Decision Guides

Use these guides when you’re unsure which pattern to apply. Each guide addresses a common decision point.

OU vs Group

Question: Should this be an OU or a Group?

OU = Policy boundary (device posture, session length, DLP rules). Answers “what security controls apply to this person?”
Group = Access list (drive permissions, system roles, mail distribution). Answers “what can this person do?”

Rule: If it controls security posture, it’s an OU. If it controls what they can access, it’s a Group.

Department vs Team

Question: Should I create a new Department or a new Team?

Create a Department when:

The function owns budget, policy, or platform scope
It will contain multiple Teams for 12+ months
It has a distinct compliance or audit surface

Create a Team when:

It’s a working group within an existing Department
It might not exist in 6 months
It doesn’t own budget or policy scope

Rule of thumb: If it doesn’t own budget, it’s a Team.

Role Ownership

Question: Which team should own this role?

If the role affects…	Owner is…
Org-wide security posture	`plt` or `sec`
Public-facing content	`mktg` (with `plt` gating dangerous options)
Engineering systems	`eng`
Customer delivery	`ops`
Financial systems	`fin`
HR systems	`hr`
Legal systems	`legal`
Cross-functional analytics	`biz`

Mail Pipe Chooser

Question: Which mail pipe should I use?

Is the sender a human?
  YES → Is the audience internal?
          YES → Is it a broadcast (few senders, many readers)?
                  YES → Mail (Announce)
                  NO  → Mail (Discussion)
          NO  → Mail (Public or C-Inbox)
  NO  → Is it urgent / on-call actionable?
          YES → Alerts
          NO  → Is it a report for later review?
                  YES → Intake
                  NO  → Infra (router)

Public Contact: C-Inbox vs Standard Mail

Question: Should this public address be a Collaborative Inbox?

C-Inbox when you need assignment, queuing, and SLAs (support, sales inquiries).
Standard Public when you just need moderated delivery to a small responder set (press, general contact).

Drive Channel Selection

Question: Which drive channel should this content go in?

Content Type	Channel	Why
Final deliverables, agendas, status updates	COLLAB	Safe for customer/external eyes
Working drafts, internal notes, AI summaries	TEAM	Internal only
Raw recordings, evidence, PII/PHI	STRICT	Need-to-know, chain-of-custody

Shared Drive vs Folder vs Repo

Question: Should I create a new drive, a folder, or a git repo?

New drive when: new customer, new major function, or sensitivity boundary needs isolation.
New folder when: new project within existing customer/function.
Git repo when: code, IaC, or version-controlled config.

Vendor vs Partner vs Customer

Question: Which taxonomy should I use?

They serve us	→ Vendor
We serve them	→ Customer
We collaborate as peers	→ Partner

Security Label: ON vs OFF

Question: Should this group have the Security label?

ON for groups that appear on ACLs or grant system access (Dept, Team, Role, some Customer groups).
OFF for communication/routing groups (Mail, Intake, Alerts, Infra, People, Ident).

Warning: Security label is irreversible. When in doubt, leave it OFF — you can always recreate with it ON, but you can’t turn it OFF.

Infra Router vs Direct-to-Alerts

Question: Should this system post directly to Alerts, or go through an Infra router?

Use Infra router when:

Multiple noisy sources feed one on-call lane
You need classification (one source, many topics)
You need cross-tenant bridging
Volume is high and you want centralized allowlisting

Use Direct-to-Alerts when:

Single, high-signal source
Low volume
Simple routing (one source → one alerts group)

Breakglass / Emergency Paths

When normal processes are blocked (SSO outage, IdP failure):

Unsuspend breakglass account (two-person rule).
Login with FIDO2 escrowed keys.
Perform scoped admin tasks.
Re-suspend breakglass account.
Record evidence (ticket, approver, timestamps, actions taken).
Post-incident review within 48 hours.