Field Access Security

Field security allows you to control user access to a much finer degree than function security.

Field level security uses field groups to control access to individual fields. A field group has two attributes: a description and a default public access level. Fields are attached to a field group. Users are then attached to the field group with an individual access level. Users view the fields 'through' the field group with either the public level of access or their individual level of access. Field groups are always required, even if you are securing only one field. (There is an alternative way of defining access level for fields in some programs which contain many fields. The purpose is then only to simplify the workflow, not to adjust any security settings.)

A field group has a default access level defined in 'Field Group. Open' (SES100).

You can attach individual users or user groups to determine different access levels for the field group in 'Field Group. Connect Authority' (SES010). However, all users outside these attached individuals and groups are still governed by the field groups default access level.

Field level security enables you to restrict users from displaying or changing specific fields in specific display panels. The valid alternatives are:

0 = The field is not displayed.

1 = The field is displayed, but its contents cannot be changed.

2 = The field is displayed and its contents can be changed.

Note: Field security control 3 = the field is mandatory to enter, exists in some programs; for example, 'Req/Distr Order type. Open' (CRS201). This is not a part of the field-level security concept and is not discussed here.

Field level security based on Company/Division

Field groups exist at company level. This allows you to have distinct security policies in different companies. However, you cannot have separate field groups existing at division level. Even if the group was created by a user working at division level, it is considered to belong to the company, not the division. Since field groups have a default public access level, as soon as a field group is created, we automatically have a company-wide default access level in field-level security. This is quite unlike function-level security.

A significant difference between field-level security and function-level security occurs when working at division level. In field-level security, company entries are considered in addition to divisional entries in all cases. Contrast this with function-level security, where the company entries are considered only if there are no divisional entries. In function-level authority, an absence of divisional security implies the division is adhering to company policy; whereas if there were entries at division level, it means the division has established its own security policy, and would never refer to company security; the link to company was broken.

M3 Business Engine checks the field level security by first searching for security settings at division level. If no settings are found there, the search continues at company level.

The steps involved in field-level security

There are four steps required to set up field-level security:

  1. Preparing for field-level security

  2. Defining a field group

  3. Attaching fields to a field group

  4. Attaching users to a field group

In the first step you need to establish two things:

  • The identity of the field as it appears in the database and the identity of the reference field.
  • The field is possible to secure.

This preparatory step is necessary because field-level security is not available for all fields in the M3 Business Engine panels.

Follow these steps

Define whether the field can be secured

  1. Verify that it is possible to secure the field.

  2. Note the field name, the program ID and the panel ID as they appear in the database.

  3. Start 'Field. Display per Program' (SES200), to review the list of fields.

    The B panel lists all fields, panels, field groups and reference fields by program.

  4. Select a suitable sorting order to find the fields to secure.

  5. Select Display for a field to check on the E panel whether it can be secured.

    Note: Do not select the Change option for the field in (SES200/B) to define field security unless absolutely necessary; see below. The purpose of (SES200) is only to display available fields and to which extent they can be secured. The only exception is when you really need to restrict access to a specific field

    The 'Ind - Protect' ('Indicator for protection', PR) and the 'Ind Non-display' ('Indicator for non-display', ND) fields determine whether the field can be secured. If any values are displayed in the 'Indicator - Protect' fields, the field can be protected (access level 1=displayed but not editable). If any values are displayed in the 'Ind Non-display' fields, you are able to hide the field on the panels in the specific program (access level 0= Not displayed). If there are no values for these fields in (SES200/E), the field cannot be secured.

Define a field group

  1. Start 'Field Group. Open' (SES100).

  2. Enter an ID for the field group in the 'Field group' field. Click Create.

  3. On the E panel displayed, enter a description of the field group in the 'Name' field.

  4. Select one of the access levels below in the 'Field selection' field. Press Enter.

    • 0 = Do not display field heading or content.
    • 1 = Display field (heading and content) but changes cannot be made.
    • 2 = Display field (heading and content) and contents can be changed.

Connect fields to a field group

  1. Start 'Field Group. Connect Fields' (SES102). Can also be started by option 11 in (SES100/B).

    The program can also be reached by selecting related option 11 = 'Fields/field group' for the field group in 'Field Group. Open' (SES100/B).

  2. Select the field group and enter the ID of the field to add to the field group. Click Create.

    Note: If you enter the "real" field ID, the security restrictions will only apply to this specific field in the the current program and its panels. If you enter the ID of the reference field instead, the security restrictions will apply to all fields connected to this reference field, not only in the current program.

    As soon as a field is connected to a field group, the field group determines the security settings for the field. Users have the default public access level of their user group until they are connected to the field group.

  3. Add the selected or required groups to the field. Press Enter.

  4. In (SES100/B), select related option 21 = 'Where used' to display in which programs and on which panels the field group and its connected fields appear.

Connect users to field group

  1. Start 'Field Group. Connect Authority' (SES010).

  2. Select a 'blank' division if the field level security for the user should apply throughout the entire company; otherwise select a specific division. Then select a field group and a user or user group. Click Create.

  3. On the E panel, select the field access level in the 'Field selection' field. Press Enter.

Add or modify field level security manually for existing fields in (SES200)

Note: To secure a field in a program that is listed in 'Field. Display per Program' (SES200) but lacks values in the indicator fields ('Ind - Protect' and 'Ind - Non-display'), you need to request this as an enhancement to the program.

  1. Go to panel (SES200/E).

  2. Enter the appropriate indicators, two previously not entered, in the 'Ind - Protect' and the 'Ind - Non-display' fields.

    All field selection indicators (1–40) are available. Normally, indicators 1–20 are reserved for 'Ind - Protect' and indicators 21–40 for 'Ind - Non-display'. It is possible to secure up to 20 fields per panel, but the same indicators can be used for several fields. Note that indicator 45 often is already entered, since it is being used for protection of fields when the Display option is used.

Related topics