A department head needs to grant a new administrative staffer access to one of the thirty-odd internal apps her college shares with its neighbor. In the system she inherited, that means filing a ticket, waiting for a developer to remote into a Windows box, edit a row beside a decade-old ColdFusion service, click a button, then email back to confirm. Multiple business days, every time, for a single line of permission.
The original maintainer had retired, and the service was deprecated enough that nobody had a reason to keep working in it. An access audit meant hours of assembling answers by hand. The obvious move was to shop for an identity product, but those are sized and priced for enterprises, and this problem was thirty internal apps and two colleges' worth of staff. The permission data already lived in SQL tables every internal app could read, and the only broken part was the human procedure for changing a row.
So I made it easier. Search a username, drag it onto a role to grant access, drag it onto the trash to revoke. No ticket, no developer. It is a Node and Express service over the existing SQL tables, hand-written HTML and CSS, and a healthy pile of vanilla JavaScript doing the drag-and-drop, with identity handled at the web-server layer by the university's single sign-on rather than inside the app.
The board
With ease of action should come ease of un-action, so removals are soft deletes. The permission table keeps every grant and removal, who and when, and the last access audit was answered with a query instead of an afternoon.
This was infrastructure for a migration. The colleges have been moving their internal apps to Node, and the new world needed access control. Two years on, the new apps resolve "can this person see this?" against the same tables, granting takes under a minute, and there has not been an incident.