Overview of data security

To reduce the risk of fraud and errors, data authorization is enabled for various business processes, such as Project, Contract, Requisitions, Procurement, Sales, and Warehousing, and for entities such as Item and Business Partners. You can define roles in which the authorization level is set for a range of these entities, based on their associated attributes. This ensures data security.

Benefits of authorization:
  • Improves compliance by allowing only responsible employees to update the master data.
  • Improves the efficiency of the application by preventing incorrect data from being used for transaction purposes (such as creating new transactions).
  • Reduces expenses on stock control and administrative costs because fewer corrections are made.

Business scenarios
  • To achieve a profit margin, a globally operating customer has assigned designated buyers for items and suppliers. Buyers must ensure that the master data of the assigned suppliers and items is correct. After negotiating the prices and conditions for the assigned items with the suppliers (using Requests for Quotations), these authorized buyers must specify them in contracts and/or price books.
  • An organisation divides the sales operations into separate sales offices. Each sales office is responsible for a particular line of business or sales area. Employees working for a sales office that is responsible for a particular line of business are only allowed to sell the items of that line of business.

When authorization objects are authorized as a primary authorization object, only employees with the permission to modify that object can create and maintain the assigned objects. So only an employee who has modify permission for a certain Project can update the master data of that project.

When authorization objects are authorized as a secondary authorization object, only employees with the permission to modify that object can use these secondary authorization objects to create or maintain a primary object. So only an employee with the permission to modify a range of purchase orders and use or modify permission for an item can create purchase orders within the authorized range and use only assigned items on the order lines. However, if a purchase order within the assigned range contains lines with items for which the employee is not authorized, this employee can still view and maintain the order (primary object) but can only view the secondary object. When changing the order line, the employee can only view and use the assigned items.

Example

An employee is authorized to modify all the purchase orders linked to the assigned purchase office. This employee is also authorized to use only business partners A and B. This employee can:

  • Create purchase orders only for business partners A and B.
  • Approve or release to Warehousing all the purchase orders of this purchase office, including the purchase orders from business partners other than A and B.
  • View all the purchase orders (main authorization object) of the linked purchase office, including the purchase orders from business partners (secondary authorization object) other than A and B.
  • Modify all the purchase orders of the linked purchase office, including the purchase orders from business partners other than A and B.
  • However, when the employee tries to change the business partner of the order:
    • The employee can only view the master data of business partners A and B.
    • The employee can only change the business partner to business partner A or B.
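
The decision rules of this example, modelled as an added Python example (not product code). The class, field and office names are assumptions and the order data is constructed. The last function lists the orders a role can still modify or approve although their business partner is outside its use list, which is the point to check when reviewing how far a role reaches.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PurchaseOrder:
    number: str
    purchase_office: str    # attribute that scopes the primary authorization object
    business_partner: str   # secondary authorization object


@dataclass
class Role:
    # Hypothetical role layout; field names are assumptions, not product settings.
    modify_offices: set = field(default_factory=set)  # primary: modify permission
    use_partners: set = field(default_factory=set)    # secondary: use permission

    def can_maintain(self, order):
        """View, modify, approve or release: decided by the primary object only."""
        return order.purchase_office in self.modify_offices

    def can_create(self, office, partner):
        """Creating needs the primary range and a usable secondary object."""
        return office in self.modify_offices and partner in self.use_partners

    def can_change_partner(self, order, new_partner):
        """Changing the partner re-checks the secondary object being assigned."""
        return self.can_maintain(order) and new_partner in self.use_partners

    def can_view_partner_master_data(self, partner):
        return partner in self.use_partners


def maintainable_outside_use_list(role, orders):
    """Orders the role can modify or approve whose partner it may not use."""
    return [o.number for o in orders
            if role.can_maintain(o) and o.business_partner not in role.use_partners]


# Constructed sample data mirroring the example above.
BUYER = Role(modify_offices={"OFFICE-1"}, use_partners={"A", "B"})
ORDERS = [
    PurchaseOrder("PO-001", "OFFICE-1", "A"),
    PurchaseOrder("PO-002", "OFFICE-1", "C"),  # partner outside the use list
    PurchaseOrder("PO-003", "OFFICE-2", "A"),  # office outside the modify range
]

if __name__ == "__main__":
    print(maintainable_outside_use_list(BUYER, ORDERS))
```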