Case Study · 02
Employee Badge & Access System
Three compliance-driven upgrades of the employee badge system — restructuring permission models across a multi-entity architecture with zero downtime.
Role
Lead Product Manager
Timeline
2022 — 2024
Team
PM, Eng, IT, Security, HR Ops
Scope
Multi-entity · 100K+ employees
Background
Context
Badges are the quiet backbone of a global company. They open doors, anchor identity in dozens of internal systems, and have to follow employees through reorganizations, entity changes, and country moves.
As the company restructured into multiple legal entities, the existing badge system — built around a single-tenant identity model — started to crack. Permissions inherited from the old structure no longer matched the new one, and IT operators were patching mismatches by hand.
Why it mattered
Problem
The system conflated three different concepts: who an employee is, which entity they belong to, and what they're allowed to access. When any one of those changed, all three had to be re-derived manually.
On top of that, every compliance review surfaced new constraints — data residency for badge photos, retention limits for access logs, separation-of-duty rules between regions. Each constraint risked breaking the permission graph for tens of thousands of employees.
What I owned
My Role
I owned three sequential upgrades end-to-end: the multi-entity permission model, the access-log compliance refactor, and the badge lifecycle unification. I worked with security and IT to design the migration plan, with engineering on the data model, and with HR ops on the rollout to make sure no employee was locked out at their door on a Monday morning.
How we built it
Solution Design
Scenario-based automatic access granting
Access permissions were automatically granted based on business scenarios such as travel, dispatch, onboarding, and offboarding. Employees no longer needed to submit manual access requests for standard cases.
Simplified employee card issuance journey
The employee-side card application flow was streamlined by reducing repeated confirmations, simplifying pickup and notification steps, and improving the overall issuance efficiency.
Measurable card production workflow
The card issuance process was redesigned with trackable production steps, enabling card operators' SLA, workload, and processing time to be recorded and quantified.
Multi-entity compliance architecture
The system was restructured to support multiple legal entities with separated data boundaries, entity-specific rules, and compliant operational flows across different tenants.
What changed
Before / After
Before
Identity, entity, and access were tangled in one model; any change required engineering.
After
Three clean layers, each ownable by the right team without code changes.
Before
Migrations risked locking employees out during cutover windows.
After
Dual-write plus reconciliation produced 100% migration accuracy with zero downtime.
Before
Operator satisfaction with the badge experience plateaued at 4.85/5.
After
Satisfaction climbed to 4.97/5 after the unified lifecycle shipped.
Outcomes
Impact
0
Minutes of downtime across three major upgrades
100%
Data migration accuracy across entity restructures
4.97/5
Employee satisfaction (up from 4.85)
3
Compliance-driven upgrades shipped sequentially
What I'd carry forward
Learnings
When a data model conflates concepts, every feature becomes a migration. Separating identity, entity, and access bought us years of cleaner change management.
Zero-downtime isn't a deploy strategy — it's a data strategy. The dual-write window and reconciliation job were the actual product.
For systems people depend on without thinking about, satisfaction is mostly about not surprising them. Most of the 4.85 → 4.97 lift came from things employees never had to notice.