Why CRM security is always a 'role'-your-own project

David Taber | April 4, 2013
With most enterprise applications, the security model can be simply user/group/world. It can't be all that complicated with CRM, right? Think again.

Depending on the specifics, records owned by users with role problems may be visible to the wrong groups, or they may not be visible to anybody at all. This causes all kinds of fun in reporting, workflows and other automation that's supposed to make things easier. The malfunctions will continue until the record ownership is brought up to date with the current role hierarchy.

The good news: This particular data repair, fixing who owns which record, requires updating just one field per CRM record. The not-so-hot news is that some data repair needs to be done every time there's a sales reorganization or staff change. The solution: Bake some data repair into your work plan at least once a quarter.
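An added example (not from the original article): a sketch of the recurring ownership check described above, run over constructed data. The role, user and record structures are a simplified, hypothetical model rather than any CRM vendor's schema.

```python
# Constructed sample data in a simplified, hypothetical model (no vendor schema).
ROLE_PARENT = {  # role -> parent role after the latest reorganization
    "CEO": None,
    "VP Sales": "CEO",
    "West Rep": "VP Sales",
    "East Rep": "Regional Mgr",  # parent role was removed in the reorg
}
USERS = {
    "u1": {"role": "West Rep", "active": True},
    "u2": {"role": "East Rep", "active": True},
    "u3": {"role": "Channel Rep", "active": True},  # role no longer exists
    "u4": {"role": "West Rep", "active": False},    # has left the company
    "u5": {"role": None, "active": True},
}
RECORDS = [("opp-1", "u1"), ("opp-2", "u2"), ("opp-3", "u3"),
           ("opp-4", "u4"), ("opp-5", "u5"), ("opp-6", "u9")]

def role_problem(role, role_parent):
    """Return why a role does not fit the current hierarchy, or None if it does."""
    if role is None:
        return "owner has no role"
    if role not in role_parent:
        return "owner's role is not in the current hierarchy"
    seen = set()
    while role is not None:  # walk up to the root, watching for breaks and loops
        if role in seen:
            return "role hierarchy contains a cycle"
        seen.add(role)
        if role not in role_parent:
            return "role chain is broken above the owner's role"
        role = role_parent[role]
    return None

def owner_problem(owner_id, users, role_parent):
    user = users.get(owner_id)
    if user is None:
        return "owner does not exist"
    if not user["active"]:
        return "owner is inactive"
    return role_problem(user["role"], role_parent)

def audit_ownership(records, users, role_parent):
    """List (record, owner, reason) for every record whose owner field needs repair."""
    checked = ((rec, own, owner_problem(own, users, role_parent)) for rec, own in records)
    return [row for row in checked if row[2]]

if __name__ == "__main__":
    for finding in audit_ownership(RECORDS, USERS, ROLE_PARENT):
        print(*finding, sep="\t")
```

Each finding names the one field to update, the record's owner, and the reason the current value no longer fits the hierarchy.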

CRM Record Sharing Can Save the Day

Because the effect of roles is binary, they must be supplemented with sharing rules that amend record visibility. For example, you don't generally want sales representatives editing each other's deals, but you do want to be able to do load-shedding when a sales rep is on vacation.

Sharing rules are exception handlers that simply say, "Under these special conditions, some users will be able to see records that would be otherwise hidden from them." Although each rule has only a few input parameters and a single yes/no output parameter, large organizations may have hundreds of them and, you guessed it, they need to be updated whenever there is a significant org-chart or business-charter change.

Additional CRM Security Mechanisms Will Vary

In Salesforce, several system elements, in particular record types, are inherently sensitive to profiles, while several other areas of the system can be configured to be sensitive to roles, groups, teams and queues. Applications and custom code added to Salesforce may add their own privilege management systems for individuals and collections.

As is the case with distributed systems, cloud administration doesn't offer a single administrative master control system. You have to build and maintain your own expertise around your system's peculiarities and expect that a major part of the system administrator's job is troubleshooting and fixing security issues on an ongoing basis.

Although lots of great tools can help inspect and manipulate many of the security attributes in your CRM complex, there is no "God's eye view" of the system. In my humble opinion, there's no hope for one, though we have seen elaborate tools purpose-built to coordinate change across multiple system elements.

The only way to know every area of the system that might be affected by a change, then, is to build your own administrative manual. This is best done as a crowdsourced effort, allowing only the truly knowledgeable to write and measuring them for frequency and length of their contributions.
