Configuration of Restriction Groups
After you have prepared all necessary information about restriction groups, you can start configuring them, as described in this topic.
Overview of the Configuration Process
The configuration process of row-level security in MYOB Acumatica includes the following steps:
- You create the restriction group of a required type by using the appropriate form (which depends on the entities that you want to add to a restriction group). For the list of entities, see Scenarios of Using Restriction Groups.
- If the group should include users, you add entities and users to the group.
- If the group should not include users, you add related entities to the group.
- Optional: You specify default restriction groups for entity classes as needed to simplify adding new entities of these classes to the restriction groups. For details, see Operations with Restriction Groups.
At any time, you can include entities in previously created restriction groups (for example, when you need to make an entity visible to a new user). For details, see Adding Entities to an Existing Restriction Group in Operations with Restriction Groups.
Combinations of Restriction-Group Entities
MYOB Acumatica supports a variety of scenarios of configuring the visibility of entities within the system. With the most common scenarios, you can create restriction groups that include the following system entities:
- Users and general ledger (GL) accounts: With these restriction groups, if your organization has sensitive GL accounts, you can make these accounts visible to a limited number of employees. For details, see Account and Subaccount Security.
- Users and subaccounts: As with groups that include users and GL accounts, you
can limit the visibility of sensitive subaccounts to employees. For more
information, see Account and Subaccount Security.Note: For performance reasons, visibility restrictions by user for subaccounts do not affect analytical (ARM) and form-based reports or general inquiries. This means that users who can view the reports and general inquiries that include subaccounts will see the full list of subaccounts.
- Users and vendor accounts: You can define these restriction groups to make particular vendors visible in the system to only employees who work with these vendors. For details, see Vendor Security.
- Users and customer accounts: With these restriction groups, you can make particular customers visible to only employees who work with these customers. For details, see Customer Security.
- Users and GL budget articles: With these restriction groups, you can limit the visibility of sensitive budget articles so that only particular users can see and work with these articles. For more information, see Security of GL Budget Articles.
- Users and warehouses: You can create restriction groups to display a particular warehouse (or a set of warehouses) for only employees who work with this warehouse (or this set of warehouses). For details, see Warehouse Security.
- Users and inventory items: You can define these restriction groups to reduce the number of items shown in lists with inventory items, depending on the particular employee signed in to the system. For more information, see Inventory Item Security.
- Users, project groups, and projects: You can define these restriction groups so
that particular projects or group of projects are visible to only the users
responsible for the included project or projects.Important: Restriction groups configured for branches do not affect the visibility of projects that have these branches specified on the Summary tab of the Projects (PM301000) form. You can manage the visibility of projects to particular users by creating restriction groups on the Project Access (PM102000) form. For more information on configuring access for projects, see Project Security.
- Users and account groups: You can define these restriction groups so that particular project transactions that include sensitive data are visible to only particular users. For more information, see Project Security.
- Users and printers: If the DeviceHub feature is enabled on the Enable/Disable Features form (CS100000), you can define these restriction groups to configure the visibility of printers to particular users. For more information, see To Configure Printer Access.
- Branches, GL accounts, and users: With these restriction groups, you can allow users to work with only branch-specific accounts. For details, see Account and Subaccount Security.
- Branches, subaccounts, and users: You can set up these restriction groups so that the system displays to users only the branch-specific subaccounts. For more information, see Account and Subaccount Security.
- Branches and cash accounts: If there are multiple branches in your organization, with these restriction groups, you can allow users in each branch to work with only branch-specific cash accounts. For details, see Security of Cash Accounts.
- GL Accounts and Subaccounts: If you have subaccounts that employees must use only with particular GL accounts, by defining these restriction groups, you can set up lists of available subaccounts for each GL account. For more information, see Account and Subaccount Security.