In the Security Groups application, you can combine security
groups to manage the security infrastructure within or across organizations.
When you combine security groups, the following rules apply:
- You cannot combine the privileges of independent security groups.
- You can combine the privileges of security groups that are not
independent.
- When you combine privileges, the highest privileges prevail. If
a user belongs to multiple security groups that define the same privilege
at different levels, the user has the highest privilege. For example,
security group A has a purchase order limit of $5,000. Security group
B has a purchase order limit of $10,000. A user who is a member of
both security groups has a purchasing limit of $10,000.
- When you combine a security group that has data restrictions,
the restrictions are added to the security profile for the user. This
action can reduce the access rights that were otherwise granted by
the combined security groups.
- Using the Security Controls action in the
Security Groups application or Users application, you can specify
the group for all users, the MAXEVERYONE group.
The MAXEVERYONE group always combines,
even if the group is specified as independent.
Combining security in a multiple site environment
Combining
privileges is useful when you have multiple sites. Typically, you
set up security groups that only define site access. You set up other
security groups to define application privileges, purchasing approval
limits, and so on. For example, your organization has three sites,
site 1, site 2, and site 3. You have a user for whom you created a
security profile that includes site 1 and associated privileges. You
want the user to have the same privileges at site 2, therefore, you
add site 2 to the profile for the user.
You can also define
some security groups as independent, so that when you combine security
groups, a user has a set of privileges at one site and a different
set of privileges at another site.