Roles are defined independently of company in 'Roles. Open' (MNS405), and the same roles apply for all companies in the database.
On (MNS405/E), it is possible but not mandatory to automatically create authorization by roles setup records (see SES400), and authorization by users (see 'Authorization by User. Display' (SES401)) for a specific company and division.
Authorization by roles records (see 'Authorization by User. Display' (SES401)) will be created for all users connected to the role. Only functions where authorization is required, as defined in 'Function. Open' (MNS110), will be considered and only new combinations will be generated. Existing authorization by roles will not be changed or removed.
If you only want to restrict access in a specific division, or some divisions in a single company, you should deactivate the 'Authorization required' field on (MNS110/E).
In 'Roles per User. Connect' (MNS410), roles per user are defined independently of company with or without validity dates. A user can be connected to several roles at the same time. Each connection of user and role can have validity dates to enable temporary authorization by roles, such as vacation replacements.
In the authorization by roles setup in 'Function. Connect Authorization by Role' (SES400), you define which functions are permitted per role and per company and division.
A role can have different authorization by roles for the same functions in different companies.
Only active records (status 20) create authorization by roles. Direct setup to programs is possible (the function does not need to exist in MNS110).
In the authorization by roles setup details, you define the basic options, related options, and function keys that will be permitted.
Buttons are provided to select or clear check boxes for all options or function keys before fine-tuning the setup.
If, instead of deleting a function record, you deactivate it to status 10 (SES400/E), then you do not need to select option 2 for the remaining function/role records. They will continue to be activated.
You can monitor records in the authorization by roles table by viewing the result of the setup in 'Authorization by User. Display' (SES401). Although the setup is done by function and role, authorization by roles are created per program and user to improve system performance and to enable special setup per user interaction programs. The authorization by roles table contains one record for each combination of program, user, company, and division.
On (SES401/E), you can view the details for displaying authorization by roles as a result of the authorization by roles setup.
Authorization by roles are valid per user and program, whereas the permission setup in (SES400) is maintained per role and function.
When creating a new role, it can be useful to copy the connected users and to also copy the connected authorization by roles.
'Authorization per User. Re-Create' (SES990) allows you to correct or update CMNPUS in 'Authorization by User. Display' (SES401) according to the entries in MNS110/MNS112/MNS150/MNS151/MNS405/MNS410/SES400.
'Function. Mass Update' (MNS905) can be run to update authorization required in (MNS110) as per the specified selection criteria:
The limited license user type controls what functions are accessible to a user, and how many predefined programs they can run. The default is 10.
To set up a limited licensed user, follow these steps:
When starting a program or API, the authority check first checks if the user is of a limited system license type. If true, a check is made against (SES403) based on the limited system role the user is connected to. If the program is found, the normal authorization checks are carried out. If the program is not found, the user is not allowed to run the program. This is carried out regardless of the authorization parameter in (MNS110).
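The order of checks described above can be modeled in a few lines. This is an added illustration, not Infor code: the data structures, the placeholder program, role and user names, the "fail closed" default for programs missing from MNS110, and the on-the-fly role evaluation (the real system reads pre-generated per-user records) are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data; program, role and user names are placeholders.
AUTH_REQUIRED = {"PGM_A": True, "PGM_B": True, "PGM_C": False}  # MNS110 flag
# SES400 setup: (role, program, company, division) -> status (20 = active)
SES400 = {("BUYER", "PGM_A", 100, "AAA"): 20,
          ("BUYER", "PGM_B", 100, "AAA"): 10}   # status 10 = deactivated
SES403 = {"LIM_BUYER": {"PGM_A"}}  # programs allowed per limited system role

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)  # MNS410: (role, valid_from, valid_to)
    limited_role: str = ""                     # set only for limited license users

def active_roles(user, today):
    """Roles whose validity window covers today (None means open-ended)."""
    return [r for r, start, end in user.roles
            if (start is None or start <= today) and (end is None or today <= end)]

def normal_check(user, program, company, division, today):
    """Assumed model of the normal check: open if authorization is not
    required, otherwise an active SES400 record must exist for a valid role."""
    if not AUTH_REQUIRED.get(program, True):   # unknown program: fail closed
        return True
    return any(SES400.get((r, program, company, division)) == 20
               for r in active_roles(user, today))

def may_run(user, program, company, division, today):
    # Limited license gate runs first, regardless of the MNS110 parameter.
    if user.limited_role and program not in SES403.get(user.limited_role, set()):
        return False
    return normal_check(user, program, company, division, today)

ALICE = User("ALICE", [("BUYER", None, None)])
TEMP = User("TEMP", [("BUYER", date(2024, 7, 1), date(2024, 7, 14))])
LIMITED = User("LIMITED", [("BUYER", None, None)], limited_role="LIM_BUYER")

if __name__ == "__main__":
    day = date(2024, 7, 10)
    for u in (ALICE, TEMP, LIMITED):
        print(u.name, {p: may_run(u, p, 100, "AAA", day) for p in AUTH_REQUIRED})
```

The case worth noting when reviewing access is PGM_C: it is open to ordinary users because authorization is not required, yet the limited license user is still denied because it is not listed for that user's limited system role.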