Security model where a user has multiple business units and different roles by business unit

Paul Lagerman


The requirement is:
1. A user can be assigned to multiple business units
2. That user can have different action security to different business units (meaning for 3 out of the 4 BUs, the user can perform add, update, delete functions, but for the 4th BU, the user only has View access (read only))

My goal is to limit the total roles in the system to the least amount possible. Currently, I've defined about 10 roles that will do the trick.

Now, my issue is, I would like to define a security model where:
1 User can have many business units
1 business unit can have one or many roles
User to BU, BU to Role

Basically, a parent child, parent child relationship. 1:M:M

I've determined that I might be able to accomplish my requirement by producing a unique role for each user, assigning the security to that role and then assigning the role to the business unit. 1 user to role to bu - The implications to this is I will actually have more roles than users... a maintenance nightmare

Is there a better model for implementing this requirement? I want to keep it as simple as possible.
 
Re: Security model where a user has multiple business units and different roles by business unit

Assuming you are 8.9+, have you thought about using row security to achieve this? You can grant the user full access via row security to the BUs they need, but restrict down to inquiry for those that user does not. Consider segregating application/action security role from the row security role. Again, making the assumption that you can give the user the same applications, but use row security to restrict what ranges of BUs and actions they can get to. Row security will have its challenges in testing and configuration, but it should meet your requirements.
 
Re: Security model where a user has multiple business units and different roles by business unit

I believe I understand what you are saying, but this approach does not lessen the maintenance of the security. I don't see how for a BU attached to a user that it differentiates a role's access to the BU. Please explain further.
I am using 8.98 and have the following:
500 Companies
600+ Users

We have a structure where a user might have access to 3 companies completely, but only read-only access to the 4th company. Turnover is high and I would not want to maintain security at the user level. Roles pertain to action and application security across the E1 environment regardless of Business Unit. How can I effectively minimize my maintenance of roles and row level security for my 500 companies and 600+ users?
 
Re: Security model where a user has multiple business units and different roles by business unit

Recommend that you create row security roles that can be reused across many users. Row security role should only contain row security. This way your app/action roles can be left alone. This will allow you to assign the role to the user, instead of creating row security at the user level. And, hopefully, more than one user can leverage the role. Challenge is how different each user really is - based on the business requirements - and if you can group like users. I've been on both extremes and it is a case of demonstrating to the business the level of effort and maintenance that is driven by their requirements. If the business is educated and understands impact of row security, sometimes there can be a meeting in the middle. Feel free to email me separately if you want to dialog further.
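
The split recommended in this thread, as an added sketch that is not part of any post and is not JD Edwards code: action roles say what a user may do in the applications, reusable row security roles say which BU ranges and actions are allowed, and the effective access per BU is the intersection. Role names, BU ranges, user IDs, the union of overlapping rules and the default-deny for unlisted BUs are all assumptions of this model.

```python
from dataclasses import dataclass

FULL = frozenset({"view", "add", "change", "delete"})
VIEW = frozenset({"view"})

@dataclass(frozen=True)
class RowRule:
    bu_from: str  # inclusive; zero-padded so string order matches numeric order
    bu_thru: str  # inclusive
    actions: frozenset

# Hypothetical roles and users, constructed for this example.
# Action roles carry application/action security only.
ACTION_ROLES = {"AP_CLERK": FULL, "AP_INQUIRY": VIEW}
# Row security roles carry BU ranges only and are shared by many users.
ROW_ROLES = {
    "ROW_CO1_3_FULL": [RowRule("00100", "00399", FULL)],
    "ROW_CO4_VIEW": [RowRule("00400", "00499", VIEW)],
}
USERS = {
    "USER_A": {"action": ["AP_CLERK"], "row": ["ROW_CO1_3_FULL", "ROW_CO4_VIEW"]},
    "USER_B": {"action": ["AP_INQUIRY"], "row": ["ROW_CO1_3_FULL"]},
}

def effective_actions(user, bu):
    """Actions a user may perform on one business unit."""
    profile = USERS[user]
    # What the application/action roles allow, regardless of BU.
    app = frozenset().union(*(ACTION_ROLES[r] for r in profile["action"]))
    # What the row security roles allow for this BU (assumed: union of
    # matching rules, and no matching rule means no access at all).
    row = frozenset()
    for role in profile["row"]:
        for rule in ROW_ROLES[role]:
            if rule.bu_from <= bu <= rule.bu_thru:
                row |= rule.actions
    # A user needs both layers to agree before an action is permitted.
    return app & row

def role_count():
    """Roles to maintain: grows with distinct access patterns, not with users."""
    return len(ACTION_ROLES) + len(ROW_ROLES)

if __name__ == "__main__":
    for user in USERS:
        for bu in ("00250", "00450", "00900"):
            print(user, bu, sorted(effective_actions(user, bu)))
```

Onboarding or removing a user in this model changes only that user's role assignments; the role definitions stay untouched.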
 