Authorization methodology differences
Users can be assigned to multiple user groups. If a user is linked to two user groups, one with filters and one without filters, the functional/data access is different:
Combining data and functional access | Separating data and functional access |
---|
the access rights of users expands, granting full access/allowing all actions. | Access rights of users is decreased, limiting the access/available actions. |
When using authorization links, and a user is linked to two user groups, one with links and one without links, the functional/data access is different:
Combining data and functional access | Separating data and functional access |
---|
The link is only applied to the data set of the linked user group | The link is applied to the data set of both user groups. |
Examples
The following scenarios will further help understand the authorization methodology differences.
Imagine three users having access to all, or parts of the following data:
Data set Amsterdam |
---|
Total number of orders | Orders > €1000 | Orders < €1000 |
---|
750 | 250 | 500 |
Data set Maastricht |
---|
Total number of orders | Orders > €1000 | Orders < €1000 |
---|
550 | 300 | 250 |
Combining functional and data access:
Each user group has its own function profile and action filter.
Separating functional and data access:
Only a single function profile is required, splitting role (fields, actions, etc.) and data access.
Combining functional and data access (and using authorization links):
The filter is only applied to one data set, limiting data access for this data set only.
Separating functional and data access (and using authorization links):
The filter is taken into account for both data sets, limiting the data access.
| System reports available in Authorization provide an overview of authorization per business object/user group. For more information, see . |