Questionnaire
People, roles & access
Who gets which type of account, which rights, and how do you keep it clean when people join, leave or change roles? Decisions you settle now save hundreds of manual actions later.
Updated May 18, 2026
Questionnaire · 4.2
Why this now
Managing users manually does not scale. Every new hire, departure or job change triggers something — often in three systems. Skip this now and you’ll live with a Gfacility where half the accounts trail behind reality. That ruins reporting, chargeback and, worse, trust in the system.
What do you deliver?
- Role matrix: Which role may perform which type of action — including the exceptions.
- Identity-source choice: Entra ID / Google Workspace / Okta — which is the truth, which syncs.
- Joiner / Mover / Leaver flow: Per scenario: trigger, action, owner, SLA. No more ad-hoc actions.
- External-user policy: How do you handle contractors, interns, external suppliers and visitors that need an account?
Key questions
1. Which identity source is authoritative for accounts (Entra ID, Google Workspace, Okta, HRIS)? One source or more?
2. Which roles do you need in Gfacility? Start with the big four (End user, Service agent, Facility coordinator, Admin) and justify every extra.
3. Which actions may someone with that role perform? Be concrete: create ticket, escalate, close, book a room on behalf of someone, approve chargeback.
4. How does an account come into being? Automatic provisioning from SCIM/IdP, or via a request form?
5. What happens at departure? Deactivate immediately, hand over the file, or grey out for 30 days for reporting?
6. Job mover — if someone moves internally, who adjusts the role? HR with automatic sync or the admin manually?
7. External users — do contractors get their own account or work via a shared supplier account? What about SSO?
8. MFA, conditional access and session timeout — inherited from the IdP or must Gfacility enforce its own rules?
9. Periodic audit — how often (and who) checks that the role assignments are correct? Quarterly by owners, or yearly by Security?
Template — Role matrix
| Role | Create ticket | Handle ticket | Book room | Book on behalf | Approve chargeback | Admin settings |
|---|---|---|---|---|---|---|
| End user | ✓ | — | ✓ (own) | — | — | — |
| Service agent | ✓ | ✓ (own workgroup) | ✓ | — | — | — |
| Facility coordinator | ✓ | ✓ (all FM) | ✓ | ✓ | ✓ (FM) | — |
| Admin | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| … | … | … | … | … | … | … |
Template — Joiner / Mover / Leaver
| Scenario | Trigger | Action | Owner |
|---|---|---|---|
| Joiner | HR system creates account. | Provisioning within 2h, welcome email incl. mobile app link. | HR + IT (automated). |
| Mover | Department or function change in HR. | Role re-evaluation, old rights revoked immediately, new rights approved within 5d. | New line manager. |
| Leaver | Termination date reached. | Login blocked at 5pm last working day; tickets/bookings handed over to replacement. | Line manager + IT. |
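
The periodic audit from key question 9 can be run as a reconciliation between the authoritative identity source and the application's account list, using the Leaver rule above as the cutoff. The following is an added example, not Gfacility code or part of the original questionnaire. The record layout, field names, user names and finding labels are constructed assumptions, and times are treated as the organisation's local time.

```python
from datetime import date, datetime, time

# Constructed sample data. Field names are assumptions for illustration,
# not a Gfacility, HRIS or IdP schema.
IDENTITY_SOURCE = {
    "alice": {"last_day": None},
    "bob": {"last_day": "2026-05-15"},    # leaver, last working day passed
    "carol": {"last_day": "2026-05-29"},  # leaver, last working day ahead
}
APP_ACCOUNTS = [
    {"user": "alice", "role": "Service agent", "enabled": True},
    {"user": "bob", "role": "Facility coordinator", "enabled": True},
    {"user": "carol", "role": "End user", "enabled": True},
    {"user": "dave", "role": "Admin", "enabled": True},       # no source record
    {"user": "erin", "role": "Superuser", "enabled": False},  # role outside matrix
]
MATRIX_ROLES = {"End user", "Service agent", "Facility coordinator", "Admin"}
LOGIN_CUTOFF = time(17, 0)  # Leaver template: login blocked at 5pm, last working day


def audit(source, accounts, now):
    """Return (user, finding) pairs for accounts that trail behind the source.

    `now` is a naive datetime in the organisation's local time (assumption).
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Roles outside the agreed matrix are flagged even on disabled accounts,
        # because re-enabling the account would bring the role back.
        if acct["role"] not in MATRIX_ROLES:
            findings.append((user, "role not in matrix"))
        if not acct["enabled"]:
            continue
        record = source.get(user)
        if record is None:
            findings.append((user, "enabled without identity-source record"))
            continue
        if record["last_day"] is not None:
            block_at = datetime.combine(date.fromisoformat(record["last_day"]), LOGIN_CUTOFF)
            if now >= block_at:
                findings.append((user, "leaver still enabled"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(IDENTITY_SOURCE, APP_ACCOUNTS, datetime(2026, 5, 18, 9, 0)):
        print(f"{user}: {finding}")
```

External users who are deliberately kept outside the identity source will show up as "enabled without identity-source record", so the external-user policy decides whether they are added to the source or listed as approved exceptions.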