[bongodongobob]

This reminds me exactly of how difficult it is to create decent security groups.

I've had a few opportunities to build active directory from the ground up. It always starts nice and clean with Accounting, Sales, Production, etc. Then Directors, Managers, Supervisors etc.

Everything maps out nicely in the beginning but then you run into things like "well Susie is only a supervisor, but she's in account so needs access to X. And Bob is a director but shouldn't have access to Y. And Managers should only be able to access Z but only if they are in Marketing. Etc."

You end up with a bunch of custom groups and the whole idea of a big venn diagram disintegrates.

In theory everyone has a defined role on paper, but it completely falls apart when the rubber meets the road.