Providing the right people with access to the right actions and tasks
Following sprint one: managing users, we continued to explore a simple and secure approach to access management, looking at ways to allow healthcare settings to assign permissions to users based on their roles.
During research throughout alpha and beta, we engaged with different users at varying organisational levels and roles, gathered and analysed their needs, and grouped them into roles based on their common responsibilities. Duties range from recording data and editing records to approving records and reporting.
Role-permissions relationships
We then assigned one or more permissions to each role, aiming to simplify the process of managing users. Since each user has privileges based on their set permissions, they do not need to be managed individually. We also gave users the fewest permissions that would allow them to accomplish their work.
The first round of testing
Adding users, assigning roles and permissions
Role-permissions table
What we learnt
Overall, users felt the roles we presented to them represented their organisational structures. However, every organisation has its own way of classifying roles.
As such, we found several instances where our role-permissions relationships needed to change to align with users’ expectations, which made the task of assigning roles and permissions complicated and not easily understood.
For example, users expect:
- Organisation Leads or Administrators to have a higher level of permissions than Clinic Managers
- Organisation Administrators to have editing rights
- Organisation Administrators and Vaccinators to manage appointments
“Trusts have different ways of looking at and classifying roles.”
Participants were also unclear on whether they could assign one or more roles to each user, and they found the permissions table challenging to navigate in terms of order, hierarchy, layout, and orientation.
The second round of testing
Based on our findings, we simplified our access management approach, removing roles and allowing healthcare settings to assign permissions to users. We clearly stated what each permission would entail in an expanding permissions table.
During testing, users understood the different types of permissions, which strongly aligned with their expectations. Some users highlighted that the approach was flexible enough to suit different organisations and how they organised their roles – ultimately giving everyone more control.
“I like the level of customisation.”
Additionally, users suggested creating ‘permission groups’ to assign permissions to multiple users at once instead of setting permissions for individual users.
Setting permissions screen
Permissions table
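A minimal sketch of the second-round model, with permissions assigned to users and the 'permission groups' users suggested layered on top. This is an added example, not the service's own code; the permission names (taken from the duties listed above), the class, and the user and group names are all assumptions.

```python
from dataclasses import dataclass, field

# Assumed permission names, based on the duties the post lists.
PERMISSIONS = frozenset({"record_data", "edit_records", "approve_records",
                         "report", "manage_appointments"})

@dataclass
class AccessStore:
    direct: dict = field(default_factory=dict)   # user -> permissions granted individually
    groups: dict = field(default_factory=dict)   # group -> permissions the group carries
    members: dict = field(default_factory=dict)  # group -> users in the group

    def _validate(self, perms):
        unknown = set(perms) - PERMISSIONS
        if unknown:  # reject typos rather than silently storing a dead permission
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        return set(perms)

    def grant(self, user, perms):
        self.direct.setdefault(user, set()).update(self._validate(perms))

    def define_group(self, group, perms):
        self.groups[group] = self._validate(perms)
        self.members.setdefault(group, set())

    def add_to_group(self, group, users):
        if group not in self.groups:
            raise KeyError(f"undefined group: {group}")
        self.members[group].update(users)

    def effective(self, user):
        """Union of individual grants and grants inherited from groups."""
        perms = set(self.direct.get(user, ()))
        for group, users in self.members.items():
            if user in users:
                perms |= self.groups[group]
        return perms

    def can(self, user, perm):
        return perm in self.effective(user)  # deny by default, unknown users included

    def excess(self, user, needed):
        """Permissions held beyond what the work needs (least-privilege review)."""
        return self.effective(user) - self._validate(needed)

def build_demo():
    # Constructed sample data: one group assigned to two users at once.
    store = AccessStore()
    store.define_group("appointments", {"manage_appointments"})
    store.add_to_group("appointments", {"org_admin_a", "vaccinator_a"})
    store.grant("org_admin_a", {"edit_records", "report"})
    store.grant("vaccinator_a", {"record_data"})
    return store
```

The `excess` check is what keeps group assignment from eroding least privilege: it reports anything a user holds, directly or through a group, that their work does not need.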
Usability score and summary
Using a seven-point rating scale, users scored our iterated user management approach 6.6 out of 7 (very confident) compared to our first round of testing, where our approach scored 5.25 (slightly confident). Overall, users found the interface very simple and intuitive, making it clear what they could and could not do in the system.
“It’s easy, simple and intuitive.”