Managing permissions

Your “role” determines what you can see and do in an enterprise application—or whether you have access at all.

Shouldn’t it be quick and easy to get access if you need it?

Background

Anytime a Partner or Supplier needs access to PAM (the product setup application at HEB), our Product Manager (PM) has to manually set up their account or approve their request.

This manual process has become a bottleneck—it’s not only inefficient due to the influx of requests but also unnecessary, considering that Suppliers are already vetted and Partners are trusted coworkers.

My role

As the UX Designer for this project, I was responsible for the end-to-end user experience, collaborating with the Product Manager, Engineers, and stakeholders. From research to design and engineering reviews, I ensured a user-centric solution that aligned with both user needs and technical feasibility.

Getting started

Whenever I start a project, I’m looking for ways to make my users’ lives easier. This project was a little unusual for me because this feature would primarily impact just one person—and that person is my PM!

So I met with him to document his current process for reviewing and approving these requests.

Our current approval flows

Analysis

While automating the process would undoubtedly benefit the PM, that alone isn’t enough to justify prioritizing this over other features, nor the Engineering expense.

So I collected and analyzed historical data to identify any patterns in access request volume and see if requests were trending downward.

Here’s what I found:

  • We had a steady increase of Partners joining during PAM’s pilot period (and to a lesser extent, Suppliers).

  • As expected, Supplier requests soared after we turned off Supplier access to Core Product Setup (CPS), the old product setup application that PAM is replacing.

  • The number of requests from Partners spiked when Suppliers (and their product submissions) migrated from CPS to PAM.

  • Requests stabilized after these events, but did not cease.

So what’s the priority?

Looking at this data, it seemed like we had weathered the storm (at least for Partner requests). But would that always be the case?

I decided to work on designs for this now for a few reasons:

  • Several features on PAM’s roadmap would bring in a lot of new users, and I didn’t want manual access approvals to delay users’ access to those features.

  • My team wouldn’t actually develop the backend portion of the solution to automate approval for Suppliers, so my PM and I would need to collaborate with another team to get that work prioritized.

  • I was really far ahead of Engineering and my PM and I were still figuring out our priorities for the next quarter, so I had time.

  • I had an idea for a simple solution that I knew I could quickly design.

Solutions

1. Auto-approve Supplier requests

HEB adds about 3,600 Suppliers a year, so we don’t expect these Supplier requests to decrease. We should prioritize automating approval.

2. Auto-approve some Partner requests

Most Partner roles in PAM are straightforward and specific. Partners are absolutely capable of choosing the right role for themselves.

3. Update manual approval process

We can’t auto-approve all Partner access requests right now, but we can make the approval process faster and more resilient.

1. Auto-approve Supplier requests

Suppliers request access to apps via Supplier Portal, which sends those requests to Supplier Identity Management (SIDM). Right now, access requests for PAM require manual approval in SIDM—but that’s not the case for all applications. So our PM asked the SIDM team to let PAM join the other apps with auto-approval status.

I won’t lie—I don’t know how much work this put on the SIDM team. I focused on working with our Engineering team to ensure we handled this smoothly in PAM.

My lead Engineer and I talked through the Supplier scenario. Since PAM uses SIDM to authenticate Suppliers and enable single sign-on, once SIDM can automatically approve access requests, Suppliers can access PAM with no issue. Our Engineers ended up with no changes to implement! 🎉

  • HEB can only pay vendors or businesses that exist in our system, so some “Suppliers” in our system will actually never set up products and don’t need access to PAM.

    We have asked the Procurement Accounting team to consider including PAM as a default application for new Suppliers when appropriate.

2. Auto-approve some Partner requests


We can automatically approve requests for certain roles because the risk of the wrong user causing harm is super low. These users are our fellow coworkers—they just want to get their work done and aren’t up to anything nefarious. We can trust them.

3. Update manual approval process

We still need a manual approval process in two instances—when users aren’t sure what role to select or when they choose the Procurement Support role.

The Procurement Support role in PAM is very powerful, and that team’s leaders aren’t comfortable with auto-approval right now. The solution I designed takes the burden of approval for this role off of our PM’s shoulders and hands that control over to the Procurement Support team.

We also need manual approval for the rare instances where the requester isn’t sure what role or level of access they need.

This design would prompt the Partner to give our PM the details he needs to choose the right role for them. If our PM decides to approve the request, the email includes a link that would take him exactly where he needs to go in HEB’s roles and permissions tool, ARBAF.

What we’ve done so far

The SIDM team recently implemented the auto-approval flow for Suppliers, which is a huge win considering HEB onboards about 300 Suppliers a month.

Our Product Manager no longer has to manually approve these requests and our Suppliers now get immediate access to PAM.

Next steps

Since access requests from Partners have stabilized to about 2-3 requests a month, we haven’t prioritized automating these requests.

However, we know that some future features will greatly expand the number of Partners that need access to PAM. So we’ll re-evaluate prioritization before we deliver those features.

We also held off on conducting usability testing for these designs right now because those future features might require additional roles or a different approach to permissions for Partners altogether.

For now, we’re satisfied with automated approvals for Suppliers.