User Access: General Information
To access MYOB Acumatica, an individual must have a user account in the system and a user role assigned to the account. Each account includes a login (that is, a username), a password, and other properties, such as the user’s first and last name, email address, password policy options, and the set of roles that control the user's access to the system objects.
Learning Objectives
In this chapter, you will learn how to do the following:
- Create a user account and assign roles to it; the roles combine to provide the access rights that the user needs to perform job responsibilities
- Assign a role to multiple users
- Modify access for an existing user account
- Review users' access to system objects
Applicable Scenarios
You manage user access in the following cases:
- You, as an implementation consultant, initially implement MYOB Acumatica for your client and are ready to give access to company employees.
- You, as a system administrator, were notified about a new hire and need to give appropriate access to the system for the new employee.
- You, as a system administrator, were notified about a change of an employee’s position and need to change access for this employee according to the new responsibilities.
User Authentication and Authorization
MYOB Acumatica requires users to authenticate themselves by using the appropriate username and password. After successful authentication, the user's membership in roles is checked. Then, based on their roles, users may access only the resources and perform only the actions for which they are authorized.
A user that has not been assigned any roles has no access to the system. If the user has multiple roles that have different levels of access rights to an entity, the most permissive level applies.
The method of user authentication in MYOB Acumatica can be one of the following:
- Local: User accounts are created and managed directly in MYOB Acumatica.
- External: If MYOB Acumatica is integrated with an external identity management system, then user accounts and roles are created and managed in the integrated system. For details on integration with the supported systems, see Integration with Active Directory, Integration with AD FS, and Integration with Azure Active Directory.
To make the authentication process easier for your users, you can configure single sign-on with external identity providers, such as Google and Microsoft Account. For details, see Integrating MYOB Acumatica with OpenID Identity Providers.
Also, MYOB Acumatica provides two-factor authentication, so that access to the system is granted only after the user successfully presents additional evidence of identity beyond the user credentials (that is, the username and password).
User Access Configuration
To configure each user's access to MYOB Acumatica, you perform the following steps on the Users (SM201010) form:
- You create a user account and specify the username, the password, the user's first and last name, and the email address.
- If your organization uses specific security policies, you apply them to the user account. For more detailed information on security policies for user accounts, see User Access: User Access Security.
- You define access to the system objects by assigning a set of roles to the user; these roles correspond to the user's job responsibilities.
Ways to Generate and Share User Credentials
When you create a new user on the Users (SM201010) form, the system automatically generates a password for the user—that is, inserts the masked password in the Password box. You can clear the Generate Password check box for the new user and enter a password (which can be generated by any third-party tool) in the Password box.
For an existing user, you can click Reset Password on the form toolbar. In the dialog box that opens, you enter a new password for this user, confirm the password, and click OK.
When you save user settings for the first time, if a default system email account is configured and a corresponding notification template is specified on the Email Preferences (SM204001) form, the system sends an email with user credentials to the address you have specified in the Email box for the user.
If a system email account is not configured or if you do not want to share credentials by using email services, you can share credentials by using third-party services you trust. In this case, you specify passwords manually for the users in MYOB Acumatica and share user credentials by using a third-party tool.
Role Assignment
To give a user access to the system objects, you need to assign to this user a role or a combination of roles; roles provide the access necessary to perform job responsibilities. For details on the configuration of user roles, see User Roles: General Information.
To assign multiple roles to a selected user, you use the Users (SM201010) form. For example, you use this approach when you have created a new user account and want to assign existing roles to it.
To assign a selected role to multiple users, you use the User Roles (SM201005) form. For example, you use this approach when you have created a new role and want to assign it to existing users.
Role-Based Access
To access MYOB Acumatica, users must pass authentication to confirm their identity (that is, sign in to the system). Then users pass authorization to determine their access rights to the system objects. Users’ roles determine which objects they are allowed to use and which actions they are authorized to perform. A user with no role assigned to it has no access to the system.
You may take different approaches in configuring each user's access: assigning a single role to a user or assigning a combination of roles to a user. This choice may affect how the system calculates an individual user's access. A role defines access rights to system objects with a restriction level set for these objects.
The set of restriction levels available for the system objects depends on the object type. For some objects, you can specify a more granular level; for others, you can either allow or deny the access. For details, see User Roles: Restriction Level Options.
If a combination of roles is assigned to a user, some of these roles may have different restriction levels set for the same system object. The way the system calculates the final restriction level depends on the system object for which the levels differ among the roles assigned to the user. For details, see User Roles: Calculation of the Restriction Level for a User.
You can view the user access rights to a particular form, container, or form element by using the Access Rights by User (SM201055) form. For details, see User Access: Related Reports and Forms.
Monitoring of Access Configuration
Access configuration, once established, should be subject to regular review and modification. People in an organization move across roles and projects or leave the company, and new people are hired. Job responsibilities for a particular employee or a whole department can be changed. You should keep the user access configuration in compliance with the company’s changed business processes, to make sure that its sensitive data is protected from unwanted access.
We recommend establishing a process of requesting access to particular system objects. Such requests should be justified by changes in the job responsibilities and approved by superiors.
You should be notified each time an employee is leaving the company or a contractor with access to the system has completed their project. You can either deactivate user accounts for these people or clear the list of assigned roles if you need to keep the user account for some reason.
We also recommend regular review of the list of user roles. You can either delete unused roles that are assigned to no users or add some prefix to the descriptions of the roles if you want to keep them for some reason. You should determine the number of roles you can maintain to effectively secure access to the system and try to keep the list within this number.
Also, we recommend that you regularly review the history of users' access to MYOB Acumatica forms that contain company data, to identify unexpected or unwanted access behavior.
You can use the reports and inquiries provided by MYOB Acumatica for monitoring access configuration. For details, see User Access: Related Reports and Forms.
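The review points in this section can also be checked offline against an export of accounts and roles. The following is an added example, not part of MYOB Acumatica or its documentation; the CSV layout, the role names, and the leaver list are constructed assumptions. It flags leavers who still have an active account with roles, active accounts with no roles, roles assigned to no users, and assigned roles that are not in the role list.

```python
import csv
import io

# Constructed sample data: a hypothetical CSV export of user accounts
# (the columns are assumptions, not an MYOB Acumatica export format).
USERS_CSV = """login,active,roles
asmith,yes,AP Clerk;AR Clerk
bjones,yes,Administrator
cdoe,yes,
dlee,no,AP Clerk
ewong,yes,Warehouse
"""
DEFINED_ROLES = {"AP Clerk", "AR Clerk", "Administrator", "Warehouse", "Old Project"}
LEAVERS = {"bjones", "dlee"}  # constructed list built from HR notifications


def load_users(text):
    """Parse the export into {login: (active, set_of_roles)}."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        roles = {r.strip() for r in row["roles"].split(";") if r.strip()}
        active = row["active"].strip().lower() == "yes"
        users[row["login"].strip().lower()] = (active, roles)
    return users


def review_access(users, defined_roles, leavers):
    """Return findings that match the review points in this section."""
    findings = {"leavers_with_access": [], "active_without_roles": []}
    assigned = set()
    for login, (active, roles) in sorted(users.items()):
        assigned |= roles
        # A leaver is handled only if the account is deactivated or has no roles.
        if login in leavers and active and roles:
            findings["leavers_with_access"].append(login)
        # No roles means no access: incomplete setup or an account kept on purpose.
        if active and not roles:
            findings["active_without_roles"].append(login)
    # Roles assigned to no users are candidates for deletion or a prefix.
    findings["unused_roles"] = sorted(defined_roles - assigned)
    # Assigned roles missing from the role list point to a stale export.
    findings["undefined_roles"] = sorted(assigned - defined_roles)
    return findings


if __name__ == "__main__":
    report = review_access(load_users(USERS_CSV), DEFINED_ROLES, LEAVERS)
    for check, items in report.items():
        print(f"{check}: {', '.join(items) or 'none'}")
```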