Skip to content

ADR-0004: Adopt a Strict, Group-Based Access Control Model

  • Status: Accepted
  • Date: 2025-09-11
  • Authors: Senior Systems Analyst

Context and Problem Statement

The application requires a scalable, auditable, and easily manageable access control system. Assigning permissions directly to individual users is error-prone and does not scale as the organization grows. We need a model that enforces the Principle of Least Privilege while simplifying administration.

Considered Options

  • Option 1: Direct User-to-Role Assignment

    • Description: A standard RBAC model where administrators assign roles (and their associated permissions) directly to each user.
    • Pros:
      • Conceptually simple for individual user management.
    • Cons:
      • Becomes unmanageable at scale. Changing a team's permissions requires editing every single user account.
      • Lacks a way to model the organization's structure.
      • Difficult to audit "why" a user has a certain permission.

  • Option 2: Strict, Group-Based Hierarchy (Chosen)

    • Description: A hybrid model where permissions are collected into roles, roles are assigned exclusively to groups, and users gain access solely by being members of those groups. Direct assignment of roles or permissions to users is programmatically forbidden.
    • Pros:
      • Highly Scalable: Managing access for an entire department requires only a single action (assigning a role to their group).
      • Auditable: The chain of inheritance (User -> Group -> Role -> Permission) is clear and unambiguous.
      • Mirrors Org Structure: Groups can directly model teams and departments, making the system intuitive for administrators.
      • Enforces Consistency: Prevents one-off permission assignments that deviate from standard job functions.
    • Cons:
      • Less Flexible for Exceptions: Creating a one-off permission set for a single user is more complex, as it requires creating a new role and potentially a new group.

Decision

We will adopt the Strict, Group-Based Hierarchy for access control (Option 2). The rule that permissions and roles can NEVER be assigned directly to a user is the cornerstone of this decision. This model provides the best long-term scalability and auditability, which are critical business requirements. The business requirements for this feature are detailed in the Access Control Model Foundation BRD.

Consequences

Positive

  • Permission management is dramatically simplified for administrators.
  • The system is more secure and consistent, as it prevents ad-hoc permission grants.
  • Auditing user access becomes a straightforward process of reviewing group memberships and their associated roles.

Negative

  • The initial setup of groups and roles requires more planning.
  • Handling unique exceptions for individual users is intentionally more difficult, which is an acceptable trade-off to enforce consistency and security.