Combination of security groups
When you add users to multiple security groups, the authorization privileges of the security groups combine except for security groups that are set as independent.
- If you specify that a security group is independent, privileges do not combine with other security groups.
- The privileges of all other security groups are combined.
- When you combine privileges, the highest privileges prevail. If a user belongs to multiple security groups that define the same privilege at different levels, the user has the highest privilege. For example, security group A has a purchase order limit of $5,000. Security group B has a purchase order limit of $10,000. A user who is a member of both security groups has a purchasing limit of $10,000.
- Using the Security Controls action in the Security Groups application or Users application, you can specify the group that applies to all users, the MAXEVERYONE group. The MAXEVERYONE group always combines, even if the group is specified as independent.
Combination rules in a multiple site environment
Combining privileges is useful when you have multiple sites. Typically, you set up security groups that only define site access. You set up other security groups to define application privileges, purchasing approval limits, and so on. For example, your organization has three sites: site 1, site 2, and site 3. You have a user for whom you created a security profile that includes site 1 and associated privileges. You want the user to have the same privileges at site 2; therefore, you add site 2 to the profile for the user.
You can also define some security groups as independent, so that when you combine security groups, a user has a set of privileges at one site and a different set of privileges at another site.
Combination rules for data restrictions
- If a user is a member of multiple groups, and you specify data restrictions on one of those security groups, the user is granted the highest privileges across the security groups. For example, take two security groups: the Managers security group and the Maintenance security group. The user has access to pay rate information in the Managers security group, but does not have access to the information in the Maintenance security group. When the two security groups are combined, the user has access to pay rate information in the Maintenance group.
- When you add a user to a security group that has data restrictions, the restrictions are added to the security profile for the user. This action can reduce the access rights that were otherwise granted by the combined security groups. Data restrictions always combine across security groups by using the OR operator. For example, take two security groups: one security group contains a READONLY data restriction condition ":orgid = 'EAGLENA'". The second security group contains a READONLY data restriction condition ":orgid = 'EAGLEUK'". The restrictions combine to make the object or attribute read-only if the ORGID is EAGLENA _OR_ EAGLEUK.
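The following Python model is an added illustration of the two rules above (privileges combine upward except for independent groups, with MAXEVERYONE always combining, and data restrictions accumulating with OR). It is not Maximo code; the group names, the po_limit privilege, and the SecurityProfile/build_profiles names are hypothetical, and the sample groups are constructed to mirror the $5,000/$10,000 and EAGLENA/EAGLEUK examples on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed illustration of the combination rules; group names and the
# po_limit privilege are hypothetical, not Maximo's own implementation.
MAXEVERYONE = "MAXEVERYONE"


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    independent: bool = False
    sites: Tuple[str, ...] = ()
    po_limit: float = 0.0  # hypothetical privilege: purchase order limit
    # READONLY data restrictions as (attribute, value) equality conditions
    readonly_conditions: Tuple[Tuple[str, str], ...] = ()


@dataclass
class SecurityProfile:
    sites: set = field(default_factory=set)
    po_limit: float = 0.0
    readonly_conditions: list = field(default_factory=list)

    def absorb(self, group: SecurityGroup) -> None:
        self.sites |= set(group.sites)
        # Privileges combine upward: the highest value prevails.
        self.po_limit = max(self.po_limit, group.po_limit)
        # Data restrictions accumulate; they are evaluated with OR below.
        self.readonly_conditions.extend(group.readonly_conditions)

    def is_read_only(self, record: Dict[str, str]) -> bool:
        # Restrictions combine with OR: any matching condition makes the
        # object read-only for this profile.
        return any(record.get(attr) == value
                   for attr, value in self.readonly_conditions)


def build_profiles(groups: List[SecurityGroup]) -> Dict[str, SecurityProfile]:
    """Fold a user's groups into profiles.

    All combining groups (and MAXEVERYONE, even when flagged independent)
    merge into the 'combined' profile; every other independent group keeps
    a profile of its own, so its privileges never raise the combined ones.
    """
    profiles = {"combined": SecurityProfile()}
    for group in groups:
        if group.independent and group.name != MAXEVERYONE:
            solo = SecurityProfile()
            solo.absorb(group)
            profiles[group.name] = solo
        else:
            profiles["combined"].absorb(group)
    return profiles


# Constructed sample groups mirroring the page's examples.
SAMPLE_GROUPS = [
    SecurityGroup("GROUP_A", sites=("SITE1",), po_limit=5000,
                  readonly_conditions=(("orgid", "EAGLENA"),)),
    SecurityGroup("GROUP_B", sites=("SITE2",), po_limit=10000,
                  readonly_conditions=(("orgid", "EAGLEUK"),)),
    # Independent: its $20,000 limit must not leak into the combined profile.
    SecurityGroup("AUDIT", independent=True, sites=("SITE3",), po_limit=20000),
    # Flagged independent, but MAXEVERYONE always combines.
    SecurityGroup(MAXEVERYONE, independent=True, sites=("SITE1",)),
]

if __name__ == "__main__":
    profiles = build_profiles(SAMPLE_GROUPS)
    for name, profile in profiles.items():
        print(name, sorted(profile.sites), profile.po_limit)
    print("EAGLENA read-only:",
          profiles["combined"].is_read_only({"orgid": "EAGLENA"}))
```

Running the block shows the combined profile at $10,000 (not the independent AUDIT group's $20,000) and a record with ORGID EAGLENA or EAGLEUK reported read-only, which is the "highest privilege wins, restrictions OR together" behaviour an administrator should expect when reviewing a user's effective profile.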
Combination rules for approval limits and tolerances
- The limits and tolerances that you authorize for a security group are at the organizational level. Users inherit authorizations for only those sites to which they have access.
- If there are two different values for the same approval limit, the higher value is applied to the security profile for the user.
- If there are two different values for the same tolerance type, the higher value is applied to the security profile for the user.
- If there are two different values for the same tolerance type, but the security groups that grant the tolerance amount have sites in different organizations, the higher value for sites within the same organization is applied to the security profile for the user.
- If a user has access to two different organizations with different limits and tolerances in each organization, the user inherits the limits and tolerances for each site to which the user has access in each organization.
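As an added worked example of the limit and tolerance rules above (not Maximo code), the following Python resolves per-site limits for a user whose groups span two organizations. Site, organization and group names are constructed, and the effective_limits function is a hypothetical reading of the rules: a group's limit is organizational, so it contributes to every site the user can access in that organization, and the highest value among contributing groups wins, while groups whose sites lie in a different organization do not contribute.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: which organization each site belongs to.
# Site, organization and group names are hypothetical.
SITE_ORG = {"BEDFORD": "EAGLENA", "NASHUA": "EAGLENA", "LONDON": "EAGLEUK"}


@dataclass
class GroupLimits:
    name: str
    sites: Tuple[str, ...]
    po_limit: float  # approval limit, granted at the organizational level
    tolerances: Dict[str, float] = field(default_factory=dict)  # type -> %


def effective_limits(groups: List[GroupLimits],
                     site_org: Dict[str, str] = SITE_ORG) -> Dict[str, dict]:
    """Resolve the per-site limits and tolerances a user inherits.

    Limits are organizational, so for each site the user can access only
    the groups that grant sites in that site's organization contribute,
    and the highest value among them is applied.
    """
    user_sites = {site for g in groups for site in g.sites}
    resolved = {}
    for site in sorted(user_sites):
        org = site_org[site]
        contributing = [g for g in groups
                        if any(site_org[s] == org for s in g.sites)]
        tolerances: Dict[str, float] = {}
        for g in contributing:
            for ttype, amount in g.tolerances.items():
                tolerances[ttype] = max(tolerances.get(ttype, 0.0), amount)
        resolved[site] = {
            "organization": org,
            "po_limit": max(g.po_limit for g in contributing),
            "tolerances": tolerances,
        }
    return resolved


# Constructed sample groups: two in EAGLENA, one in EAGLEUK.
SAMPLE_GROUPS = [
    GroupLimits("NA_BUYERS", ("BEDFORD",), 5000, {"PRICE": 5}),
    GroupLimits("NA_APPROVERS", ("NASHUA",), 10000, {"PRICE": 10}),
    GroupLimits("UK_BUYERS", ("LONDON",), 25000, {"PRICE": 2}),
]

if __name__ == "__main__":
    for site, limits in effective_limits(SAMPLE_GROUPS).items():
        print(site, limits)
```

The output shows the EAGLENA sites at the $10,000 limit and 10% tolerance (the higher of the two EAGLENA groups) and LONDON at $25,000 and 2%: the UK group's larger limit does not raise the North American sites, and the North American tolerance does not apply in the UK.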
Combination rules for general ledger components
- If any of the security groups to which a user belongs grants authorization to change all general ledger components or specific general ledger components, the security profile for the user reflects the maximum amount of general ledger component authorization.
- If you do not authorize a security group to change all general ledger components, and you do not authorize individual components for the security group, a user cannot change general ledger components.
- The general ledger component authorizations specified for security groups apply to all of the applications, sites, and organizations for those security groups for the user.
- The general ledger component authorizations specified for an independent security group apply exclusively to the applications, sites, and the organizations associated with that security group.
Combination rules for labor authorization
- All labor in an organization.
- All labor in the same crew as the user.
- All labor in the same person group as the user.
- All labor that the user supervises.
- Only the labor records for the user.
- Individual labor records that are listed in the table window.
Combination rules for site and storeroom authorization
- A user must have access to both a storeroom and the site for the storeroom before the storeroom authorization is added to the security profile for the user.
- The storeroom authorizations specified for all security groups apply to all sites that are specified for the security groups.
- The storeroom authorizations that are specified for an independent security group apply exclusively to the sites associated with that security group.
- If any of the security groups to which a user belongs grants access to all or specific storerooms at a given site, then the security profile for the user reflects the maximum amount of storeroom access.
- You can give a user access to the Users application and Security Groups application, but not grant that user access to any storeroom records. In this scenario, the user can use these applications to authorize access to all storerooms, but cannot add specific storeroom records.
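The following Python is an added illustration of the site and storeroom rules above, not Maximo code. Storeroom, site and group names are constructed, and effective_storerooms is a hypothetical reading of the rules: a storeroom is authorized only when its site is in scope; combining groups share one site scope made of all their sites, so a storeroom granted by one group becomes usable when another combining group supplies its site; an independent group's storeroom grants apply only to the sites that group itself grants; and an "all storerooms" grant expands to every storeroom at the sites in scope.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample: the site each storeroom belongs to (names hypothetical).
STOREROOM_SITE = {"CENTRAL": "BEDFORD", "GARAGE": "BEDFORD",
                  "PKG": "NASHUA", "UKMAIN": "LONDON"}
ALL = "ALL"  # marker for an "all storerooms" authorization


@dataclass(frozen=True)
class StoreroomGroup:
    name: str
    independent: bool
    sites: Tuple[str, ...]
    storerooms: Tuple[str, ...]  # storeroom names, or ALL


def _authorized(storerooms: Tuple[str, ...], site_scope: Set[str],
                storeroom_site: Dict[str, str]) -> Set[str]:
    """Storerooms whose site is in scope; ALL expands to every storeroom there."""
    granted: Set[str] = set()
    for entry in storerooms:
        if entry == ALL:
            granted |= {name for name, site in storeroom_site.items()
                        if site in site_scope}
        elif storeroom_site.get(entry) in site_scope:
            granted.add(entry)
    return granted


def effective_storerooms(groups: List[StoreroomGroup],
                         storeroom_site: Dict[str, str] = STOREROOM_SITE
                         ) -> Dict[str, Set[str]]:
    """Per profile, the storerooms a user may access.

    Combining groups pool their sites into one scope and their storeroom
    grants are unioned (maximum access). Each independent group is scoped
    to its own sites only.
    """
    combining = [g for g in groups if not g.independent]
    combined_scope = {site for g in combining for site in g.sites}
    result: Dict[str, Set[str]] = {"combined": set()}
    for g in combining:
        result["combined"] |= _authorized(g.storerooms, combined_scope,
                                          storeroom_site)
    for g in groups:
        if g.independent:
            result[g.name] = _authorized(g.storerooms, set(g.sites),
                                         storeroom_site)
    return result


# Constructed sample groups.
SAMPLE_GROUPS = [
    StoreroomGroup("NA_SITE", False, ("BEDFORD",), ("CENTRAL",)),
    # Grants GARAGE (at BEDFORD) without granting BEDFORD; NA_SITE supplies it.
    StoreroomGroup("NA_STORES", False, ("NASHUA",), ("GARAGE", "PKG")),
    # Independent: PKG is at NASHUA, outside this group's own site scope.
    StoreroomGroup("UK_INDEP", True, ("LONDON",), (ALL, "PKG")),
]

if __name__ == "__main__":
    for profile, rooms in effective_storerooms(SAMPLE_GROUPS).items():
        print(profile, sorted(rooms))
```

The combined profile ends up with CENTRAL, GARAGE and PKG, while the independent UK group yields only UKMAIN: its PKG grant is dropped because the group does not grant the NASHUA site, and the combined groups' sites do not extend an independent group's scope.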