Multi-Organization Access Rights

Roles and Privileges Settings

Manage Roles and Privileges

The first step is to define company-specific roles and privileges. A user who is to create these data needs some basic permissions, because the corresponding selections in the menu Manager>Permissions>Role Model are protected by the following privileges, which have been added in Agile e6.

Menu Selection                                 Required Privilege    Function
Privileges (EDB-ROL-OPEN)                      EDB-ROL-PRV-OPN       Open the privilege form to create/manage privileges
Free available privileges (EDB-ROL-FREE-TASK)  EDB-ROL-PRV-FRE-OPN   Check privileges which are not assigned to any role and are thus freely available to every user
Roles (EDB-ROL-OPEN-ROLE)                      EDB-ROL-OPN           Open the role form to create/manage roles
Job-Functions (EDB-ROL-OPEN-POS)               EDB-ROL-JOB-OPN       Open the job-function form to grant users a specific role
Privileges checked in Forms (EDB-ROL-MAS-TSK)  EDB-ROL-MAS-PRV-OPN   Open the list "Privileges checked in Form" to define which privileges are required for the standard operations (query, insert, copy, update, delete) in certain lists and forms

The new standard role EDB-ROLE-MNG (Role Manager) holds these privileges and can thus manage roles, privileges, job functions, etc.

In a company, the user who is granted this role is typically a person with a broad understanding of the business processes in the organization, possibly someone working at the management level or, alternatively, the system administrator.


Staffing an Organization

Once PDW has been activated, permissions are defined in a decentralized manner: the managers of an organizational unit staff their organization by assigning roles to its staff members (job functions). This is done in the sub-list EDB-ORG-POS-CLI-C of the company/department form. Unlike the standard Job Function form, the Staff Members sub-list (a constraint list over the job functions) is available to all users, so it must be ensured that unprivileged users cannot change its content; otherwise, in the worst case, an ordinary user could grant himself/herself the role "Organization Manager". To prevent this, individual privileges are provided:

Function                                            Operation                                Required Privilege
Create/copy an organization staff member            "I" and "C" in list EDB-ORG-POS-CLI-C    EDB-POS-INS
Update an organization staff member                 "U" in list EDB-ORG-POS-CLI-C            EDB-POS-UPD
(Temporarily) delete an organization staff member   "T" in list EDB-ORG-POS-CLI-C            EDB-POS-DEL

The new standard role EDB-ORG-MNG (Organization Manager) holds these privileges and can thus create, update and delete job functions (team members) in this sub-list. To enable the Organization Manager to edit jobs and roles, the access flag of the selection EDB-BAS-SETUP-ADM in the EDB-SETUP menu must be changed from "p" to "a". An organization manager can then staff an organizational unit by assigning or removing staff members, and can even define managers for subordinate organizational units, who then staff those subordinate units themselves. Organization managers are normal users; they do not need to be DataView managers.

While these privileges ensure that only organization managers (users holding the role EDB-ORG-MNG) define staff members, such users must additionally be limited to changing the staff members of the organizations to which they are specifically assigned as organization manager; without that limit, the manager of one unit could staff every other unit in the system. For this reason, all of the privileges listed above must additionally be restricted by a rule. This rule checks whether the user who is trying to insert, copy, update or delete a staff member really is the organization manager of the current organizational unit or of one of its higher-level organizational units.

The new standard role EDB-ORGANIZATION-MNG (Organization Manager) also has access to the following existing privileges, which enable him/her to create subordinate organizational hierarchies:

Function                             Operation                        Required Privilege
Create (subordinate) organization    "I" in entity EDB-ORGANIZATION   EDB-ORG-CRE
Copy organization                    "C" in entity EDB-ORGANIZATION   EDB-ORG-CPY
Update organization                  "U" in entity EDB-ORGANIZATION   EDB-ORG-UPD
(Temporarily) delete organization    "T" in entity EDB-ORGANIZATION   EDB-ORG-DEL


Create a top-level Organizational Unit

While PDW allows decentralized management of organization-specific permissions, one task must be performed by a DataView manager: creating a top-level organizational unit and assigning its organization manager.

Top-level organizational units should be created by DataView managers because PDW is not active for these users. A new top-level organizational unit does not refer to any other organization; if an ordinary user created a top-level organizational unit, it would automatically be related to the currently active organization, which is most likely not intended.
To create a top-level organization the privilege EDB-ORG-CRE is required. This privilege is included in the role EDB-ORGANIZATION-MNG (Organization Manager), which is granted to the DataView manager.
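The two checks described on this page, the staffing rule from "Staffing an Organization" (an organization manager may only insert, update or delete staff members of the unit he/she manages or of one of its higher-level units) and the top-level restriction from this section (an ordinary user's new organization is always attached to the active organization), as one added example. This is an illustrative Python model, not Agile e6 code or its rule language. Only the role and privilege names quoted from the page (EDB-ORG-MNG, EDB-ORG-CRE, EDB-POS-INS/UPD/DEL, EDB-ORG-POS-CLI-C) are real; the classes, function names, the is_dataview_manager flag, the ENGINEER role and the user and organization names in the scenario are assumptions made for the example.

```python
# Added example (not Agile e6 code): a model of the PDW staffing checks above.
# Organizations form a tree; a unit's staff list models the sub-list
# EDB-ORG-POS-CLI-C as (user name, role) pairs. Only the role and privilege
# names quoted from the page are real; every other name is an assumption.
from dataclasses import dataclass, field
from typing import Optional

ORG_MANAGER_ROLE = "EDB-ORG-MNG"  # Organization Manager role (from the page)
ENGINEER_ROLE = "ENGINEER"         # assumed ordinary role, for the demo only


@dataclass
class Organization:
    name: str
    parent: Optional["Organization"] = None
    staff: list = field(default_factory=list)  # [(user_name, role), ...]

    def self_and_ancestors(self):
        """Walk from this unit up to the top-level unit (parent is None)."""
        org = self
        while org is not None:
            yield org
            org = org.parent


@dataclass
class User:
    name: str
    is_dataview_manager: bool = False  # PDW is not active for DataView managers
    active_org: Optional[Organization] = None


class PermissionDenied(Exception):
    pass


def is_org_manager(user, org):
    return (user.name, ORG_MANAGER_ROLE) in org.staff


def may_modify_staff(actor, org):
    """The rule attached to EDB-POS-INS/UPD/DEL: the acting user must be the
    Organization Manager of this unit or of one of its higher-level units."""
    if actor.is_dataview_manager:
        return True
    return any(is_org_manager(actor, o) for o in org.self_and_ancestors())


def add_staff_member(actor, org, user_name, role):
    """'I' in EDB-ORG-POS-CLI-C; the same check stops a user granting
    himself/herself ORG_MANAGER_ROLE."""
    if not may_modify_staff(actor, org):
        raise PermissionDenied(f"{actor.name} may not staff {org.name}")
    org.staff.append((user_name, role))


def remove_staff_member(actor, org, user_name, role):
    """'T' in EDB-ORG-POS-CLI-C."""
    if not may_modify_staff(actor, org):
        raise PermissionDenied(f"{actor.name} may not staff {org.name}")
    org.staff.remove((user_name, role))


def create_organization(actor, name, parent=None):
    """EDB-ORG-CRE. For an ordinary user the new unit is always attached to the
    active organization, so only a DataView manager can create a top-level
    unit. Assumption: the ordinary user must manage the active organization."""
    if not actor.is_dataview_manager:
        if actor.active_org is None:
            raise PermissionDenied(f"{actor.name} has no active organization")
        parent = actor.active_org
        if not may_modify_staff(actor, parent):
            raise PermissionDenied(f"{actor.name} may not create units under {parent.name}")
    return Organization(name, parent)


def denied(fn, *args):
    """True if the operation raised PermissionDenied."""
    try:
        fn(*args)
        return False
    except PermissionDenied:
        return True


def demo():
    """Constructed scenario; returns the outcomes so they can be checked."""
    admin = User("dv-admin", is_dataview_manager=True)
    acme = create_organization(admin, "ACME")                   # top-level unit
    add_staff_member(admin, acme, "alice", ORG_MANAGER_ROLE)    # the one central step
    alice = User("alice", active_org=acme)
    eng = create_organization(alice, "Engineering")            # subordinate unit
    add_staff_member(alice, eng, "bob", ORG_MANAGER_ROLE)       # manager of a sub-unit
    bob = User("bob", active_org=eng)
    add_staff_member(bob, eng, "carol", ENGINEER_ROLE)
    add_staff_member(alice, eng, "dave", ENGINEER_ROLE)         # alice manages the parent
    mallory = User("mallory", active_org=eng)                   # holds no role anywhere
    shadow = create_organization(bob, "Shadow")                 # lands under Engineering
    return {
        "acme_is_top_level": acme.parent is None,
        "eng_parent": eng.parent.name,
        "shadow_parent": shadow.parent.name,
        "eng_staff_count": len(eng.staff),
        "bob_self_escalation_denied": denied(add_staff_member, bob, acme, "bob", ORG_MANAGER_ROLE),
        "mallory_self_grant_denied": denied(add_staff_member, mallory, eng, "mallory", ORG_MANAGER_ROLE),
        "bob_cannot_remove_alice": denied(remove_staff_member, bob, acme, "alice", ORG_MANAGER_ROLE),
    }
```

The scenario in demo() reproduces the page's threat: bob manages Engineering, so he can staff it, but his attempt to insert himself as EDB-ORG-MNG on ACME, and mallory's attempt to grant herself the role on Engineering, both fail the ancestor check in may_modify_staff(). It also shows why the DataView manager has to create ACME: when bob, an ordinary user, creates "Shadow", it is attached to his active organization rather than becoming a top-level unit.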