Our administrators have two accounts, a standard account and an elevated account for administrator work.
We have one role for each account.
Both accounts are mapped to the identity of the user.
The issue I am running into setting membership for the role. It wants to add both roles to both accounts.
Set up separate identities for each account. The downside, when we terminate an administrator, we have check two identities for the termination.
if the membership rule can only be applied to one of the accounts, then maybe we can leaved them mapped? I have not been able to get this to work yet.
I am interested in finding out what others have done.