← Back to Knowledge Base← Previous questionNext question →
Business AnalysisSystems Analyst

How does a systems analyst define and document user roles and access rights in a complex multi-module IT system?

Pass interviews with Hintsage AI assistant

Answer.

History of the question:

With the increasing number of users and modules in IT systems, the distribution of roles and the definition of rights have become critically important tasks. Mistakes in designing the access scheme lead to vulnerabilities, non-functioning features, and risks of data leaks.

Problem:

The lack of a unified methodology for building the rights matrix, inconsistencies between different modules, and incorrect descriptions of access scenarios ultimately lead to inconveniences for users and conflicts, and sometimes even legal consequences.

Solution:

An access matrix method is used, where for each module of the system, roles (Role-Based Access Control, RBAC), types of operations, and corresponding usage scenarios are described. The following is documented:

  • List of roles with descriptions: administrator, operator, user, guest, etc.
  • List of operations (CRUD, process launches, data exports, etc.) available to each role
  • Restrictions and exceptions for special cases
  • Examples of user scenarios: who does what and when, what the results are

All of this is recorded in a summary table of "roles and rights," usually using spreadsheets, schematic builders, or specialized UML diagrams (e.g., Use Case).

Key features:

  • Formalization of roles regardless of organizational structure
  • Consistency checks between modules
  • Working through not only the granting, but also the revocation/change of rights

Trick questions.

Is it enough to describe only the basic roles (admin, user) for the entire system?

No, roles should be detailed at the task and module level, otherwise gray areas and security gaps will arise.

Can access rights be built solely based on the existing organizational structure?

No, the organizational structure changes rapidly, while business processes last longer. Roles should be identified based on business scenarios and areas of responsibility.

Should only permissive access rights be documented?

No, it is essential to describe not only permissions but also prohibitions (deny rules), as well as to provide procedures for escalation and temporary rights granting.

Typical mistakes and anti-patterns

  • A "flat" rights scheme across the whole system, lack of detail at the module level
  • Transferring the organizational hierarchy to IT rolling without taking peculiarities into account
  • Documenting only positive (permissive) rights without scenarios for revocation or temporary access

Real-life example

Negative case:

In a large CRM system, all rights were described only at the level of two basic roles. In practice, many conflicts arose: regular managers accidentally deleted important data, while operators did not have access to their functions.

Pros:

  • Simplified commissioning

Cons:

  • Increased risks of access to critical data, errors due to inconsistency

Positive case:

The analyst divided rights by roles and modules, conducted a design workshop with users, described delegation and revocation cases. Created a summary access matrix, agreed on user journey templates for different types of employees.

Pros:

  • Risk minimization, transparency, and ease of management

Cons:

  • An additional stage of coordination between departments was required