Organization and geography
You can restrict user access to records based on the relationship between individual records and Organization and Geography. The definition of a group in the Security Manager includes the System Organization and System Geography fields in the Data Access section of the General tab.
Most business objects have a field that is named OrgName and a field that is named GeographyName. These fields are in the business object's General section. These fields are automatically supplied by the IBM TRIRIGA Application Platform. Because the platform automatically adds these fields, they do not appear in the Data Modeler. They do appear in the Form Wizard as part of the layout.
The OrgName field can have as its value any Organization record. The GeographyName field can have as its value any Geography record. The Geography hierarchy and the Organization hierarchy can be accessed in the Portfolio menu.
A new record inherits the System Organization and System Geography values of the currently logged in user as default values. For example, if Sam is logged in and has the values ZetaBank and US for these fields in his My Profile record, then most new records he creates have these values by default.
By default, many dependent child records inherit their System Organization and System Geography values from their parent records. For example, a new clause in a real estate contract inherits from the parent contract.
If a record's System Organization field has a value, the value of the field may restrict the users that can access the record. Users can access a record if they are a member of at least one security group that contains a System Organization value that is the same as or higher in the hierarchy than the organization contained in the record's System Organization field.
If a record's System Geography field has a value, the value of the field may restrict the users that can access the record. Users can access a record if they are a member of at least one security group that contains a System Geography value that is the same as or higher in the hierarchy than the geography contained in the record's System Geography field.
Attention: The logged in user's System Organization and System Geography values do not control any access rights. It is the security groups that the user is a member of that control access rights.
It is possible for a record to not have a value for the System Organization or System Geography fields. If a record's System Organization field has no value, the record is treated as though the value is \Organizations. If a record's System Geography field has no value, the record is treated as though the value is \Geography.
The following table summarizes the relationship between a record's System Organization field and a group's System Organization field.
| | Record System Organization is blank | Record System Organization is \Organizations | Record System Organization is NOT blank |
|---|---|---|---|
| Group System Organization is blank | User in group DOES see record in queries and forms | User in group DOES NOT see record in queries or forms | User in group DOES NOT see record in queries or forms |
| Group System Organization is \Organizations | User in group DOES see record in queries and forms | User in group DOES see record in queries and forms | User in group DOES see record in queries and forms |
| Group System Organization is not blank | User in group DOES see record in queries, but does NOT see record in forms. Note: In UX apps, records shown to users are records in queries. | User in group DOES NOT see record in queries or forms | User in group DOES see record in queries and forms if the value in the group System Organization is at the same hierarchy level as or at a higher level than the value in the record System Organization |
The following table summarizes the relationship between a record's System Geography field and a group's System Geography field.
| | Record System Geography is blank | Record System Geography is \Geography | Record System Geography is NOT blank |
|---|---|---|---|
| Group System Geography is blank | User in group DOES see record in queries and forms | User in group DOES NOT see record in queries or forms | User in group DOES NOT see record in queries or forms |
| Group System Geography is \Geography | User in group DOES see record in queries and forms | User in group DOES see record in queries and forms | User in group DOES see record in queries and forms |
| Group System Geography is not blank | User in group DOES see record in queries, but does NOT see record in forms. Note: In UX apps, records shown to users are records in queries. | User in group DOES NOT see record in queries or forms | User in group DOES see record in queries and forms if the value in the group System Geography is at the same hierarchy level as or at a higher level than the value in the record System Geography |
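The two tables above, written as a decision function for reviewing group scopes. This is an added example, not IBM TRIRIGA code: the function names, the backslash-separated child paths such as `\Organizations\ZetaBank\Retail`, and the way results from several groups are combined (a record is visible if at least one group shows it) are assumptions made for illustration.

```python
ORG_ROOT = "\\Organizations"   # root values named on the page
GEO_ROOT = "\\Geography"

def same_or_higher(group_value, record_value):
    """True if the group value equals the record value or sits above it.

    Compares whole path segments, so \\Organizations\\Zeta is NOT treated
    as a parent of \\Organizations\\ZetaBank (a plain prefix test would be).
    """
    g, r = group_value.split("\\"), record_value.split("\\")
    return r[:len(g)] == g

def group_visibility(group_value, record_value, root=ORG_ROOT):
    """Return (in_queries, in_forms) for one security group, per the table."""
    if not group_value:                      # row 1: group value is blank
        seen = not record_value              # only blank records are shown
        return (seen, seen)
    if group_value == root:                  # row 2: group is at the root
        return (True, True)
    if not record_value:                     # row 3, blank record:
        return (True, False)                 # queries yes, forms no
    # Row 3, remaining columns. A record set to the root value is never at
    # or below a non-root group, so the hierarchy test returns False for it.
    seen = same_or_higher(group_value, record_value)
    return (seen, seen)

def user_visibility(group_values, record_value, root=ORG_ROOT):
    """Combine all groups a user belongs to (assumed: any group suffices)."""
    results = [group_visibility(g, record_value, root) for g in group_values]
    return (any(q for q, _ in results), any(f for _, f in results))

if __name__ == "__main__":
    # Constructed sample data: one user in two groups, three records.
    groups = ["\\Organizations\\Acme", "\\Organizations\\ZetaBank"]
    for record in ["", ORG_ROOT, "\\Organizations\\ZetaBank\\Retail"]:
        print(repr(record), user_visibility(groups, record))
```

Pass `root=GEO_ROOT` to evaluate the System Geography table, which has the same shape.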
After you add, update, or delete a System Organization or a System Geography, clear the Security Scope cache in the Administrator Console. For more information about the Administrator Console, see the IBM TRIRIGA Application Platform: Administrator Console User Guide.