Linking authorization filters to user groups
Authorization filters can be linked to user groups in order to specify the data the user group is authorized to access. Proceed as follows to link an authorization filter to a user group.
Procedure
1. Go to Authorization > Filters selection level.
Here you can add or delete actions, business objects and authorization filters. Action authorization filters are linked to a user group in order to specify the actions (e.g. Read, Save, Delete etc.) that can be performed on the filtered data from the authorization filter.
 | • In the Business objects selection level, the field Is authorized? of a business object must be set to Yes, in order to add an authorization filter on it. • Adding, deleting, updating action filters is subject to security logging. For more information about this topic,see Security logging (Administrator’s Guide). |
2. In the Action authorization selection step, click Add on the action menu.
3. Select the required authorization filter in the Authorization filter field.
4. Select the required action in the Actions field.
5. Select the User group to which you want to link the action filter.
The selected action determines what users are allowed to do with the data (view, modify, copy etc).
For example: a Read filter (action=Cancel) is set on the property business object (property=North). This filter is linked to the Security North user group. This means that the users from the Security North user group are allowed to view but not modify the information from property North. In addition, users belonging to Security North will not be able to view properties from other regions.
| | • It is not possible to link the Add action to an authorization filter, since this action is included as part of the Save action (the Add action is used when the user clicks Save). Therefore, a filter on the Save action suffices. • After you have unlinked an authorization filter from a user group, you need to refresh the cache of the webserver to deactivate the working of the filter. |
 | If no authorization filter has been linked to a user group, then users belonging to that user group will have access to all data from the business objects of the linked function profile. The rights to access this data will then at least be read-only. |
Combining filters
Authorization filters are combined in the following way:
• Authorization filters combined in a single user group. Combining two authorization filters in a single user group is only possible if they are linked to different actions. The result is the sum of both filters: the user gets fewer rights. For example: the filters Region North and Orders worth less than €5000 have been linked to a user group. The members of this user group only see the orders of region North that are worth less than €5000.
• If a user is a member of two user groups, the authorization filters in both user groups are combined and the user gets more rights. For example: a user who is member of the user groups Service Desk North and Service Desk South will be able to view all data of both regions North and South.
Applying authorization to status transitions:
You can also apply authorization to status transitions of various user groups by using Authorization filters. For example, the following table explains what authorization conditions can be set on each status of the Person business object:
Status | Example conditions |
|---|---|
Approved | Approval by field must be filled in with the logged in user(&Person) |
Administratively completed | Costs incl. VAT field must contain a value greater than 0. |
Question to requestor | Question field must contain a value. |
In preparation | Coordinator field must contain a value. |