When setting up security groups for an organization that wants granular permissions, conflicts often occur.
ex: /Security Group A should be able to edit purchase invoices, but not post/
/Security Group B should not be able to edit purchase invoices, but is able to post/
/Security Group C can only approve documents, but cannot edit nor post/
I think this is common for public companies to meet regulations.
When it comes to structure, recording permissions to allow for a task is simple; however, restricting access to any small feature (like editing purchase invoice) seems to have compounding effects for access to other aspects of the system, which is difficult to understand. Because of this, we have a customer that is blocked by permissions constantly performing routine tasks due to the restrictions from other sections. It's not clear to me how to go about setting up these permission sets when the naming conventions are vague and there are thousands [millions?] to deal with.
Are there third parties that specialize in this?