Mysterious permission problems

Most of my clients handle things pretty well on their own, and they only come to me when they get something that really mystifies them.

Among all the mysterious problems that come my way, the most common cause is probably complex user permissions.

WordPress and Drupal offer a variety of ways to control access to content, and so does CiviCRM. Permissions, roles, ACLs, financial ACLs, groups, memberships, etc., etc.

I've found that organizations who avoid problems with permissions are doing at least one of two things:

1. They limit the complexity. Fewer roles, fewer ACLs, fewer policies about who can do what.
   
   They either know that they don't need the complexity, or they make an intentional decision to keep things simple and make sure that staff are well trained and user interfaces are well designed.

2. They keep thorough documentation. Both the rationale and the mechanism for any permissioning scheme is written down somewhere, and frequently referenced and updated. This makes it easy to sort out what's going on when something surprising happens.
   
   It also has a limiting effect on the complexity: if you have to document everything, it kinda makes you think twice before changing the permissions.

Some of the biggest wins in reducing complexity come from simplifying the user permissioning scheme.

If you can think of more than a handful of times that your users have been mysteriously denied access the content or features that they should have, there's a good chance you need to sit down and simplify.

All the best,
A.