This is the second video in a two-part series on Setting Up User Security in Acumatica ERP. In this video, we walk you through creating and testing the security components. If you are not familiar with the security concepts used in the Acumatica security setup, you are encouraged to go to the first video and watch it first. In this video, we will create a user, create a role, and learn how to test our security setup.
First, let’s create a user. On the User Security menu, we select Users. We enter a userID (JoeUser). An email address is a required field, so we enter one. Then we can save the user. As soon as we have created the user, because we have Administrator rights, we can click the Login As User button to test what, if any, access the user has, even though we have not enrolled him in any roles yet.
When we log in, we find JoeUser has access to a number of Financial Reports. This is an error in our security, because if JoeUser can access these reports and isn’t assigned to any role, that means that ALL users have access. The cause of this error is that every role has Not Set rights for these screens. We will fix the problem by adding the reports to the Administrator role.
We log back in with the admin user and go to the Access Rights by Role screen. We drill down to the GL Reports and see that the Financial Statements reports are Not Set. We assign Delete rights for the Administrator role.
Next, we are going to grant JoeUser access to all the companies using Company Access roles. In our example company, there are three companies. When you go to the Companies screen, in the Configuration Settings section, there is a field called Access Role. Each company has a role assigned. All users that are members of that role will have access to the data for that company.
We have already created a role for each company. These roles are all identical except the name is different – all of the rights are set to Not Set. Company Access roles should not grant any screen access. Now, we can go to JoeUser’s setup screen and add the company access roles for the three companies.
We are going to create a Screen Access role for JoeUser, who is the company’s purchasing manager. We will create a role named PURCHMGR. We want to provide full access to Joe to the Purchasing module, except we don’t want him to access the Purchasing Configuration screens.
First we go to the User Roles screen, create a role with a name and description. Then, we add JoeUser as a member of the role.
To build the rights for this new role, we go to the Access Rights by Role screen. We enter the name of the role we are defining. Then, we set the Distribution suite to Granted rights. Inside Distribution, we Grant access to the Purchasing module. We set Delete rights to all the screens in the Work Area and Processes sections. We set Granted rights for all the reports. Lastly, we set Revoked to all the screens in the Configuration section.
We log in as JoeUser and check that we have access to all of the Purchasing screens, but none of the configuration screens.
Access Rights by User provides us a view of the security for a particular user. When we are testing our security setup, if we discover that a user has access to a screen they shouldn’t have, it may be challenging to find where they are getting the access. Using Access Rights by User, we identify the user we want to review and drill down to the screen of concern. The screen shows us what rights are being calculated by the system, and you can see which roles provided which rights for that user by clicking the View Roles button. Remember, the most permissive right is the winner.
Access Rights by Screen provides a view of all the rights from all the roles for a particular screen. Looking at this screen and sorting the Access Right column will quickly show you which role is providing the access to the screen in question.
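The rules these two views rely on can be modelled in a short Python audit. This is an added example, not Acumatica code or part of the video; the role data, the screen names, and the ranking of access levels are constructed assumptions.

```python
# Simplified model of the rules described above (an assumption, not Acumatica code).
NOT_SET = "Not Set"
# Assumed ordering of access levels, least to most permissive.
RANK = {"Revoked": 0, "View Only": 1, "Edit": 2, "Insert": 3, "Delete": 4, "Granted": 4}

# Constructed sample data: role -> {screen: right}; a missing screen means Not Set.
ROLE_RIGHTS = {
    "Administrator": {"Purchase Orders": "Delete", "Purchasing Preferences": "Delete"},
    "PURCHMGR": {"Purchase Orders": "Delete", "Purchasing Preferences": "Revoked"},
    "COMPANY1": {},  # company access role: grants no screen rights
}
USER_ROLES = {"JoeUser": ["PURCHMGR", "COMPANY1"]}
SCREENS = ["Purchase Orders", "Purchasing Preferences", "Balance Sheet"]


def unprotected_screens(role_rights, screens):
    """Screens that are Not Set in every role, i.e. open to all users."""
    return [s for s in screens
            if all(rights.get(s, NOT_SET) == NOT_SET for rights in role_rights.values())]


def effective_right(user, screen, role_rights, user_roles):
    """Return (effective right, roles that provide it) for one user and screen."""
    if unprotected_screens(role_rights, [screen]):
        return (NOT_SET, [])  # no role sets it, so every user gets in
    explicit = {}
    for role in user_roles.get(user, []):
        right = role_rights.get(role, {}).get(screen, NOT_SET)
        if right != NOT_SET:
            explicit[role] = right
    if not explicit:
        return ("Revoked", [])  # set for some other role, none of this user's
    best = max(explicit.values(), key=RANK.__getitem__)
    winners = sorted(r for r, v in explicit.items() if RANK[v] == RANK[best])
    return (best, winners)  # the most permissive right wins


if __name__ == "__main__":
    print("Open to all users:", unprotected_screens(ROLE_RIGHTS, SCREENS))
    for screen in SCREENS:
        print(screen, "->", effective_right("JoeUser", screen, ROLE_RIGHTS, USER_ROLES))
```

Running the first function over a full export of role rights gives the list of screens that still need a right assigned to at least one role, which is the same gap we found by logging in as JoeUser.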
In this video we have discussed setting up access to screens. In an upcoming video, we will cover additional security setup topics.
· Acumatica ERP allows the configuration of each data element on the screen. So you could give a user Delete access rights to a screen, but remove the Release button. This means they could add, change, delete, save, take off hold – do everything to the transaction, except release it.
· Another example would be to give a user full Delete rights to the Stock Item screen where they can create and maintain inventory items but restrict their ability to change the Units of Measure that default from the Item Class.