How to explain the authorisation of the system to users
The problem I currently have is: users do not understand the authorisation of the system well (i.e. what a user can do in the system depending on his roles and other things, not to be confused with authentication).
The situation:
We are developing a business system, and the business requirements towards authorisation are unfortunately rather complex.
Now, users often are confused at why they cannot see a certain object another colleague sent them, or why they cannot edit certain objects. They often ask us to tell them the roles that they currently have, but that actually doesn't really make it understandable for them. Then they want to know what roles in what configuration they would need for XYZ.
The authorisation works as follows:
Users request a role in a central role management system according to their process roles. During the request, they additionally have to select certain attributes for the role which denotes for which parts they are actually working in that role.
Our system then maps their roles to rights. Additionally, these rights may have conditions on the attributes the users selected for their role.
My request therefore:
Does anyone have examples or ideas of how it could be made more transparent to the user, so that they
- understand why a certain action is restricted to them
- know what roles in what configuration they would need to enable them to do what they wanted to.