Technical Articles
How to set up access restrictions in Business ByDesign
In this blog, we are going to see how to restrict the business users from reading or editing the data in Business ByDesign
There are two ways to configure access restrictions to the Business Users.
- Creating a Business Role and assigning it to Business Users.
- Assigning the Access Restrictions using Edit Access Rights option in Application and User Management.
Assigning Access Restrictions using Business Role:
1. Go to Application and User Management -> Business Roles.
2. Click New -> Business Role and Enter the Business Role id.
3. In the Next Tab Work Center and View Assignments, Select the work centers you want to assign to this Business Role.
4. In the Next screen, you need to define, how you are going to restrict the access to the Work centers ( Here we are taking the example of Accounts Work centre).
5. Select the Read Access as restricted for the work center view BPM_ACCOUNTS. Once you select the Read Access as Restricted, you can see that Restriction Rule drop down was enabled below. If there is no restriction selected, then the user will have unrestricted read and write access to the work center view.
Note : Only the view with Access Context can be restricted. In this case, only the views BPM_ACCOUNTS, BPM_HIGHVOLUMEACCOUNTS,CRM_ACTIVITIES can be restricted.
6. In the next step, you need to define how you are going to restrict the access using the Restriction Rule. For the work center view BPM_ACCOUNTS, there are two restriction rules available
- 01 – Restrict to Employee – If you choose this restriction rule, Business Users can only see the Accounts for which he is the Employee Responsible.
- 99 – Define Specific Restrictions – If you choose Access Restriction 99, you need to select theĀ Employees manually and when the Business User logins into the system, Business User can see all the Accounts where the selected Employees are Employee Responsible.
- Note : 99 Restriction Rule is not recommended in case you have huge amount of data in the system, since it will cause performance issues.
- Go to Application and User Management -> Business User.
- Select the Business User and then click Edit -> Access Rights.
- Go to the Business Role Assignment Tab -> Assign the Business Role to the user and then save.
- Navigate to the Access Restriction tab and you can see that the Access Restriction from Business Roles are copied.
8. Whenever you do any changes in the Business Role after assigning it to the user, you need to do the update using Assigned Users -> Update Users. This will apply the changes made in the Business Roles to the business users.
Assigning Access Restrictions using Manual Assignment:
- Go to Application and User Management -> Business User.
- Select the Business User and then click Edit -> Access Rights.
- Go to Work Center and View assignment tab and then select the work center you want to assign to the user.
Once you assign the work center, you can see those work centers in the Access Restriction Tab.
- In this tab, once you select the read access as Restricted for a particular work center view, system will let you to choose the Employees under Detailed Restrictions. When the Business User logins to the system, he can only see the Accounts for which these employees are Employee Responsible.
Note :
- If there is no Employee Responsible assigned to the Account, Business Users can see those Accounts without any restriction. These Records are called Faceless records and system could not determine any restriction since there is no Employee Responsible maintained for Accounts.
- The Access Restriction Rules varies based on the Acces Context defined for the work center view. (Ex) In case of Suppliers, the access context is based on Company. In that case, Users can only see the Payment Data of the Company for which the access was granted.
- The work center PDI_PARTNER_DEVELOPMENT gives unrestricted access for all the views assigned to the user. Hence, the access restriction won’t work for that user.
Hi Palanikumar Subramanian
Thank you so much for the information, it is really helpful.
Just would like to get your thought on the access context to AR(Invoice Documents) & Inventory Valuation of which the access context is "1007 - Company".
#1: is there anyway with configuration/parameter setting to allow only specific users to access specific customer AR ?
#2: If no, is it possible to change this access context to like "1010 - Employee"?
If there is anything unclear, please kindly let me know.
any good idea will be really welcome.