Managing users with multiple roles
As an example, in some cases, we might start with the idea that the people in the A/P department will be given either the A/P Clerk
role or the Accountant
role but later on, we might find a user who splits their time between both of these activities. We need to maintain accounting rules, such as the separation of duties, but assuming we're safe to give this person all the access they need, we can define one new role for them (including all of the permissions they need) or we can assign them two of the more common roles. In the first case, they can just log in to their account each day and do everything they need. However, then you would have to maintain this additional role over time, just for that person.
With the two roles approach, the user would have to get used to splitting up their time and logging into the account with whichever role they needed to use throughout the day. This can become tedious, but it might still be better, since...