Hello all: My employer has fairly strict rules regarding granting internet
access, in fact most employees do not have access except for our timeclock
service. However, recently I have had to grant access to select people so
they can access several more sites. We still want to avoid giving full
access if we can.

So now I have all these rules to write and frankly it is getting very
confusing. My past method was to write rules based on groups of employees
accessing common site(s). But now I am getting many groups which are
subsets and supersets of existing rules.

So , I am considering shifting the way I wirte rules and just make rules on
a per user bases. That way when I am asked to grant access to another site
for emplyees A and B, I can just go to "their access rule" and add those
sites.

What do others do in situations like this? Just punt and grant full access?
Create these individual-based rules?

thanks, chris.