Hi Amir
You need to step back and figure out the design and usage of the accounts. Options can include:
Approach 1
Each user is granted a FF Id. Therefore, if you have 300+ support users then you will need 300+ FF Ids.
- Benefits: if your users are required to use FF frequently, then they might each need their own so they don't lock each other out. A FF Id can only be used by one user at a time
- Benefit: you can map each person to a specific controller (more controllers potentially)
- Drawback: large number of FF Ids and you might have some users who rarely need FF access.
- Log review would be the same effort as it's based on usage
- Naming convention of FF Id - most places try to have a convention of User Id + FF (eg FF_12345 is assigned to user 12345) depending on characters you can play with.
- FF Access can be a lot more specific to the user's support requirement (restrict what they can do on the FF Id).
E.g. 300 Users = 300 FF Ids
Approach 2
Multiple users are granted to a FF Id. You group users into their job function and assign them to the FF Ids.
- Benefit - less administration compared to option 1
- Drawback - users may compete for access to a FF Id
- Process wise - you would advise your users that they will see multiple Ids in their logon cockpit and tell them to choose the first available one
- Log review would be the same effort as it's based on usage
- Naming convention of FF Id tries to differentiate the account purpose (e.g. Finance would be FF_FI01 through to FF_FI10 if you created 10 FICO roles. You could even have FF_FIAP01 for Accounts Payable functions only). Either way, it's to make administration easier.
Example: You have 300+ support users across 10 modules. Therefore, at a minimum you would need 10 FF Ids and multiple User to FF Id assignments. Due to the 300+ people you might allow multiple FF Ids for each module (i.e. 3 FF Ids for Finance).
Approach 3
You have a hybrid of the two areas to overcome the shortcomings of both. For high volume areas like security you might assign each user their own FF Id (1 to 1 mapping) whilst in other areas you might assign a shared Id.
The FF logs record which User accesses which FF Id, so you are all good there.
Depending on your business requirements, you might want to enable ARQ workflow for FF requests to manage the administration and allow controllers to approve. Part of your design is also whether the Support Users are permanently assigned the FF Id or must request them when they need them.
Regards
Colleen