If there is a mitigating control in the system and I want to tie it to certain users for a specific amount of time is it best to mitigate the user's or the role that the user's are tied to instead?