To set up authorization by roles in 'Function. Connect Authorization by Role' (SES400), define the functions that a role is permitted to use in different companies and divisions.
The authorization by roles set up enables control of authorization by roles for all options (option 1 - 99) and for all function keys.
A role can have different authorizations by roles in different companies and divisions. For example, the role SALESCLERK can have different authorities by roles in company 100 and 200, or different authorization by roles in division AAA and BBB within the same company.
Authorization by roles can be applied directly to programs with panels for user interactions. This only applies if the function only exists in (MNS110).
When authorization by roles are applied directly to programs that inherit authorization by roles, the direct setup overrides the inheritance.
If you want a user or a user group to be restricted to a specific program (not in the menu), you have to specify a connection between a function and this program in (MNS112) and activate the restriction in 'Function. Connect Authorization by Role' (SES400).
Consider this scenario as an example: In (MNS112), the (MMS121) program is connected to the (MMS120) function. In 'Function. Connect Authority by Role' (SES400), a user or user group is restricted to enter the (MMS120) function. As a result, the user cannot enter MMS120 from the menu, and consequently not (MMS121). The user cannot enter (MMS121) from (OIS101). The user cannot enter (MMS121) from (MMS101). The user cannot enter (MMS120) and (MMS121) at all. In conclusion, it does not matter if (MMS121) is connected to (MMS120) or (OIS300) or (MMS100) function or to another function. The user will be denied access to (MMS121) regardless of where (MMS121) is started from.
The least restrictive principle applies if a user is connected to several roles with different authorizations by roles for a certain function.