Types of Restriction Groups
Restriction groups in MYOB Advanced provide additional flexibility to the configuration of access rights for suites, modules, and forms. (For details, see Managing User Access.) You can use restriction groups when users should have access to a form, but on this form they are allowed to see one set of entities and are not allowed to see another set of entities.
With different types of restriction groups, you can configure simple and complicated rules of visibility for entities. In this topic, you will find descriptions of the types of restriction groups, the differences between the types, and usage examples.
When you add users and entities to a group, the system restricts the visibility of the entities to the users. When you add entities of two different types to the group and don't add users, these entities can be used only with one another when users select values of the entities on forms. For example, if you add a GL account and subaccounts to the group, and a user selects the included account on a form, only the included subaccounts are available for selection.
Types of Restriction Groups
MYOB Advanced provides two basic types of restriction groups—A and B. Restriction groups of both types can limit the visibility of system entities in a direct way (types A and B) and an inverse way (types A Inverse and B Inverse). The differences between A and B and between A Inverse and B Inverse are in how these groups work if the same entity is added to multiple groups. For detailed descriptions of each group type, see Descriptions of Types of Restriction Groups.
For more examples of using restriction groups of all types, see Usage Example 1, Usage Example 2, and Usage Example 3.
The following table summarizes the types of restriction groups and describes how the visibility of entities is affected if a particular entity belongs to multiple groups of the type.
Group Type | Restriction | Description |
---|---|---|
A | Direct |
Makes entities included in the group visible to users who are also included in the group. Other users cannot view these entities. When a particular entity belongs to multiple groups of type A, if you want a user to see this entity in the system, you add the user to at least one of these groups. |
A Inverse | Inverse |
Hides the entities included in the group from users who are also included in the group. Users who are not assigned to this group can view and use the entities. When a particular entity belongs to multiple groups of type A Inverse, if you don't want a user to see this entity, you must include this user in each of these groups. If you include the user in only one of the groups, he or she will see the entity in the system. |
B | Direct |
Makes entities included in the group visible to users who are also included in the group. Other users cannot view these entities. When a particular entity belongs to multiple groups of type B, if you want a user to see this entity in the system, you need to include this user in each of these groups. |
B Inverse | Inverse |
Hides the entities included in the group from users who are also included in the group. Users who are not assigned to this group can view and use the entities. When a particular entity belongs to multiple groups of type B Inverse, if you don't want a user to see this entity in the system, you include the user in at least one of these groups. |
Usage Example 1
Problem statement: Suppose that as a system administrator, you have to configure the visibility of accounts to the appropriate users considering the following:
- There are four accountants in your organization: User C, User D, User Y, and User Z.
- User M is the accounting manager who controls work of the accounting department.
- There are six accounts in the General Ledger module: Account 1, Account 2, Account 3, Account 4, Account 5, and Account 6.
- Users C and D are allowed to see Accounts 1, 2, and 3.
- Users Y and Z are allowed to see Accounts 4, 5, and 6.
- User M is allowed to see all accounts.
So Accounts 1, 2, and 3 should be visible to Users C, D, and M (and should be hidden from all other users), and Accounts 4, 5, and 6 should be visible to Users Y, Z, and M (and should be hidden from all other users).
You can use either of two solutions (described below) to configure the visibility of accounts to users.
Solution 1: To address the problem of Usage Example 1, you can create three restriction groups of type A—Group 1, Group 2, and Group 3 (see the diagram below, including the user visibility shown in Final Visibility (Group Type A)):
- Group 1: In this group, you include Accounts 1, 2, and 3 and Users C and D.
- Group 2: In this group, you include Accounts 4, 5, and 6 and Users Y and Z.
- Group 3: In this group, you include User M and all six accounts.
Solution 2: As a second way to address the problem of Usage Example 1, you can create two restriction groups of type A or B—Group 1 and Group 2 (see the following diagram):
- Group 1: In this group, you include Accounts 1, 2, and 3 and Users C and D.
- Group 2: In this group, you include Accounts 4, 5, and 6 and Users Y and Z.
- You include User M in both groups.
Usage Example 2
Problem statement: Suppose that as a system administrator, you have to configure the visibility of accounts to the appropriate users considering the following:
- There are four accountants: User C, User D, User Y, and User Z.
- There are six accounts in the General Ledger module: Account 1, Account 2, Account 3, Account 4, Account 5, and Account 6.
- User Y works with only one sensitive account, Account 1; User Y is not allowed to see the following accounts: Account 2, Account 3, Account 4, Account 5, and Account 6.
- The other accountants work with all accounts except Account 1.
- Only accountants have access to the Finance suite. (Thus, there is no need to hide accounts from other system users.)
Solution: To address the problem of Usage Example 2, you can create two restriction groups—Group 1 of type A or B, and Group 2 of type A Inverse or B Inverse. (If you select type A for Group 1, you should select type A Inverse for Group 2. If you select type B for Group 1, you should select type B Inverse for Group 2.) These groups are defined as follows:
- Group 1: In this group, you include User Y and Account 1. (Other users will not see Account 1.)
- Group 2: In this group, you include User Y and Accounts 2 to 6. (User Y will not see these accounts.)
The following diagram illustrates the proposed solution.
Usage Example 3
Problem statement: Suppose that as a system administrator, you have to configure the visibility of accounts to the appropriate users considering the following:
- There are four accountants in your organization: User C, User D, User Y, and User Z.
- There are six accounts in the General Ledger module of your organization: Account 1, Account 2, Account 3, Account 4, Account 5, and Account 6.
- Users С and D should work with all six accounts.
- User Y should work with Accounts 1, 2, and 3 but is not allowed to see Accounts 4, 5, and 6.
- User Z is a junior accountant, so this user is not allowed to see the accounts.
You can use either of two solutions (described below) to configure the visibility of accounts to users.
Solution 1: To address the problem of Usage Example 3, you can create two groups of type B Inverse—Group 1 and Group 2 (shown in the diagram below, with the user visibility shown in Final Visibility (Group Type B Inverse)):
- Group 1: In this group, you include User Y and Accounts 4, 5, and 6.
- Group 2: In this group, you add User Z and Accounts 1, 2, 3, 4, 5, and 6.
Solution 2: As a second way to address the problem of Usage Example 3, you can create two groups of the A Inverse or B Inverse type—Group 1 and Group 2:
- Group 1: In this group, you include User Z and Accounts 1, 2, and 3.
- Group 2: In this group, you include Users Y and Z and Accounts 4, 5, and 6.
The following diagram illustrates Solution 2.
Recommendations for Selecting the Restriction Group Type
As you decide which type of restriction group best meets your security needs, consider the following recommendations:
- When you create multiple groups with entities of the same combination of types (for example, suppose that you have two restriction groups that include users and customers), use groups of the same basic type (either A or B). (Otherwise, if you were to add the same entity to multiple groups of different types, the result may not be what you expect.)
- To configure the required visibility of entities, you can combine direct and inverse restriction groups of the same basic type (either A or B), as was done in the solution of Usage Example 2. Thus, you can combine groups of types A and A Inverse, and groups of types B and B Inverse.
- If you want to hide particular entities from the majority of users, include the entities and the users who should see the entities in a group with direct restriction (type A or B).
- If you want to hide particular entities from a small number of users, add the entities and the users who shouldn't see the entities to a group with inverse restriction (type A Inverse or B Inverse).