User Roles: Calculation of the Restriction Level for a User

In this topic, you will learn how the system calculates a restriction level to a system object for a user with multiple roles assigned.

Calculation of the Restriction Level to Forms

If a user has multiple roles assigned and the roles have different restriction levels to a system object, the following general rule is used: MYOB Acumatica applies the most permissive level among the roles.

For example, suppose that a user is assigned the Employee and Sales Manager roles. The Employee role has the Revoked restriction level for the Inventory workspace, and the Sales Manager role has the Granted restriction level for the same workspace. With these settings, the user has the Granted restriction level to the forms in the Inventory workspace. The following table shows how the system calculates the final restriction level to forms of the workspace.

User Role Restriction Level User’s Final Level to Forms
Employee Revoked Granted
Sales Manager Granted

Calculation of the Restriction Level to a Form’s Nested Objects with the Inherited Level

If a user has multiple roles assigned and the roles have the Inherited restriction level to a particular container or form element, the resulting level is the most permissive level of the system object at a higher level for which a restriction level is specified explicitly—the form (for a container) or the form element container (for a form element).

Suppose that a user is assigned the Employee and the Accountant user roles. The Employee role has the Revoked restriction level to the Customers (AR303000) form, and the Accountant role has the Edit level to this form. The restriction level both roles have to the form elements is Inherited. The user with these roles, then, has the Edit access level to the Customers form and its elements. The following table shows how the system calculates the final restriction level to nested objects with the inherited level.

User Role Restriction Level to a Form Restriction Level to the Form’s Nested Objects User’s Final Level to the Form and its Nested Objects
Employee Revoked Inherited Edit
Accountant Edit Inherited

Calculation of the Restriction Level to a Form’s Nested Objects with a Specified Level

If a user has multiple roles assigned and you have explicitly specified a restriction level to a particular form element container or form element for at least one role (while the other roles have the Inherited level to this system object), then the resulting level of access rights is the most restrictive among the roles with explicitly defined restriction levels. (In making this determination, the system ignores the levels of the roles with the Inherited level of access rights.) This algorithm is used to optimize the speed of loading the form.

Suppose that a user is assigned the Employee, Warehouse Worker, and Sales Assistant user roles. All these roles have the Insert restriction level to the Receipts (IN301000) form. For the Release button on this form, the Employee role has the Inherited restriction level (which the system ignores), the Warehouse Worker role has the Revoked level, and the Sales Assistant role has the View Only level. As a result, the user has the Revoked restriction level (the most restrictive level of the two explicitly defined levels) to this button. The following table shows how the system calculates the final restriction level to nested objects with a specified level.

User Roles Restriction Level to the Form Restriction Level to a Nested Object User’s Final Level to the Nested Object
Employee Insert Inherited Revoked
Warehouse Worker Insert Revoked
Sales Assistant Insert View Only