an analyst can switch groups on the fly, but I don't think they can switch roles as easily since you can't have a "current" or "primary" role.
I switch groups to maintain things and troubleshoot errors frequently. I don't know how this would be done using roles to separate things?
Yeah. I just don't think it can be done against a role and you can't remove Read access from just one lifecycle in the permissions for a Role.
I've not used a role, but I have used a user defined attribute to do the partitioning. So it might be worth a play with that. I used a category as the partitioning attribute so that the right to access a process could be allocated in a hierarchical way to analysts. The idea was that the process had the attribute as a lock and the analyst had the attribute as a key which could open the lock if it was the right value. It worked well and allowed people to do things like work on an incident, change their key and not even be able to see the original incident again! The value of the attribute was set as part of the process so I could give people the ability to switch keys based on permissions to the process actions that change the partitioning attribute.
OK so it's not a role, but you might be able to use something like this? Controlling partitioning via process actions themselves gives you a lot of flexibility.
Can you configure more than one partitioning attribute? I haven't gotten into implementing any sort of partitioning yet, but may need to in the nearer future as we bring more groups into using SD.
Quote from the manual ...
NOTE: Only one attribute on an object can be set as the Partition Type for analyst partitioning, and one for customer partitioning. These could be the same attribute if you selected the Partition Type of Both.
You can also partition config data.
If you want to check this area out I'd recommend using a category as the partitioning attribute because this allows for hierarchical partitions. e.g. someone could look at data with a partition of Accounts/Accounts Receivable, someone else only Accounts/Accounts Payable and a supervisor with access to the top level Accounts could see both partitions.
You can have some fun where a person can assign a process and you set the partition attribute on the fly so that they can no longer even see the process they just assigned.
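
Added example, not part of the thread and not the product's own code: a small Python model of the lock-and-key idea described above, where a category key opens a lock at the same level or below it, and an assign action changes the lock. All names here (`key_opens`, `Process`, `Analyst`, `assign`, the `INC-` references) are hypothetical and the data is constructed.

```python
from dataclasses import dataclass

def segments(category: str) -> tuple[str, ...]:
    """Split 'Accounts/Accounts Payable' into path segments."""
    return tuple(s.strip() for s in category.split("/") if s.strip())

def key_opens(key: str, lock: str) -> bool:
    """A key opens a lock at the same category or anywhere beneath it.
    Whole segments are compared, not string prefixes, so a key of
    'Accounts' does not open a sibling such as 'Accounts Archive'."""
    k, l = segments(key), segments(lock)
    return bool(k) and l[:len(k)] == k   # an empty key opens nothing

@dataclass
class Process:
    ref: str
    partition: str          # the lock, stored on the process

@dataclass
class Analyst:
    name: str
    partition: str          # the key, stored on the analyst

def visible(analyst: Analyst, processes: list[Process]) -> list[str]:
    """References of the processes this analyst's key can open."""
    return [p.ref for p in processes
            if key_opens(analyst.partition, p.partition)]

def assign(process: Process, new_partition: str) -> None:
    """Model of a process action that sets the partition on assignment."""
    process.partition = new_partition

if __name__ == "__main__":
    # Constructed sample data
    queue = [Process("INC-1", "Accounts/Accounts Receivable"),
             Process("INC-2", "Accounts/Accounts Payable"),
             Process("INC-3", "Accounts Archive")]
    supervisor = Analyst("supervisor", "Accounts")
    ar = Analyst("ar_analyst", "Accounts/Accounts Receivable")
    print(visible(supervisor, queue))   # both Accounts partitions
    print(visible(ar, queue))           # Accounts Receivable only
    assign(queue[0], "Accounts/Accounts Payable")
    print(visible(ar, queue))           # the assigned process is gone
```

The last step is the case to audit for: whoever has permission on an action that changes the partitioning attribute can move a record out of their own view, so those action permissions are part of the access model.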