Maintain Organisational Unit User Restrictions - SECF0032

Purpose

To record the organisational units for which a user may access related data.

Subsystem

Security

Structure

Two Blocks

Person

Organisational Unit Restriction

Image

 

 

Person

Explanation

This form is accessed from the Maintain System Users form (SECF0021). It is used to limit an individual user's data access to data related to specific organisational units. The Person block displays previously recorded user details. Query functions cannot be performed in this block.

Refer to Security Restrictions and Access to Data for important information.

 

Organisational Unit Restriction

Explanation

The ability of a user to access data is initially determined by the security role(s) granted to the user. That access can then be further refined by the use of security restrictions.

Organisational unit restrictions reduce the set of data to which a user has access in the following ways:

  • no organisational units recorded in this form for a user - user has access to organisational unit related data as specified by their security role(s).
  • organisational units recorded in this form, and for each organisational unit record:
    • no checkboxes set - user has access to organisational unit related data as specified by their security role(s) but is limited to inquiry only for the recorded organisational units.
    • Restricted Select checkbox set and:
      • Update, Insert and Delete checkboxes not set - user has inquiry access only to data related to the recorded organisational units provided that their security role(s) permit such access.
      • Update, Insert and/or Delete checkboxes set - user has inquiry access only to data related to the recorded organisational units plus update, insert and delete privileges for those organisational units with the relevant checkboxes selected, provided that their security role(s) permit such access.
    • Restricted Select checkbox not set and Update/Insert and/or Delete checkboxes set - user has access to organisational unit related data as specified by their security role(s), but is restricted to update, insert and/or delete actions as indicated for each of the recorded organisational units. Note that the record cannot be saved with all three checkboxes set as this would result in no restriction of access.

Users granted access to an organisational unit which is the parent of other organisational units automatically have access to the child (and grandchild etc.) organisational units. If a child organisational unit is also specified as a restriction, this restriction overrides the parent organisational unit inheritance. For example, if restricted select access for a faculty is recorded for a user, the user also inherits restricted select access for any schools recorded as children of the faculty. If one of the schools is also recorded, but with update, insert and delete access specified, the user has restricted select access to the faculty and all schools recorded as children of the faculty, but can update, insert and delete records for that school.

Some institutions are structured such that user data access might be restricted to specific groups of organisational units. To facilitate this, a group of organisational units can be placed under a dummy parent organisational unit by:

  • creating a new organisational unit member type (in ORGF0112). A member type such as COMM-OU (an umbrella organisational unit covering organisational units delivering courses for commercial clients) or GROUP-OU identifies dummy organisational units as such.
  • creating an organisational unit of this member type.
  • making the dummy organisational unit the parent of each of the group member organisational units.

The dummy organisational unit can then be granted to users as an organisational unit restriction, with users automatically inheriting data access for the group members.

Additional information about the operation of user restrictions, and in particular 'certification' of functions for their use, is contained in Security Restrictions and Access to Data.

Example

A user may be granted a role that provides unlimited access to organisational unit related data. If they have no entries under organisational unit restriction, they will still have unlimited access to organisational unit related data.

If the same user is then granted the organisational unit 0106 - School of Economics (an org. unit with no child org. units) as an organisational unit restriction, their ability to change data associated with this organisational unit will be limited to the functions specified by the Update, Insert and Delete checkboxes. The user's access and ability to change data for other organisational units will be unaffected. If the Restricted Select checkbox is selected for 0106 (and this is the only organisational unit recorded in this form), the user will not be able to inquire on any other organisational units except in those forms where org unit security has been specifically overridden.

 

To create an organisational unit restriction for a user using the Maintain Organisational Unit User Restrictions form:

  1. Ensure that the correct user record is displayed in the Person block.
  2. Select the organisational unit for which the user will have restricted access from the list of values in the Organisational Unit field.
  3. Select the Update, Insert and/or Delete checkbox(es) as appropriate.
  4. Select the Restricted Select checkbox if inquiry access is to be restricted to the organisational units recorded here.
  5. Save.

Rules:

  • Restrictions only apply to users with a security role which has the appropriate restriction object registered against it.
  • Selecting an Update, Insert or Delete checkbox enables a user to perform that function for the organisational unit. Deselecting a checkbox will stop a user from being able to perform the function.
  • Selecting a Restricted Select checkbox for any organisational unit restriction record causes the Restricted Select checkboxes for all records to be selected. Inquiry access is then restricted to the organisational units recorded here.
  • Adding restrictions to a user reduces the access inherited from their security role(s). Access cannot be increased beyond that specified by their security role(s). For example, if the role prevents deletion, setting the delete indicator in this form will not allow the user to delete.
  • A record cannot have all three of Update, Insert, Delete, checkboxes set without having Restricted Select set, as this constitutes no restriction of access.

To remove an organisational unit restriction from a user using the Maintain Organisational Unit User Restrictions form:

  1. Ensure that the correct user record is displayed in the Person block.
  2. Select the organisational unit to be deleted.
  3. Delete record.
  4. Save.

 

To modify an organisational unit restriction for a user using the Maintain Organisational Unit User Restrictions form:

 

Rules:

  • The Organisational Unit field is protected against update. To change an incorrect organisational unit, the incorrect organisational unit must be deleted and a new record inserted.

 

Last Modified on 11 March 2002