to Population tab:
├── Click "Add Members"
├── Search "Marie Dupont"
├── Select checkbox
└── Click "Confirm"
Result: Marie now has HR BP permissions
Step 4: Configure Permission Scopes for Engineering
Navigate: Roles module → "HR Business Partner" → Permissions tab
For "Read user information" permission:
├── Click "Scope" button (shows "N-1 (default)")
├── In modal, search "Engineering Department"
├── Check the scope
├── Click "Add 1 group"
├── Click "Confirm"
Repeat for other permissions:
├── "Read user skills" → Add "Engineering Department" scope
├── "Read reviews" → Add "Engineering Department" scope
├── "Read objectives" → Add "Engineering Department" scope
Leave as N-1 (no scope change):
├── "Update objectives" → N-1 (her direct reports only)
├── "Update user" → N-1 (her direct reports only)
Final Result
User: Marie Dupont
├── Status: Active
├── Manager: Jean Martin (HR Director)
├── Groups: HR Team, Paris Office, HR Business Partners
├── Role: HR Business Partner
└── Effective Access:
├── Read user information → Engineering Dept (50 people) + N-1
├── Read user skills → Engineering Dept + N-1
├── Read reviews → Engineering Dept + N-1
├── Read objectives → Engineering Dept + N-1
├── Update objectives → N-1 only (her 2 direct reports)
└── Update user → N-1 only
Use Case 2: Setting Up a Cross-Functional Project Team
Scenario
A new strategic project "Phoenix" needs a team from multiple departments:
- 4 Engineers
- 3 Designers
- 3 Marketing specialists
- 2 Product Managers
Team members need to see each other's objectives and profiles to collaborate effectively.
Step-by-Step Implementation
Step 1: Create Permission Scope
Navigate: Permission Scopes module → Click "Create scope"
Create scope:
├── Name (EN): "Project Phoenix Team"
├── Name (FR): "Équipe Projet Phoenix"
├── Description: "Cross-functional team for Project Phoenix initiative"
└── Click "Create"
Step 2: Add Population to Scope
Navigate: Scope detail → Population section → Click "Add Members"
Switch to Manual tab:
├── Search and select team members:
│ ├── Engineering: Alice Chen, Bob Wilson, Carol Davis, David Lee
│ ├── Design: Eve Brown, Frank Miller, Grace Taylor
│ ├── Marketing: Henry Adams, Iris Wang, Jack Thompson
│ └── Product: Karen Smith, Leo Martinez
├── All 12 selected
└── Click "Confirm"
Step 3: Create User Group for Easy Management
Navigate: User Groups module → Click "Create group"
Create group:
├── Name (EN): "Project Phoenix Team"
├── Name (FR): "Équipe Projet Phoenix"
├── Description: "Members of Project Phoenix initiative"
└── Click "Create"
Add same 12 members to group:
├── Click "Add Members"
├── Select all 12 team members
└── Confirm
Step 4: Create Project Contributor Role
Navigate: Roles module → Click "Create role"
Create role:
├── Name (EN): "Project Contributor - Phoenix"
├── Description: "Can view and update project objectives for Phoenix team"
└── Click "Create Role"
Configure Permissions:
├── Go to Permissions tab
├── Expand "Objective" category
│ ├── Enable "Read objectives"
│ │ └── Add scope: "Project Phoenix Team"
│ ├── Enable "Update objective"
│ │ └── Add scope: "Project Phoenix Team"
├── Expand "User" category
│ ├── Enable "Read user information"
│ │ └── Add scope: "Project Phoenix Team"
│ ├── Enable "Read user skills"
│ │ └── Add scope: "Project Phoenix Team"
└── Leave other permissions deactivated
Step 5: Assign Role to Team
Navigate: Role detail → Population tab → Click "Add Members"
Option A: Add group:
├── Switch to "From Group" tab
├── Select "Project Phoenix Team" group
└── Confirm
Option B: Add individuals:
├── Search and select all 12 members
└── Confirm
Final Result
Project Phoenix Setup:
├── Permission Scope: "Project Phoenix Team" (12 members)
│ └── Population: Alice, Bob, Carol, David, Eve, Frank,
│ Grace, Henry, Iris, Jack, Karen, Leo
├── User Group: "Project Phoenix Team" (12 members)
│ └── Same population (for easy management)
├── Role: "Project Contributor - Phoenix"
│ └── Permissions scoped to project team only
└── Effect: All 12 members can:
├── See each other's profiles
├── See each other's skills
├── Read each other's objectives
└── Update each other's objectives
(But NOT see anyone outside the project team)
Use Case 3: Expanding Regional Manager Visibility
Scenario
Hans Mueller is promoted to EMEA Regional Manager. He needs to:
- See all employees across EMEA (France, Germany, UK, Spain, Italy)
- Manage objectives for all EMEA teams
- Access performance reviews region-wide
- Approve time off for EMEA employees
Previously he only had visibility to Germany (his home country).
Step-by-Step Implementation
Step 1: Verify or Create Regional Scope
Navigate: Permission Scopes module → Search "EMEA"
If "EMEA Region" exists:
├── Open scope detail
├── Verify population includes all EMEA countries
├── Add any missing employees
└── Proceed to Step 2
If not exists, create:
├── Click "Create scope"
├── Name (EN): "EMEA Region"
├── Name (FR): "Région EMEA"
├── Description: "All employees in Europe, Middle East, and Africa"
├── Click "Create"
└── Add population (~500 EMEA users)
Step 2: Add Population Using Dynamic Rules
Navigate: Scope detail → Population → Click "Add Members" → Dynamic tab
Create rule:
├── Section 1 (AND):
│ ├── Location IN ("France", "Germany", "United Kingdom", "Spain", "Italy")
│ └── Status = "Active"
└── Click "Apply"
Result: All active EMEA employees automatically included
(Membership updates as employees join/leave EMEA)
Step 3: Update Hans's User Profile
Navigate: Users module → Search "Hans Mueller"
Update profile:
├── Job Title: EMEA Regional Manager
│ (was: Germany Country Manager)
├── Manager: Global VP Operations (if changed)
├── Verify Status: Active
└── Save changes
Step 4: Assign Regional Manager Role with EMEA Scope
Navigate: Roles module → Find or create "Regional Manager"
Configure Permissions with EMEA scope:
├── "Read user information" → Add "EMEA Region" scope
├── "Read user skills" → Add "EMEA Region" scope
├── "Read objectives" → Add "EMEA Region" scope
├── "Update objectives" → Add "EMEA Region" scope
├── "Read reviews" → Add "EMEA Region" scope
├── "Approve time off" → Add "EMEA Region" scope
└── Other permissions as needed
Add Hans to Population:
├── Go to Population tab
├─�─ Add "Hans Mueller"
└── Confirm
Step 5: Update Group Memberships
Navigate: User Groups module
Add Hans to:
├── "EMEA Leadership Team"
├── "Regional Managers"
└── "All People Managers"
Remove Hans from (if applicable):
├── "Germany Only" groups
└── Country-specific management groups
Final Result
User: Hans Mueller
├── Title: EMEA Regional Manager
├── Status: Active
├── Groups: EMEA Leadership, Regional Managers, All People Managers
├── Role: Regional Manager
└── Visibility:
├── Before: ~100 Germany employees only
├── After: ~500 EMEA employees
└── Permissions apply to entire EMEA region
Use Case 4: Restricting Access to Sensitive Data
Scenario
Executive compensation data must be restricted to only 5 authorized people:
- CHRO (Chief Human Resources Officer)
- CFO (Chief Financial Officer)
- CEO (Chief Executive Officer)
- Head of Compensation
- Compensation Analyst
No one else in the organization should see executive pay information.
Step-by-Step Implementation
Step 1: Create Restricted Scope
Navigate: Permission Scopes module → Click "Create scope"
Create scope:
├── Name (EN): "Executive Compensation Access"
├── Name (FR): "Accès Rémunération Direction"
├── Description: "Authorized viewers of executive compensation data -
│ Highly restricted. Changes require CHRO approval."
└── Click "Create"
Step 2: Add Restricted Population (Manual Only)
Navigate: Scope detail → Population → Click "Add Members" → Manual tab
Add ONLY the 5 authorized users:
├── Sarah Chen (CHRO)
├── Michael Brown (CFO)
├── Jennifer Lee (CEO)
├── David Wilson (Head of Compensation)
└── Emily Davis (Compensation Analyst)
Click "Confirm"
IMPORTANT: Use Manual method only
├── No dynamic rules (too risky for sensitive access)
├── No group-based membership (could expand unexpectedly)
└── Each member explicitly approved
Step 3: Create Compensation Administrator Role
Navigate: Roles module → Click "Create role"
Create role:
├── Name (EN): "Compensation Administrator"
├── Description: "Access to executive compensation data -
│ Highly restricted. Requires CHRO approval for assignment."
└── Click "Create Role"
Configure Permissions (minimal):
├── "Read compensation data"
│ └── Scope: "Executive Compensation Access"
├── "Update compensation data"
│ └── Scope: N-1 only (Head of Comp updates direct reports)
└── ALL other permissions: DEACTIVATED
└── No user creation, no role management, etc.
Step 4: Assign Role to Authorized Users
Navigate: Role detail → Population tab → Click "Add Members"
Add the 5 authorized users:
├── Sarah Chen
├── Michael Brown
├── Jennifer Lee
├── David Wilson
└── Emily Davis
Click "Confirm"
Document the assignment:
├── Record approval date
├── Record approver (CHRO)
├── Record business justification for each person
└── Set review date (quarterly)
Step 5: Set Up Audit and Review Process
Documentation to create:
├── List of authorized users with justification
├── Approval signatures from CHRO
├── Review schedule: Quarterly
├── Change request process
└── Incident response plan
Monitoring to implement:
├── Alert on any changes to scope population
├── Alert on any changes to role permissions
├── Quarterly access review reminder
└── Annual recertification required
Final Result
Restriction Setup:
├── Scope: "Executive Compensation Access" (5 users ONLY)
│ └── Manual membership only, no dynamic rules
├── Role: "Compensation Administrator" (5 users)
│ └── Minimal permissions, highly restricted
├── Permission: "Read compensation data"
│ └── Only works for scope members
├── Audit trail: Fully documented
└── Review: Quarterly
Anyone else in organization:
├── Cannot see executive compensation data
├── Permission not available in their roles
├── Cannot add themselves to scope (admin only)
└── Access requests require CHRO approval
Use Case 5: Temporary Contractor Access
Scenario
A consulting firm sends 10 contractors for a 6-month project. They need:
- Access to project-related information only
- No access to employee personal data
- No access to HR or financial data
- Limited to specific project scope
- Automatic access removal at contract end
Step-by-Step Implementation
Step 1: Create Contractor Users
Navigate: Users module
Create 10 contractor users with clear identification:
├── Email: contractor-[name]@consulting-firm.com
│ (Use their company email domain)
├── Job Title: "External Consultant - McKinsey" (or firm name)
├── Manager: Project Sponsor (internal employee)
├── Status: Active
├── Location: [Their work location]
└── Note in description: "Contract ends: [Date]"
Naming convention:
├── Makes contractors easily identifiable
├── Email domain shows external status
└── Job title prefix "External" or suffix "(Contractor)"
Step 2: Create Contractor Scope
Navigate: Permission Scopes module → Click "Create scope"
Create scope:
├── Name (EN): "Q2 2024 McKinsey Consultants"
├── Name (FR): "Consultants McKinsey Q2 2024"
├── Description: "External consultants for Project X -
│ Contract expires June 30, 2024. Auto-review required."
└── Click "Create"
Add all 10 contractor users to population
Step 3: Create External Consultant Role
Navigate: Roles module → Click "Create role"
Create role:
├── Name (EN): "External Consultant"
├── Description: "Limited access for external contractors.
│ No access to HR, Finance, or personal employee data."
└── Click "Create Role"
Configure Permissions (MINIMAL):
├── "Read objectives" → Scope: "Q2 2024 McKinsey Consultants"
│ └── Can see project objectives only
├── "Update objectives" → Scope: N-1
│ └── Can update objectives assigned to them
├── All User permissions: DEACTIVATED
│ └── No access to employee profiles
├── All HR permissions: DEACTIVATED
├── All Finance permissions: DEACTIVATED
├── All Access Control permissions: DEACTIVATED
└── Only project-relevant permissions enabled
Step 4: Create Contractor Group
Navigate: User Groups module → Click "Create group"
Create group:
├── Name (EN): "External Consultants - Active"
├── Description: "Currently active external consultants"
└── Add all 10 contractors
Assign role:
├── Link "External Consultant" role to this group
└── All group members automatically get the role
Step 5: Set Up Offboarding Reminders
Calendar Reminders to Create:
2 weeks before contract end:
├── Review contractor access
├── Confirm contract is not extending
├── Prepare for offboarding
On contract end date:
├── Set all contractor users to Inactive
├── Remove from all groups
├── Remove from all scopes
├── Delete or archive contractor-specific scope
1 week after:
├── Verify all access removed
├── Clean up any remaining artifacts
└── Document completion
Final Result
Contractor Setup:
├── 10 contractor users
│ ├── Clearly identified (email, job title)
│ ├── Correct manager (project sponsor)
│ └── Contract end date documented
├── Scope: "Q2 2024 McKinsey Consultants"
│ └── Limited to project team visibility
├── Role: "External Consultant"
│ └── Minimal permissions, project-focused
├── Group: "External Consultants - Active"
│ └── Easy management of all contractors
├── Visibility: Project information only
│ └── No employee data, HR, or Finance access
└── Offboarding: Scheduled for June 30, 2024
Use Case 6: Department Reorganization
Scenario
The Sales department is splitting into two teams:
- Enterprise Sales (large accounts, 15 people)
- SMB Sales (small/medium business, 10 people)
Existing "Sales Team" group needs to be reorganized while maintaining access continuity.
Step-by-Step Implementation
Step 1: Plan the Reorganization
Before making changes, document:
├── Current "Sales Team" group membership (25 people)
├── Current roles assigned to "Sales Team"
├── Current scopes using "Sales Team"
├── Which members go to Enterprise (15)
├── Which members go to SMB (10)
└── Approval from Sales VP
Step 2: Create New Groups
Navigate: User Groups module
Create Enterprise group:
├── Click "Create group"
├── Name (EN): "Enterprise Sales Team"
├── Name (FR): "Équipe Ventes Entreprises"
├── Description: "Sales team for enterprise/large accounts"
└── Click "Create"
Create SMB group:
├── Click "Create group"
├── Name (EN): "SMB Sales Team"
├── Name (FR): "Équipe Ventes PME"
├── Description: "Sales team for small/medium business accounts"
└── Click "Create"
Step 3: Move Members to New Groups
Navigate: Original "Sales Team" group
For each of 25 members, determine destination:
├── Enterprise Sales (15 users):
│ ├── Add to "Enterprise Sales Team"
│ └── Eventually remove from "Sales Team"
├── SMB Sales (10 users):
│ ├── Add to "SMB Sales Team"
│ └── Eventually remove from "Sales Team"
Process:
1. First, ADD members to new groups
2. Verify new group memberships correct
3. Then, REMOVE from old group
4. This prevents access gaps during transition
Step 4: Create New Scopes (if needed)
Navigate: Permission Scopes module
If visibility needs differ between teams:
Create Enterprise scope:
├── Name: "Enterprise Sales Department"
├── Description: "Enterprise sales team members"
├── Population: Same as "Enterprise Sales Team" group
│ └── Use "From Group" method for auto-sync
Create SMB scope:
├── Name: "SMB Sales Department"
├── Description: "SMB sales team members"
├── Population: Same as "SMB Sales Team" group
│ └── Use "From Group" method for auto-sync
Step 5: Adjust Roles and Permissions
Navigate: Roles module
Option A: Modify existing role:
├── Open "Sales Manager" role
├── Update scopes to include new groups/scopes
│ ├── Add "Enterprise Sales Department" scope
│ ├── Add "SMB Sales Department" scope
│ └── Keep or remove old "Sales Team" scope
└── Verify all sales managers have appropriate access
Option B: Create specialized roles:
├── Create "Enterprise Sales Manager"
│ └── Scoped to "Enterprise Sales Department"
├── Create "SMB Sales Manager"
│ └── Scoped to "SMB Sales Department"
└── Assign to appropriate managers
Option C: Keep single role, use personal scopes:
├── Keep "Sales Manager" role
├── Assign different scopes per individual
│ ├── Enterprise managers → Enterprise scope
│ └── SMB managers → SMB scope
Step 6: Clean Up Old Entities
After reorganization verified complete:
Clean up original group:
├── Verify "Sales Team" has 0 members
├── Remove role assignments from empty group
├── Delete or archive "Sales Team" group
└── Document the reorganization
Update documentation:
├── Update any references to old group name
├── Document new structure
├── Communicate changes to affected users
└── Update training materials
Final Result
Before:
├── Sales Team (25 users, 1 group)
│ └── Single role, single scope
After:
├── Enterprise Sales Team (15 users)
│ ├── Role: Enterprise Sales Manager (for managers)
│ ├── Role: Enterprise Sales Rep (for reps)
│ └── Scope: Enterprise Sales Department
├── SMB Sales Team (10 users)
│ ├── Role: SMB Sales Manager (for managers)
│ ├── Role: SMB Sales Rep (for reps)
│ └── Scope: SMB Sales Department
└── Original "Sales Team" archived
Benefits:
├── Clear team separation
├── Appropriate access per team
├── Easier management
├── Better reporting
└── Ready for different commission structures, tools, etc.
Quick Reference: Common Operations
| Task | Key Steps |
|---|---|
| Onboard new employee | Create user → Set manager → Add to groups → Verify inherited roles |
| Give broader visibility | Add permission scope to specific permission in role |
| Set up project team | Create scope → Create group → Create role → Link together |
| Restrict sensitive data | Create small manual scope → Create minimal role → Document |
| Onboard contractors | Create users with clear ID → Limited role → Set end date |
| Reorganize department | Plan first → Create new → Move members → Clean up old |
| Offboard employee | Set inactive → Remove from groups → Remove roles → Document |
| Promote to manager | Update title → Add to manager groups → Assign manager role |
Navigation
- Previous: Common Mistakes
- Next: Quick Reference
- Back to: Documentation Index