Administering user group permissions

You can administer the permissions that a user group has throughout the Console and Applications Manager applications. You can allow or disallow permissions for an entire module or on a screen-by-screen or function-by-function basis. These permissions apply to all of the users in the user group.

About this task

Note: The user administering the permissions is only able to administer permissions for those action and views that he or she has rights to administer. Therefore, it is suggested that each organization have one single user who administers permissions for his or her own organization.

To set up user group permissions:

Procedure

  1. Log in to the Applications Manager.
  2. Click Applications from the menu bar and then click Application Platform.
  3. From the tree in the application rules side panel, choose Security > Groups. The Groups window displays in the work area.
  4. From the Group Details window, choose the Permissions tab.
  5. Locate the module that you want to add and/or revoke permissions for and choose the Permission button. The Permissions tree for the corresponding module displays.
  6. If you want to allow permissions for an entire module, highlight the module you want to allow permissions for and choose the Grant All icon. To disallow permissions for an entire module, highlight the module and choose the Revoke All icon.

    You can also view the list of users who have permission to access the entity by performing a right-click and choosing the Zoom In icon.

    Note: If you want to revoke permissions to a particular menu for a given user group, you need to revoke all of the permissions for screens that can be selected under the menu option for which you are revoking permissions. For example, if you uncheck the System Management Console and all of its associated screens and functions, users do not see the System Management Console menu option in the Application Console.
  7. If you want to allow permissions on a screen-by-screen or function-by-function basis, expand the application that you want to allow permissions for and highlight the screens that you want to allow and choose the Grant icon. To disallow permissions on a screen-by-screen or function-by-function basis, highlight the screens and choose the Revoke icon.
    Note: The permissions tree displays the pricing screens and functions for both the new and old pricing functionality. If you are using the new pricing functionality, permissions should be assigned to the new pricing functions. If you are using the old pricing functionality, permissions should be assigned to the old pricing screens.
  8. If you are configuring permissions for a group that has access to the Application Console, choose the Cross Application Permission button and expand the Application > Sterling Order Management System Console > Override branch and enable any of the following permissions as needed:
    • The Display Decrypted Primary Payment Attributes permission determines whether sensitive payment information such as credit card name, credit card expiration date, customer account number or primary payment reference is displayed or masked in the Application Console.

      If Sterling Order Management System is configured to encrypt primary payment attributes, and the Display Decrypted Primary Payment Attributes permission is granted, the Application Console determines whether to call the getDecryptedString API to decrypt and display sensitive payment information.

      Note: Encryption and decryption of credit card numbers and stored value card numbers has been deprecated. IBM® recommends that credit card numbers, debit card numbers, and stored value card numbers should not be encrypted. Instead, they should be tokenized and stored securely in an external vault system. As a result, credit card numbers, debit card numbers, and stored value card numbers cannot be viewed in the Application Console.
    • To grant the Application Console the ability to make modifications to documents that are normally not allowed based on the status modification rules you have configured (reference), grant the Override Modification Rules permission. For example, you may not allow regular users to modify the instructions of a released sales order. However, specific users should be able to add instructions on exception conditions. When this permission is granted, the user is able to make the appropriate overriding modifications in the order console.
      Note: To indicate that a particular field can be only be modified through this user group permission, the Sterling Order Management System Console displays this field as editable, with a blue background.
    • To grant the Application Console the ability to view the stack trace error messages, grant the Display Error Details permission.
  9. Choose the Save icon after configuring the permissions.
    Note: If you are configuring permissions for a group that has access to the Application Console, choose the Cross Application Permission button and expand the Application > Sterling Order Management System Console > Override branch. Select Display Sensitive Payment Information if you want the users in this group to be able to see sensitive payment information, such as credit card name, credit card expiration date, customer account number, or primary payment reference in the Application Console. Select Override Modification Rules if you want the permissions that you have configured for this group to override any modification rules that you have configured. Otherwise, leave this box unchecked and the configured modification rules are always applied.
    Note: The user groups provided by default in the Applications Manager are sample user groups and must be used only for reference purposes. On your production environment, you must create new user groups and assign them appropriate resource permissions according to your business needs.