User access restrictions control access to functionality on various levels:
They determine which functions users may access.This covers the access of UI pages and menus.
In addition, the restrictions indicate which protected data may be accessed from the functions.For example, a user can access a normal address, but cannot see a secured address.
The restrictions indicate if the user may read, create, update, and/or delete data.
Protected data refers to data that requires fine grained security.By default, data is implicitly protected by controlling access to the functions that create, read, update and delete it.Data that requires more protection than this is referred to as protected data.With protected data, the values of specific fields are also taken into consideration.For example, contracts can be protected based on the data access group.This protection is in addition to the protection from controlling access to the contract screens.
Function and data access should be coordinated.In order to access protected data, users must have access to both the protected data and the functions that maintain the data.
For convenience, access restrictions are defined per 'functional' role and users are given access to the roles.This simplifies administration of user access by allowing set up to be done per role instead of per user.When several users perform the same role, the role can be set up once, and all the users can be assigned to it.Users may be assigned to more than one role.In this case access is cumulative (users have access to the functions and protected data that is included in any of their roles).
This document describes the data model that is the basis for implementing user access restriction functionality.
Access Restriction Grant
An access restriction grant connects a role to an access restriction.Users with this role, get the right to access a function or data that is protected by the access restrictions.
Furthermore, it indicates the level of access in terms of having read, create, update and/or delete rights by setting the Create, Retrieve, Update and Delete (CRUD) indicators.Meaning of these indicators differ, depending on the specific type of access restriction.
For details, refer to the data access restrictions chapter.
Field | Description |
---|---|
Access Role | The access role the grant is for. |
Access Restriction | The access restriction to which access is granted. |
Create indicator | Depends on the type of access restriction. |
Retrieve indicator | Depends on the type of access restriction. |
Update indicator | Depends on the type of access restriction. |
Delete indicator | Depends on the type of access restriction. |