11801 calls out some very specific scenarios.

• Reassign judge review tasks
• Assigning cases to attorneys
• Requesting cases for judges

Assigning and reassigning cases reads as if we could simply add users as admins to judge teams and modify some available_actions functions to allow judge team admins these two. Requesting cases for judges is a bit more complex with the way that requesting distributions works (creates a distribution for the current_user), but we could update the requestDistribution method to request for a certain user id, rather than the logged in user. I think these changes, combined with dropdowns to view a judge's assign and review views might hit all of the acceptance criteria for us.

Thoughts in no particular order including some things we talked about yesterday for documentation purposes!

1. Love the callout on future work
2. Admins may find having both a JudgeTeam and a DvcTeam for one user confusing
3. DVC team implementation also does not include the ability for a normal judge's supervisor to reassign tasks. Should probably call out that this implementation doesn't address it and we'd expect VLJs to reassign before they go on leave.
4. I like that the DVC implementation separates the user's normal workflow from acting as another user
5. Building out the judge team raises some other concerns such as
   
   
   
   • Situations where a user is both an attorney and an admin (in the case of DVCs most likely)
   
   
   • Situations where a user is an admin but not an attorney (in the case of judges and their supervisors )
   
   
6. Judge team build out creates further separation from what we think an org is, but this can be addressed in the followup work

I prefer "JudgeTeam Refactor" and setting aside time to refactor authorization rules generally.

I have used https://github.com/varvet/pundit before on multiple Rails apps and it works pretty well. The hard part is going to be documenting all our different existing systems and overlaying the ideal business rules we'd like to arrive at.

I also prefer JudgeTeam refactor route. As Kat notes, it's easier to deliver and less of a burden on our users.
I also agree that we should starting thinking about simpler way to organize our authorization rules.

Cons
...
creates further separation from how we designed orgs to work originally

My understanding is that organizations generally limit access to queues and actions related to Tasks. Will giving the attorney access to the JudgeTeam give them access to all the functionality they need to act on behalf of a judge for this ask? (e.g: in the LegacyDecisionReviewTask we limit actions based on whether they are a judge in vacols).

In hearings, we limit access based on the role "Hearing Prep" that all judges get. Looking through attorney data, 164/956 attorneys with recent logins have a "Hearing Prep" role. Can we assume that attorneys acting on behalf of Judges have this role? Otherwise, we may need to do a light refactor of how Hearings permissions. Or is changing hearings information outside the scope of "Special Case Movement"

@lomaxap ~the methodology I'm imagining will mirror User Impersonation/Global Admin, giving the user the session value of the user they're acting on behalf of. If anything, I'm worried they will be too able to act as the other user, and we'll want to put checks in place for the session variable storing the acting_on_behalf to check a person is actually themselves, in some places.~

@lomky ah, ok. So if you go with the JudgeTeam refactor option, you would also implement part of the "User Switch" from the DVC Team Option?:

• stash real user in session, a la Global Admin (see ref 2)
• change session user to the DVC

Ah, no I had muddled the options. In the JudgeTeam scenario it would be teaching the code to ask if the judge of the team the admin is on has permission, regardless of which admin is actually doing the action. That's part of why this implementation is a bit straining on our existing system

Hi! @lomky reached out to me to get some Design Opinions™ on how this should be implemented in the front end and I'm summarizing my thoughts here for posterity and also for all interested parties.

The question posed to me was, should the UI link to view a DVC's (judge's) Queue be in the user menu (far upper right?) or the Queue actions dropdown?

Simple, right?

Actually it's pretty tricky, because it brings up questions such as – 

• Are users thinking about this work as impersonating the judge (as we are) or are they thinking of it as just a natural part of their own work, that magically happens to look like the judge performed it behind the scenes?
• When users go about this, are they thinking about 'switching' to being the judge first, and then going about the work, or are they going to go straight to Queue and then switch once there?

It gets into mental models around identity and workflow which are fuzzy at the best of times, and without being able to do some usability testing it's pretty much impossible to know for sure. That said, we currently don't have capacity to do usability testing (although I'd be happy to coach someone through the process if someone wants to learn!)

So that leaves us with the option of making a decision based on usability principles, which is pretty risky and doesn't give us a whole lot of clear guidance anyway. Based on the principle of "put similar things near each other" my weak hunch was to suggest that the impersonation actions be located within the Queue dropdown menu, as opposed to the User Menu, because the Queue menu is closer to where the work is going to take place anyway. There's a risk of hiding it in a dropdown making that functionality not discoverable (another usability principle), but that's also true with the other option we discussed.

This then becomes a question of, "how much risk are we willing to take on with this functionality?"

The main risk is that we release something that users find confusing and/or can't find.

Given the relatively small number of users this will impact, and it sounds like we'd like to revisit Caseflow permissions more broadly in the near future, the risk of this might be rather small in the grand scheme of things. Few users for a relatively short amount of time = not so much lost trust in our team or impact to Board of Veterans' Appeals productivity.

However the few users we're talking about are key users, and working directly with processing appeals so there could be some impact to Board of Veterans' Appeals productivity. Additionally, some of them may be using Caseflow for the first time with this functionality, meaning this is a first impression, and we'd probably like that to be a good impression.

At this point how much risk to take on here is a product management decision, so I'm not going to weigh in (and I honestly don't know which factors are more important), but I want to raise these as the concerns we should be considering as we move forward.

Thank you for inviting me to muddy the waters!

Some good lessons from the design notes on this somewhat parallel ticket: #5385

Work to finish this ticket:

• [x] Break out tickets for work under the epic #11801
• [x] Create Epic for the Followup Work