Function Security

Security at function level is ensured by making an association between a function and a user, and specifying whether or not the combination is allowed. User groups and function groups can be used to simplify the maintenance of the security. The security settings for a function are inherited by programs associated with that function in 'Function. Connect Program' (MNS112).

M3 Business Engine uses authorization by roles to manage security on a functional level. The program used for this is 'Function. Connect Authorization by Role' (SES400).

Security entries made at the company level

Security entries made at the company level (blank division) also apply to any division in that company which has no security entries of its own.

This results in fewer records in 'Authorization by User. Display' (SES401) (CMNPUS), especially for companies with many divisions and roles and many combinations of security settings. It also decreases the load on program SEMNGPER and auto job (SES900).

  • Relationship between company and division

    There is a referential link between company and division in M3 Business Engine Security. Security entries made at company level (blank division) will also apply to any division in that company which has no security entries of its own. This can be thought of as the divisions having no need for their own security, therefore adhering to company policy.

  • Restricting company and division

    Company and division are restricted with options 11='User permissions to Cmp/Div' and 21='Update User Access all Cmp/Div' in 'User. Open' (MNS150), as described in the earlier section Controlling Access to Companies and Divisions.

    Further, if any new companies or divisions are created with no restrictions, users can have access to them.

    Note:  If the new user was created using New, a responsibility is given for all companies and divisions.

    If the new user was created using Copy (copied from an existing user), only the responsibilities of the existing user are assigned to the new user.

Checking security

When a user requests a function, the authorization check program (CAUTCHK) searches the security entries specified in 'Authorization by User. Display' (SES401) for a matching combination of user and function, to assure full functional coverage.

M3 BE Security uses company-level entries if the requesting user is working at the division level and there are no security entries at division level. Remember the relationship between company and division.

If the search is unsuccessful, M3 Business Engine Security refers back to the authorization required setting in the function definition 'Function. Open' (MNS110). If this is 1, the request is denied; if this is 0, the request is permitted.
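
The lookup order described in this section, modelled as a short Python function. This is an added example, not M3 Business Engine code: the Entry record, check_access, the user names and the FN_ function names are hypothetical, and the sample entries are constructed. It assumes a division has "no security entries of its own" when no entry at all exists for that division.

```python
from typing import NamedTuple

class Entry(NamedTuple):
    company: int
    division: str   # "" = company-level entry (blank division)
    user: str
    function: str
    allowed: bool

def check_access(entries, auth_required, company, division, user, function):
    """Return (allowed, reason) using the lookup order described above."""
    own = [e for e in entries if e.company == company and e.division == division]
    scope, level = own, ("division" if division else "company")
    # Assumption: a division has "no entries of its own" when no entry at all
    # exists for it; only then do the company-level entries apply.
    if division and not own:
        scope = [e for e in entries if e.company == company and e.division == ""]
        level = "company"
    for e in scope:
        if e.user == user and e.function == function:
            return e.allowed, f"{level} entry"
    # Search unsuccessful: use the function's authorization required setting
    # (1 = deny, 0 = permit).
    required = auth_required[function]
    return required == 0, f"authorization required = {required}"

# Constructed sample data: company 100, division AAA has its own entries, BBB has none.
ENTRIES = [
    Entry(100, "", "ALICE", "FN_ORDERS", True),
    Entry(100, "", "BOB", "FN_ORDERS", False),
    Entry(100, "AAA", "BOB", "FN_ORDERS", True),
]
AUTH_REQUIRED = {"FN_ORDERS": 1, "FN_REPORTS": 0}  # hypothetical function names

if __name__ == "__main__":
    for div, user, fn in [("BBB", "ALICE", "FN_ORDERS"), ("AAA", "BOB", "FN_ORDERS"),
                          ("AAA", "ALICE", "FN_ORDERS"), ("BBB", "ALICE", "FN_REPORTS")]:
        print(div, user, fn, check_access(ENTRIES, AUTH_REQUIRED, 100, div, user, fn))
```

In the constructed data, ALICE's company-level grant does not carry into division AAA, because AAA has entries of its own; her request there falls through to the authorization required setting of the function.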

Security using authorization by roles

Authorization by roles is a method for controlling user access rights in M3 BE. The role-based authorization decides, for example, what programs the user is authorized to use or what features within a program the user is authorized to use.

The purpose of roles is to manage the authorization for a group of users with a common set of rights. In 'Roles. Open' (MNS405) you can define a set of authorizations in M3 Business Engine. By connecting a role to a user in 'Users. Open' (MNS410), you grant the user the set of authorizations that the role defines.

Role

Roles are used to manage authorization for large numbers of M3 users. Roles define a set of authorizations in M3 Business Engine.

By connecting a role to a user, you grant the set of authorizations that the role defines to the user.