Authorization by roles - Settings

Settings in (MNS405)

Roles are defined independently of company in 'Roles. Open' (MNS405), and the same roles apply for all companies in the database.

On (MNS405/E), it is possible but not mandatory to automatically create authorization by roles setup records (see SES400), and authorization by users (see 'Authorization by User. Display' (SES401)) for a specific company and division.

Authorization by roles 'Authorization by User. Display' (SES401) will be created for all users connected to the role. Only functions where authorization is required, as defined in 'Function. Open' (MNS110), will be considered and only new combinations will be generated. Existing authorization by roles will not be changed or removed.

Note: If you want to restrict access in all company and divisions for a specific function, we recommend that you activate the 'Authorization required' field on (MNS110/E) for all functions you made entries for in (SES400).

If you only want to restrict access in a specific division, or some divisions in a single company, you should deactivate the 'Authorization required' field on (MNS110/E).

Settings in (MNS410)

In 'Roles per User. Connect' (MNS410), roles per user are defined independently of company with or without validity dates. A user can be connected to several roles at the same time. Each connection of user and role can have validity dates to enable temporary authorization by roles, such as vacation replacements.

Authorization by role in (SES400)

In the authorization by roles setup in 'Function. Connect Authorization by Role' (SES400), you define which functions are permitted per role and per company and division.

Note:  Functions where an authorization check is required must be defined here if they should be accessible to users connected to the current role.

A role can have different authorization by roles for the same functions in different companies.

Only active records (status 20) create authorization by roles. Direct setup to programs is possible (the function does not need to exist in MNS110).

In the authorization by roles setup details, you define the basic options, related options, and functions keys that will be permitted.

Buttons are provided to select or clear check boxes for all options or function keys before fine-tuning the setup.

Note: The status must be set to 20 (Active) to create authorization by roles.
Note: If a function is connected to several roles and you delete one of the function/role records, then you must select option 2='Change' for the remaining function/role records to activate them again.

If, instead of deleting a function record, you deactivate it to status 10 (SES400/E), then you do not need to select option 2 for the remaining function/role records. They will continue to be activated.

Authorization by user in (SES401)

You can monitor records in the authorization by roles table by viewing the result of the setup by 'Authorization by User. Display' (SES401). Although the setup is done by function and role, authorization by roles are created per program and user to gain system performance and to enable special setup per user interaction programs. The authorization by roles table contains one record for each combination of program, user, company, and division.

Note: Programs that inherit functional security are included in the authorization by roles table. The authorization by roles table is automatically updated when:
  • A record is created, changed, or deleted in the authorization setup 'Function. Connect Authorization by Role' (SES400).
  • A record is created, changed, or deleted in 'Roles per User. Connect' (MNS410).
  • A record is deleted in 'Roles. Open' (MNS405).
  • System date changes - The authorities by roles are rebuilt, including the validity date check, when auto job (SES900) is started.

On (SES401/E), you can view the details for displaying authorization by roles as a result of the authorization by roles setup.

Authorization by roles are valid per user and program, whereas the permission setup in (SES400) is maintained per role and function.

Note:  Authorization by roles are updated in a background job (SES900). It can take a while before the authorization by roles are updated.

Creating a new role

When creating a new role, it can be useful to copy the connected users and to also copy the connected authorization by roles.

Recreate authorization per user in (SES990)

'Authorization per User. Re-Create' (SES990) allows you to correct or update CMNPUS in 'Authorization by User. Display' (SES401) according to the entries in MNS110/MNS112/MNS150/MNS151/MNS405/MNS410/SES400.

Note:  This program should be called with auto job (SES900) running. While running 'Authorization per User. Re-Create' (SES990), users may experience accessibility issues with affected programs. We recommend for users to not be given access to the system while (SES990) is running.

Mass update in (MNS905)

'Function. Mass Update' (MNS905) can be run to update authorization required in (MNS110) as per the specified selection criteria:

Restrictions to functions for limited license users

The limited license user type controls what functions are accessible to a user, and how many predefined programs they can run. The default is 10.

To set up a limited licensed user, follow these steps:

  1. Define which user is to be a limited license user type in (MNS150).
  2. Set up a role in (MNS405) to be a limited type.
  3. Connect the limited license type user to the relevant role in (MNS410).
  4. Define the programs to be allowed in (SES403).

When starting a program or API, the authority check first checks if the user is of a limited system license type. If true, a check is made against (SES403) based on the limited system role the user is connected to. If the program is found, the normal authorization checks are carried out. If the program is not found, the user is not allowed to run the program. This is carried out regardless of the authorization parameter in (MNS110).

Limited license user limitations

Related topics