Authorization by roles - Setup per role and function

To set up authorization by roles in 'Function. Connect Authorization by Role' (SES400), define the functions that a role is permitted to use in different companies and divisions.

The authorization by roles set up enables control of authorization by roles for all options (option 1 - 99) and for all function keys.

A role can have different authorizations by roles in different companies and divisions. For example, the role SALESCLERK can have different authorities by roles in company 100 and 200, or different authorization by roles in division AAA and BBB within the same company.

Authorization by roles - Direct

Authorization by roles can be applied directly to programs with panels for user interactions. This only applies if the function only exists in (MNS110).

When authorization by roles are applied directly to programs that inherit authorization by roles, the direct setup overrides the inheritance.

Authorization by roles - Inheritance

If you want a user or a user group to be restricted to a specific program (not in the menu), you have to specify a connection between a function and this program in (MNS112) and activate the restriction in 'Function. Connect Authorization by Role' (SES400).

Consider this scenario as an example: In (MNS112), the (MMS121) program is connected to the (MMS120) function. In 'Function. Connect Authority by Role' (SES400), a user or user group is restricted to enter the (MMS120) function. As a result, the user cannot enter MMS120 from the menu, and consequently not (MMS121). The user cannot enter (MMS121) from (OIS101). The user cannot enter (MMS121) from (MMS101). The user cannot enter (MMS120) and (MMS121) at all. In conclusion, it does not matter if (MMS121) is connected to (MMS120) or (OIS300) or (MMS100) function or to another function. The user will be denied access to (MMS121) regardless of where (MMS121) is started from.

Note: The program will always receive the same restrictions as the function if the program has a connection to a function in (MNS112). If there are different restrictions for the program and for the function, delete the connection in (MNS112) before setting up the restrictions in 'Function. Connect Authority by Role' (SES400) for both the function and the program. For example, if 2='Change' is permitted in (MMS120) but only permits 5='View' in (MMS121), delete this record in (MNS112) before making these settings in 'Function. Connect Authority by Role' (SES400).

Authorization by roles - Least restrictive principle

The least restrictive principle applies if a user is connected to several roles with different authorizations by roles for a certain function.