User Roles: To Configure a Role with Granular Access
In the following activity, you will learn how to create a role with granular access to a system object.
Story
Suppose that the CFO of the SweetLife Fruits & Jams company has decided that only employees authorized by the CFO are allowed to reprint checks. To accommodate this requirement, you, as a system administrator, have decided to create a granular role that will give access to only the reprinting of checks and forbid access to this operation for all other roles. As a result, only users that have full access to accounts payable (that is, only users that are assigned a role that gives this access) can be authorized to reprint checks by being assigned this granular role on request from the CFO.
Process Overview
You will use the User Roles (SM201005) form to create the AA_AP_Reprint_Checks role. You will use the AA prefix for the role to have it at the top of the list, combined with _AP to indicate the functional area.
You will use the Access Rights by Screen (SM201020) form to modify access to the Reprint and Reprint With New Number operations as follows:
- You will determine roles that also have full access to the Release Payments (AP505200) form. You can exclude from consideration the roles that have the View Only and Revoked access to the form, as well as the roles that you are not using for managing user access (for example, predefined roles delivered with MYOB Acumatica). In this activity, you can assume that the Accountant and Purchasing Manager roles meet these criteria. That is, these roles are used for user access management and have a restriction level higher than View Only.
Tip: To form the list of roles that need modification, you can use filters for the table columns in the right pane of the form or create an advanced filter in the same pane. For details, see Filtering and Sorting in MYOB Acumatica.
- You will modify access rights to a form container for these roles. The Reprint and Reprint With New Number operations are stored in the ReleaseChecksFilter container of the Release Payments form. Initially, all three roles will have the Inherited restriction level set to the container and form elements. Thus, before modifying access rights to the actions, you need to modify access to their parent container.
You will change the restriction level set for the container from Inherited to a specific one. In this case, you will revoke access to the container for the newly created role (AA_AP_Reprint_Checks), because you need to grant access to only two elements for this role. For the other two roles, you will set the Delete level for the container, because you need to restrict access to only two elements and allow access to all others.
After you have modified access to the container, its nested elements will still have the Inherited restriction level. (While calculating the restriction level for a user, the system takes into account only the roles for which an explicit level is set.)
- Because you will use the granular role in combination with other roles, you will explicitly revoke access to the form elements for the other two roles and grant access to the Reprint and Reprint With New Number operations for only the granular role.
The following table summarizes the changes that need to be made. For details on how the system calculates a restriction level for a user, see User Roles: Calculation of the Restriction Level for a User.
Role | Release Payments (form): Initial Level | Release Payments (form): Configured Level | ReleaseChecksFilter (form container): Initial Level | ReleaseChecksFilter (form container): Configured Level | Reprint and Reprint With New Number (form elements stored in the container): Initial Level | Reprint and Reprint With New Number (form elements stored in the container): Configured Level
---|---|---|---|---|---|---
AA_AP_Reprint_Checks | Revoked | Revoked | Inherited | Revoked | Inherited | Edit
Accountant | Delete | Delete | Inherited | Delete | Inherited | Revoked
Purchasing Manager | Delete | Delete | Inherited | Delete | Inherited | Revoked
System Preparation
Launch the MYOB Acumatica website, and sign in to a company with the U100 dataset preloaded. You should sign in as a system administrator, by using the gibbs username and the 123 password.
Step 1: Creating a Role
To create a role, do the following:
- On the User Roles (SM201005) form, add a new record.
- In the Role Name box, type AA_AP_Reprint_Checks.
- In the Role Description box, type Role to reprint AP checks.
- On the form toolbar, click Save.
Step 2: Modifying the Access Rights to the Container and Form Elements
To modify the restriction levels for the container and form elements, do the following:
- Open the Access Rights by Screen (SM201020) form.
- In the left pane, locate the Release Payments (AP505200) form, and select its ReleaseChecksFilter node, which is the container for the reprint operations.
- In the right pane, do the following:
  - In the Access Rights column, select Revoked for the AA_AP_Reprint_Checks role.
  - In the Access Rights column, select Delete for the Accountant and Purchasing Manager roles.
- On the form toolbar, click Save.
- In the left pane, expand the ReleaseChecksFilter node, and select the Reprint element.
- In the right pane, do the following:
  - In the Access Rights column, select Edit for the AA_AP_Reprint_Checks role.
  - In the Access Rights column, select Revoked for the Accountant and Purchasing Manager roles.
- On the form toolbar, click Save.
- By performing similar actions to those in Instructions 3–5 of this step, modify the access rights for the Reprint With New Number element. (That is, you need to select the Reprint With New Number node and then select Edit for the AA_AP_Reprint_Checks role, and select Revoked for the Accountant and Purchasing Manager roles.)
You have created and configured a role with access to only one form, and you have restricted the access to two operations on this form for other roles in the system that have access to this form.
Step 3 (Optional): Verifying the Configured Access
To verify the configured access to the actions, do the following:
- Open the Access Rights by User (SM201055) form.
- In the Login box, select pasic. This user is assigned the Accountant role.
- In the left pane, locate the Release Payments (AP505200) form, and select its ReleaseChecksFilter node.
- In the right pane, verify that access to the Reprint and Reprint With New Number elements is revoked. That is, the Revoked option is displayed in the Access Rights column.
- Open the Users (SM201010) form.
- In the Login box, select pasic.
- On the Roles tab, for the row with AA_AP_Reprint_Checks in the Role Name column, select the check box in the Selected column.
- On the form toolbar, click Save.
- Open the Access Rights by User form.
- In the Login box, again select pasic. You have assigned this user the AA_AP_Reprint_Checks role, and before that the user was already assigned the Accountant role.
- In the left pane, locate the Release Payments (AP505200) form, and select its ReleaseChecksFilter node.
- In the right pane, verify that the Edit option is displayed in the Access Rights column for the Reprint and Reprint with New Number elements. This indicates that the user has access to these elements.
- In the right pane, select the row with the Reprint element, and click View Roles on the table toolbar.
- In the View Roles dialog box, which opens, review the list of roles assigned to the selected user and the access rights that each role has to the element, as shown in the following screenshot. The system gives the user the most permissive restriction level to the element (see Item 1 in the screenshot) among the roles with explicitly defined restriction levels (Item 2). The system ignores the roles with the Inherited level of access rights.
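The calculation rule stated in the Process Overview and shown in the View Roles dialog box can be modeled offline to check a planned configuration before it is saved. The following sketch is an added example, not MYOB Acumatica code: it encodes the configured levels from the summary table and assumes the level ordering, the fallback to the parent object when every role is Inherited, and the rule that a revoked form blocks its elements.

```python
from enum import IntEnum

class Level(IntEnum):
    # Only the explicit levels named on this page; the ordering is an assumption.
    REVOKED = 0
    VIEW_ONLY = 1
    EDIT = 2
    DELETE = 3

FORM = "Release Payments"
CONTAINER = "ReleaseChecksFilter"
ELEMENTS = ("Reprint", "Reprint With New Number")
PARENT = {CONTAINER: FORM, **{e: CONTAINER for e in ELEMENTS}}

# Configured levels from the summary table. A missing key means Inherited.
FULL_AP = {FORM: Level.DELETE, CONTAINER: Level.DELETE,
           **{e: Level.REVOKED for e in ELEMENTS}}
RIGHTS = {
    "AA_AP_Reprint_Checks": {FORM: Level.REVOKED, CONTAINER: Level.REVOKED,
                             **{e: Level.EDIT for e in ELEMENTS}},
    "Accountant": FULL_AP,
    "Purchasing Manager": FULL_AP,
}

def effective_level(roles, obj):
    """Most permissive level among the roles that set an explicit level on obj."""
    explicit = [RIGHTS[r][obj] for r in roles if obj in RIGHTS[r]]
    if explicit:
        return max(explicit)  # roles with Inherited are ignored
    # Assumption: if every role is Inherited, the parent's result applies.
    parent = PARENT.get(obj)
    return effective_level(roles, parent) if parent else Level.REVOKED

def can_reprint(roles):
    """Assumption: the user needs access to the form and to both elements."""
    if effective_level(roles, FORM) == Level.REVOKED:
        return False
    return all(effective_level(roles, e) > Level.REVOKED for e in ELEMENTS)

if __name__ == "__main__":
    # Role sets for the pasic user before and after Step 3 of this activity.
    for roles in (["Accountant"], ["Accountant", "AA_AP_Reprint_Checks"]):
        levels = {e: effective_level(roles, e).name for e in ELEMENTS}
        print(roles, levels, "can reprint:", can_reprint(roles))
```

A user who holds only the AA_AP_Reprint_Checks role is reported as unable to reprint, which matches the story: the granular role is useful only in combination with a role that gives access to the form.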