Assigning Users to Groups

You can set access levels and authorizations for individual users or for groups of users.

Group Authorizations

Default groups might already be set up; for example, assigning a user to an existing Purchasing group allows access to purchasing forms. To modify the forms and permissions for existing groups, use the Object Authorization for Group form. To add or delete groups, use the Groups form.

Caution:  Although the system allows you to modify or delete default groups that are provided with your application, doing so may cause future conversion problems while upgrading and other problems. We recommend you copy the records from the default group to a new group name and modify that. Do NOT delete or modify default groups.

Copy Group From Users

Use the Copy Group From User form to copy a certain user's group authorizations when creating a new or updating an existing user. This is a modal form and can only be accessed from the Users form.

User Authorizations

If a user is not assigned to any group, use the Object Authorizations for User form to determine what forms and privileges are available to that user.

How the Authorizations Work Together

Group authorizations allow you to control multiple users with one group. If an authorization is granted in one group and not granted in a second group, the least restrictive authorization is used.

For example:

  • You can create a group COMaint that has EDIT and UPDATE privileges granted on the Customer Orders form. All other privileges on this form are not granted.
  • You can create another group CO that has EXECUTE and READ privileges granted on the Customer Orders form. All other privileges on this form are not granted.
  • Users in the COMaint group, who only have EDIT and UPDATE privileges, cannot open the Customer Orders form. Users in the CO group, who have EXECUTE and READ privileges, can open the Customer Orders form, but cannot make updates to it.
  • "Power" users who are included in both the CO and COMaint groups can open the Customer Orders form and make updates.

Group authorizations work together. If a user is included in a group where a privilege is granted on a certain form, that granted privilege prevails over any "not granted" setting for the same form in other groups assigned to this user. However, any user authorizations set for individuals override group authorizations defined for a form.

At the User Authorizations level (Object Authorizations for User form), privileges are either granted or revoked. There is only one set of privileges per form or per component per user. Therefore, if a privilege is revoked at the User Authorizations level, the same privilege cannot be granted at the Group Authorizations level (Object Authorizations for Group form).

User authorizations cannot have multiple privileges for the same form or same component. If a form or component is revoked at the User Authorization level, that revoke setting is used regardless of any group privileges that you specify.

If privileges are left blank at the user authorization level, the user is assigned the permissions defined at the group level.

User Authorization Report

In the User Authorization Report, user and group authorizations for forms and IDOs are grouped together by user ID. Row authorizations are grouped together by user ID and group name, and are sorted by IDO and group name. Options on the form let you choose the specific forms or IDOs you want to see in the report. You can see and compare all authorizations for a single user in the same section of the report. This makes it easier for you to determine whether a user has multiple permissions set differently for the same form, through different groups to which the user is assigned.

Related topics