In our organisation, we're using the AGDLP principle with system roles and business roles:
Account -> Business Role -> System Role -> Global Group -> Domain Local Group (with resource / permission).
Where a System Role can have multiple Global Groups.
We want to make it:
Account -> Business Role -> System Role -> Domain Local Group (with resource / permission).
Where a System Role can have multiple Domain Local Groups.
The difference is that we don't want to use Global Groups anymore. We do think it will only have benefits (reduced token size, more standardization).
Does anybody have any pros and cons we didn't think of?
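
To put numbers on the token-size point, here is an added example (not part of the original post) that resolves both nesting chains transitively and applies Microsoft's published estimate, TokenSize = 1200 + 40d + 8s. All account, role and group names are hypothetical, and it assumes the business and system roles are IAM-side constructs rather than AD groups, so they contribute no SIDs.

```python
# Added example: constructed nesting data, all names hypothetical.
# Estimate per Microsoft's published formula: TokenSize = 1200 + 40d + 8s
#   d = domain local groups (+ universal groups from other domains, SID history)
#   s = global groups (+ universal groups from the account's own domain)

def effective_groups(start, member_of):
    """Return every node reachable from `start` by following nesting edges."""
    seen, stack = set(), [start]
    while stack:
        for parent in member_of.get(stack.pop(), ()):
            if parent not in seen:      # also guards against circular nesting
                seen.add(parent)
                stack.append(parent)
    return seen

def estimate_token_size(account, member_of, scope):
    """Apply 1200 + 40d + 8s; nodes without a scope (roles) add no SID."""
    groups = effective_groups(account, member_of)
    d = sum(1 for g in groups if scope.get(g) == "domain_local")
    s = sum(1 for g in groups if scope.get(g) == "global")
    return {"d": d, "s": s, "bytes": 1200 + 40 * d + 8 * s}

# Assumption: business and system roles live in an IAM tool, not as AD groups.
CURRENT = {
    "alice": ["BR_Finance"],
    "BR_Finance": ["SR_ERP", "SR_FileShare"],
    "SR_ERP": ["GG_ERP_Users", "GG_ERP_Reports"],
    "SR_FileShare": ["GG_Fin_Share"],
    "GG_ERP_Users": ["DL_ERP_App_RW"],
    "GG_ERP_Reports": ["DL_ERP_Reports_R"],
    "GG_Fin_Share": ["DL_Fin_Share_RW"],
}
PROPOSED = {
    "alice": ["BR_Finance"],
    "BR_Finance": ["SR_ERP", "SR_FileShare"],
    "SR_ERP": ["DL_ERP_App_RW", "DL_ERP_Reports_R"],
    "SR_FileShare": ["DL_Fin_Share_RW"],
}
SCOPE = {name: "global" for name in ("GG_ERP_Users", "GG_ERP_Reports", "GG_Fin_Share")}
SCOPE.update({name: "domain_local" for name in
              ("DL_ERP_App_RW", "DL_ERP_Reports_R", "DL_Fin_Share_RW")})

if __name__ == "__main__":
    for label, graph in (("current", CURRENT), ("proposed", PROPOSED)):
        print(label, estimate_token_size("alice", graph, SCOPE))
```

In this estimate each global group costs 8 bytes and each domain local group 40, so the same function can be run over an export of real nesting data to compare the two designs per account.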