I concur with user evanr--with the kudos--for your newborn. Very exciting times!
As to the root of your post/question, I believe the granular permissions scenario is best in this use-case. HOWEVER, the permissions should be attached to Active Directory Domain Services (AD for short), vis-a-vis, AD Groups. From this point, it is possible to nest Groups inside each other--to make mass changes--based on use-case and user role type.
We are currently implementing SolarWinds (SW) across a large enterprise environment, and we purchased most of the SW modules. Our process, successful (so far), is to:
- Implement SW and all modules (first).
- Next, create a User Access Rights Matrix--that details the hierarchy of Groups and the users within each Group--within the Matrix.
- After the Matrix is complete and all of the appropriate people signed-off on the Matrix, we slowly begin to implement each Group--throughout our SW environment.
- Following the Group-level implementation, we then continue to very slowly add the Users to the Groups--per the Matrix--ensuring that we are not overwhelmed by the new users and further ensuring that errors are prevented--by granting too many Access Rights--to each Group and each User.
- Finally, we review and audit each Group and User--particularly Users that are unique and outside the standard Group/User use-case.
Thank you for a good question/post, because this is very important to a successful SW implementation--keeping it safe, maintaining performance, and ensuring a solid user experience.