Over the past several years I’ve struggled with security roles in LDRPS. I found myself creating multiple roles, assigning them to various users, and ending up with a lot of maintenance. Periodically I’ve had to go back and review roles to see what the differences are, and that means digging down into permission sets and looking at filters. If I needed to create a user who could just look at screens as an IT DR planner, I would have to create a role. If I needed a continuity planner who could just look at screens, I would create another role. Finally it occurred to me that rather than creating two roles – one for edit and one for audit – for each type of planner, I should just create a single role that denied edit and assigned records access to everything. I named the role “View Only Overlay”. Now, no matter how many different types of roles I create, if I need a version that only allows view access, all I need to do is assign the particular role together with my “View Only Overlay”.
We could do the same for expanded access. Let’s say we need a power user role for a continuity planner. We assign the base continuity planner role and then a power user overlay that grants more permissions in particular areas. These overlays don’t require as much maintenance because you don’t need to create permission sets for every data type. You only need to create permission sets for the data types where you are granting expanded access. If the base continuity planner and base IT DR planner roles only allow view access to employee records and you want a role for each that allows edit access, you can create an overlay role to grant that access. The new overlay role would only require one permission set to grant edit access to employee records.
To illustrate the advantages of using overlays, consider the table below. On the left are six unique roles for six different types of users. On the right we can accommodate those same six types of users with only four roles and much less complexity within the overlay roles.
| Without Overlay Roles | With Overlay Roles |
| --- | --- |
| Continuity Planner | Continuity Planner |
| Continuity Auditor | IT DR Planner |
| Continuity Power User | Overlay – View Only |
| IT DR Planner | Overlay – Power User |
| IT DR Auditor | |
| IT DR Power User | |
To group your roles better, you probably want the names of the overlay roles to begin with “Overlay”. Also keep in mind that if a permission is specifically denied, it cannot be overridden by an overlay that grants additional access.
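The following is an added example, not code from the original post or from LDRPS, that models the overlay scheme described above (base planner roles plus a View Only and a Power User overlay) and the rule in the last paragraph that an explicit deny cannot be overridden by a later grant. The permission model (data type, action, allow/deny, a `*` wildcard) and the role definitions are constructed assumptions for illustration; the point is to show how stacking overlays resolves, and to give a reviewer a quick way to print the effective access of any role assignment instead of digging through permission sets by hand.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Tuple

# Hypothetical permission model for illustration: every permission names a
# data type, an action, and whether it grants or explicitly denies access.
WILDCARD = "*"


class Effect(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Permission:
    data_type: str  # e.g. "plan", "employee"; WILDCARD matches every type
    action: str     # e.g. "view", "edit"; WILDCARD matches every action
    effect: Effect

    def matches(self, data_type: str, action: str) -> bool:
        return (self.data_type in (WILDCARD, data_type)
                and self.action in (WILDCARD, action))


@dataclass(frozen=True)
class Role:
    name: str
    permissions: Tuple[Permission, ...]


def effective_access(roles: Iterable[Role], data_type: str, action: str) -> bool:
    """Combine every assigned role (base plus overlays).

    An explicit DENY anywhere wins, so a 'View Only' overlay cannot be undone
    by stacking a 'Power User' overlay on top of it. Otherwise the user has
    access only if some role grants it; silence means no access.
    """
    granted = False
    for role in roles:
        for perm in role.permissions:
            if perm.matches(data_type, action):
                if perm.effect is Effect.DENY:
                    return False
                granted = True
    return granted


def access_matrix(roles: Iterable[Role], data_types, actions) -> Dict[Tuple[str, str], bool]:
    """Effective permissions of one role assignment, laid out for review."""
    roles = tuple(roles)
    return {(d, a): effective_access(roles, d, a) for d in data_types for a in actions}


# Constructed sample roles mirroring the right-hand column of the table above.
CONTINUITY_PLANNER = Role("Continuity Planner", (
    Permission("plan", "view", Effect.ALLOW),
    Permission("plan", "edit", Effect.ALLOW),
    Permission("employee", "view", Effect.ALLOW),
))
IT_DR_PLANNER = Role("IT DR Planner", (
    Permission("it_recovery", "view", Effect.ALLOW),
    Permission("it_recovery", "edit", Effect.ALLOW),
    Permission("employee", "view", Effect.ALLOW),
))
# View on everything, edit denied everywhere: the "View Only Overlay".
OVERLAY_VIEW_ONLY = Role("Overlay - View Only", (
    Permission(WILDCARD, "view", Effect.ALLOW),
    Permission(WILDCARD, "edit", Effect.DENY),
))
# Only the one permission set needed to widen access to employee records.
OVERLAY_POWER_USER = Role("Overlay - Power User", (
    Permission("employee", "edit", Effect.ALLOW),
))

DATA_TYPES = ("plan", "it_recovery", "employee")
ACTIONS = ("view", "edit")

if __name__ == "__main__":
    assignments = {
        "Continuity Auditor": (CONTINUITY_PLANNER, OVERLAY_VIEW_ONLY),
        "Continuity Power User": (CONTINUITY_PLANNER, OVERLAY_POWER_USER),
        "IT DR Auditor": (IT_DR_PLANNER, OVERLAY_VIEW_ONLY),
        "Auditor + Power User (deny wins)": (CONTINUITY_PLANNER, OVERLAY_VIEW_ONLY, OVERLAY_POWER_USER),
    }
    for label, roles in assignments.items():
        matrix = access_matrix(roles, DATA_TYPES, ACTIONS)
        allowed = sorted(f"{d}:{a}" for (d, a), ok in matrix.items() if ok)
        print(f"{label:35} {', '.join(allowed)}")
```

One thing the matrix makes visible: because the View Only overlay grants view on every data type, an IT DR Auditor built from `IT DR Planner + Overlay - View Only` can also view continuity plans, which the base IT DR Planner role alone could not. If the base role is meant to bound what a user can see, keep the overlay to the edit deny and leave view grants to the base roles; either way, run the matrix for each combination you hand out and confirm the result is the one you intended.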