Multi-Organization Access Rights

Introduction

  The Multi-Organization Access Rights module is an extension of the Agile e6 role concept. It enables organization-oriented management and control of access rights for documents or items, especially in the extended enterprise.
Multi-organization environments can be found in companies that need to manage several organizational units (departments, business units etc.). In a multi-organization environment, objects such as items and documents are managed/owned by organizational units. The members of an organizational unit (users) are explicitly granted access to the objects assigned to the organizational unit. However, objects of other organizational units may be used in special cases, too.
 
  In the Multi-Organization Access Rights module, users are assigned to organizational units via job functions, a standard entity in the role concept. While every user can play different roles in one or more organizations, a mechanism is provided to activate a single organization in the current session. Based on the currently active organization, the user's view on the whole data set is limited to a subset with data relevant for this organization. Certain objects are filtered out depending on the object structure and the view a user has on the organization. Objects are items, documents and folders.

The following diagram depicts how the main elements in the Multi-Organization Access Rights module are connected to each other:


Access Rights

Users are associated with an organizational unit via a job function. Because a role must be assigned to every job function, users can have different access rights within an organizational unit, depending on the individual privileges defined for a role.

"Granting Access" in the context of the Multi-Organization Access Rights module means controlling the visibility of objects. Based on the organizational unit at hand, organization-driven working limits the user's view on the whole data set to a subset with data relevant for the organizational unit.
The individual type of access (write, delete, read) is not defined in the Multi-Organization Access Rights module, but through the standard access rights for the corresponding record or through the privileges associated with the corresponding functions.


The following diagram of a more complex multi-organization environment depicts the visibility of documents/items for different users:

Since the HR Manager stands at the top of the organizational structure, he/she is granted access to all documents assigned to the organizational units and their subordinate organizational units.

The NA Marketing Specialist is a member of the organizational unit NA Marketing and is therefore granted access to documents that are managed/owned by this organizational unit, which makes the documents D4 and D5 visible.

The Sales Director is a member of the organizational unit Sales and is therefore granted access to documents that are owned by the organizational unit Sales. The Sales Director can view the documents D1, D2 and D3 as well as the subordinate documents D6, D7, D8 and D9.


  The view on the data set can vary due to a number of actions that may influence the number of displayed records:
  • extension of item structure
  • deleted item structure links
  • deleted organizational structure links
  • allocation of new organizational units
  • assignment of user/object to another organizational unit
  • change of organizational structure
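
The visibility rules above, including the effect of a deleted organizational structure link, can be reproduced with the following Python model. It is an added example, not part of the original page or of Agile e6. The units Company, Marketing, Sales East and Sales West, the owners of D6 to D9, the user "contractor" and all function names are assumptions; the model covers the organizational structure only and assumes that deleting a link detaches the unit below it.

```python
# Constructed model of organization-driven visibility; not Agile e6 code.
# Units other than Sales and NA Marketing, the owners of D6-D9 and the
# user "contractor" are assumptions made for this example.
ORG_PARENT = {  # organizational structure links: unit -> parent unit
    "Company": None, "Sales": "Company", "Marketing": "Company",
    "Sales East": "Sales", "Sales West": "Sales", "NA Marketing": "Marketing",
}
DOC_OWNER = {  # document -> owning organizational unit
    "D1": "Sales", "D2": "Sales", "D3": "Sales",
    "D4": "NA Marketing", "D5": "NA Marketing",
    "D6": "Sales East", "D7": "Sales East",
    "D8": "Sales West", "D9": "Sales West",
}
JOB_FUNCTIONS = {  # user -> {organizational unit: role}, one entry per job function
    "hr_manager": {"Company": "manager"},
    "na_marketing_specialist": {"NA Marketing": "specialist"},
    "sales_director": {"Sales": "director"},
    "contractor": {"Sales East": "reader", "NA Marketing": "reader"},
}

def subtree(unit, org_parent):
    """Return the unit plus every unit subordinate to it."""
    units, changed = {unit}, True
    while changed:
        changed = False
        for child, parent in org_parent.items():
            if parent in units and child not in units:
                units.add(child)
                changed = True
    return units

def visible_docs(user, active_unit, org_parent=ORG_PARENT):
    """Documents visible in a session whose active organization is active_unit."""
    if active_unit not in JOB_FUNCTIONS.get(user, {}):
        raise PermissionError(f"{user} has no job function in {active_unit}")
    scope = subtree(active_unit, org_parent)
    return sorted(doc for doc, owner in DOC_OWNER.items() if owner in scope)

def without_link(child, org_parent=ORG_PARENT):
    """Copy of the structure with the link from child to its parent deleted."""
    pruned = dict(org_parent)
    pruned[child] = None
    return pruned

if __name__ == "__main__":
    print(visible_docs("sales_director", "Sales"))
    print(visible_docs("sales_director", "Sales", without_link("Sales West")))
    print(visible_docs("contractor", "Sales East"))
    print(visible_docs("contractor", "NA Marketing"))
```

The role stored with each job function is deliberately unused here: it stands for the type of access (write, delete, read), which the module leaves to the standard access rights and privileges.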