Platform: Changes to the Management of Access Rights

In previous versions of MYOB Acumatica, when a user created a new system object (for example, a form) and did not explicitly specify its access rights, the system automatically assigned the Not Set restriction level to this object for all user roles. The Not Set restriction level indicates that users with all roles have access to this system object until at least one role is assigned any other restriction level to it. As a result, this new system object became available to all users in the system, which could cause security issues.

In MYOB Acumatica 2024.1, the logic of setting restriction levels for system objects has been reworked. Also, the procedure of publishing the forms to the UI has been improved for generic inquiries, pivot tables, dashboards, report definitions, export scenarios, import scenarios, and application resources. The procedure now provides a straightforward configuration of the initial access rights during publication. Also, in Customization Project Editor, the process of managing access rights has been reworked and simplified.

The following sections describe these changes in detail.

Changes to Restriction Levels

In MYOB Acumatica 2024.1, the Not Set restriction level has been removed from the system.

On system upgrade to 2024.1, for each existing system object, the system will update the access rights as follows:

  • If the access rights for a system object were set to Not Set for all user roles, these access rights will be converted to Granted for all user roles.
  • If at least one role is assigned the Delete, Insert, Edit, View Only or Revoked restriction level explicitly, all Not Set access rights will be converted to Revoked. All other access rights will not be changed.

As an example, the first screenshot below shows the access rights that were configured for the Bank Deposits (CA305000) form in an MYOB Acumatica 2024.1.1 instance. The second screenshot shows the access rights for the same form after the instance has been upgraded to 2024.1. At least one user role has Granted or Revoked access to this form, so during the upgrade, the system changed the Not Set access rights to Revoked.

Figure 1. Updated access rights for the Bank Deposits form
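The upgrade conversion described above can be modeled over an exported list of access rights to see, before upgrading, which forms will end up Granted for every role. This is an added example, not MYOB Acumatica code; the role names, the GI000001 screen ID, and the dictionary layout are assumptions made for illustration.

```python
NOT_SET, GRANTED, REVOKED = "Not Set", "Granted", "Revoked"

# Constructed sample: screen ID -> {role: restriction level before the upgrade}.
# Role names and the GI000001 screen ID are hypothetical.
BEFORE = {
    "CA305000": {"Administrator": "Delete", "Accountant": "View Only",
                 "Clerk": NOT_SET, "Guest": NOT_SET},
    "GI000001": {"Administrator": NOT_SET, "Accountant": NOT_SET,
                 "Clerk": NOT_SET, "Guest": NOT_SET},
}


def convert_screen(rights):
    """Apply the 2024.1 upgrade rule to one screen's role -> level mapping."""
    if all(level == NOT_SET for level in rights.values()):
        # Nothing was ever configured: every role becomes Granted.
        return {role: GRANTED for role in rights}
    # At least one level other than Not Set exists: Not Set becomes Revoked,
    # and the explicitly assigned levels are kept as they are.
    return {role: REVOKED if level == NOT_SET else level
            for role, level in rights.items()}


def convert_all(before):
    """Apply the rule to every screen in the export."""
    return {screen: convert_screen(rights) for screen, rights in before.items()}


def open_to_all_roles(before):
    """Screens that end up Granted for every role and so deserve a review."""
    return sorted(screen for screen, rights in before.items()
                  if rights and all(l == NOT_SET for l in rights.values()))


if __name__ == "__main__":
    for screen, rights in convert_all(BEFORE).items():
        print(screen, rights)
    print("Review before upgrade:", open_to_all_roles(BEFORE))
```

Forms returned by `open_to_all_roles` never had explicit access rights, so they are the ones to review and restrict on the Access Rights by Screen (SM201020) form.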


Configuration of Access for New Forms

In previous versions of MYOB Acumatica, an administrative user did not specify access rights during the publication procedure for generic inquiries, pivot tables, dashboards, report definitions, export scenarios, import scenarios, and application resources. The user had to select the Make Visible on the UI check box to publish a form (that is, to assign it a screen identifier and make it available in the specified workspace) on the following forms:

In MYOB Acumatica 2024.1, the publication procedure has been reworked. The Make Visible on the UI check box has been removed from the forms listed above.

The Publish to the UI button has been added on the form toolbar of these forms, as shown in the following screenshot (which shows the button on the Generic Inquiry form). By clicking this button, the user can add a new site map node to the site map and grant the required permissions for the added screen.

Figure 2. Adding a new form to the UI


When the user clicks Publish to the UI on the form toolbar, the Publish to the UI dialog box (shown in the screenshot above) opens. In this dialog box, the user specifies the following information:

  • Site Map Title: The name of the form that will be shown on the Site Map form
  • Workspace: The workspace in the user interface from which the form can be accessed
  • Category: The name of the category under which the form will be displayed in the selected workspace
  • Screen ID: The identifier to be assigned to the form

Also, in the Access Rights section of the dialog box, the user selects one of the following option buttons to indicate which access rights should be specified for the newly added form:

  • Set to Granted for All Roles: The system will set the access rights for this form to Granted for all user roles in the system.
  • Set to Revoked for All Roles: The system will set the access rights for this form to Revoked for all user roles in the system.
  • Copy Access Rights from Screen (default): The system will copy the set of access rights from the specified form.

After the user specifies the needed settings and clicks Publish in the dialog box, the form is published. That is, it is assigned a screen identifier and becomes available in the specified workspace. Also, the system adds the new site map node for this form to the site map and applies the appropriate access rights to this site map node.

A user with administrative rights can adjust the granted access rights for the form on the Access Rights by Screen (SM201020) form.

Note:
If the user publishes a generic inquiry that is used as a substitute form for some data entry form, the system applies the access rights specified for the generic inquiry to the data entry form as well.

Removal of Published Forms from UI

In previous versions of MYOB Acumatica, a user had to clear the Make Visible on the UI check box on one of the following forms to remove a published generic inquiry, pivot table, dashboard, report definition, export scenario, import scenario, or application resource from the UI:

In MYOB Acumatica 2024.1, this check box has been removed from these forms. The Unpublish command has been added on the form toolbar and the More menu of the forms listed above so that a user can remove a site map node from the site map.

When the user opens a record on any of the listed forms and clicks Unpublish on the form toolbar or More menu, the system removes the site map node related to the selected record from the site map and deletes all configured access rights from the database.

Access Rights for a New User Role

If an administrative user creates a new user role, the system now automatically sets the access rights for this role to Revoked for all system objects, as shown in the following screenshot. Then the user must explicitly set up access rights for this role on the Access Rights by Role (SM201025) form.

Figure 3. Default access rights set for a new user role


Access Rights for a New Form Added to Site Map

If an administrative user adds a new site map node directly on the Site Map (SM200520) form, the system will automatically set the form’s access rights to Revoked for all user roles. Then the user should grant access to this form to particular user roles on the Access Rights by Screen (SM201020) form.

Configuration of Access Rights in the Customization Project Editor

The process of configuring access rights in customization projects has also been reworked and simplified. Now when a user opens the Access Rights page of the Customization Project Editor and clicks the Add New Record button on the form toolbar, the Add Access Rights for Screen dialog box opens, as shown in the screenshot below.

In this dialog box, the user selects the form for which the access rights should be configured. The user also specifies the merge rule, which is the way the system should apply the access rights, by selecting one of the following option buttons:

  • Grant All: Set access rights to Granted for all roles
  • Revoke All: Set access rights to Revoked for all roles
  • Apply and Reset: Apply access rights from the customization project and set them to Revoked for the roles that are not included (in the customization project)
  • Apply and Keep (default): Apply access rights from the customization project and keep them unchanged for the roles that are not included (in the customization project)

Figure 4. Configuration of access rights in a customization project


Note:
The merge rule that the user specifies in this dialog box is shown in the Merge Rule column of the table on the Access Rights page.

If a customization project does not include explicitly specified access rights on the Access Rights page, the following rules are applied when the customization project is being published:

  • If a site map node does not exist in the target instance, the site map node will not be available for any roles; the access rights will be set to Revoked. That is, after the customization has been published, the system administrator should grant the access rights explicitly.
  • If a site map node already is on the target instance, the existing access rights remain unchanged.

In a customization project migrated from a previous MYOB Acumatica version, on the Access Rights page, the system will insert Apply and Keep in the Merge Rule column for all listed forms. The system does this regardless of the option in the Reset Permissions column in the table on the Access Rights page. (This column has been removed from the page.) With this merge rule, during the publishing of the customization project, the access rights specified in the customization project will be applied to the instance, and the access rights of all other roles will remain unchanged.
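The effect of each merge rule, and of a project that lists no access rights at all, can be compared side by side for one form. This is an added example, not MYOB Acumatica code; the function name, role names and sample levels are hypothetical, and the handling of Apply and Keep on a site map node that does not yet exist is an assumption marked in the code.

```python
GRANTED, REVOKED = "Granted", "Revoked"


def publish_rights(roles, existing, project, rule):
    """Return role -> level for one form after a customization project is published.

    roles:    every role on the target instance
    existing: role -> level on the target, or None if the site map node is new
    project:  role -> level carried in the project (may be empty)
    rule:     merge rule name, or None if the project lists no access rights
    """
    if rule is None:
        # No explicit access rights in the project.
        if existing is None:
            return {r: REVOKED for r in roles}   # new node: no role has access
        return dict(existing)                    # existing node: unchanged
    if rule == "Grant All":
        return {r: GRANTED for r in roles}
    if rule == "Revoke All":
        return {r: REVOKED for r in roles}
    if rule == "Apply and Reset":
        # Roles the project omits are set to Revoked.
        return {r: project.get(r, REVOKED) for r in roles}
    if rule == "Apply and Keep":
        # Assumption: on a new node, roles outside the project start as Revoked.
        base = existing if existing is not None else {}
        return {r: project.get(r, base.get(r, REVOKED)) for r in roles}
    raise ValueError(f"unknown merge rule: {rule!r}")


# Constructed sample data; role names and levels are hypothetical.
ROLES = ["Administrator", "Accountant", "Clerk"]
EXISTING = {"Administrator": "Delete", "Accountant": "Edit", "Clerk": "View Only"}
PROJECT = {"Accountant": "View Only"}

if __name__ == "__main__":
    for rule in ("Grant All", "Revoke All", "Apply and Reset", "Apply and Keep", None):
        print(rule, "->", publish_rights(ROLES, EXISTING, PROJECT, rule))
```

In this sample, Apply and Reset revokes every role the project omits, including the administrative one, while Apply and Keep leaves the rights those roles already had on the target instance in place.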

Other UI Changes

On the Generic Inquiry (SM208000) form, the Change Screen ID command has been removed from the form toolbar. A user now can change the identifier assigned to the inquiry in the Publish to the UI dialog box.