Authorization methodology differences
Users can be assigned to multiple user groups. If a user is linked to two user groups, one with filters and one without filters, the functional/data access is different:
Combining data and functional access | Separating data and functional access |
|---|---|
the access rights of users expands, granting full access/allowing all actions. | Access rights of users is decreased, limiting the access/available actions. |
When using authorization links, and a user is linked to two user groups, one with links and one without links, the functional/data access is different:
Combining data and functional access | Separating data and functional access |
|---|---|
The link is only applied to the data set of the linked user group | The link is applied to the data set of both user groups. |
Examples
The following scenarios will further help understand the authorization methodology differences.
Imagine three users having access to all, or parts of the following data:
Data set Amsterdam | ||
|---|---|---|
Total number of orders | Orders > €1000 | Orders < €1000 |
750 | 250 | 500 |
Data set Maastricht | ||
|---|---|---|
Total number of orders | Orders > €1000 | Orders < €1000 |
550 | 300 | 250 |
Combining functional and data access
Each user group has its own function profile and action filter.
Separating functional and data access
Only a single function profile is required, splitting role (fields, actions, etc.) and data access.
Combining functional and data access (and using authorization links)
The filter is only applied to one data set, limiting data access for this data set only.
Separating functional and data access (and using authorization links)
The filter is taken into account for both data sets, limiting the data access.
 | System reports available in Authorization provide an overview of authorization per business object/user group. For more information, see System Reports - Authorization. |