The security model implemented in WMS incorporates the use of privileges, groups, and users. There is a set of system privileges that can be assigned to groups of users or users. Each user is allowed to log in to their division with the privileges that are individually assigned to the user. In addition, each user that has been assigned to a group will have the same privileges that have been assigned to the group. The privileged-based security model allows the client to develop security around staff roles and responsibilities, including control over the company and division settings. All actions taken within Security Manager are logged to the WMS event log. Users can only log in to a company if they are assigned to at least one division.
The highest level of privileges is the main menu category or module (Desktop, Setup, Purchasing, Scheduling, Tools, etc.). If a user/group is assigned the privilege at the main menu/module level, the user/group has full rights to all menu options, all screens, and all tasks within that menu/module. The example shown below is at the Setup level. By placing a checkmark in the Setup checkbox, all options within the Setup menu are automatically checked as well.
The second level of privileges is by menu/module option, which often is the equivalent of an application screen. Using Setup as an example, the second level of privileges would be Area Setup, Job Setup, Supplier Setup, Trade Setup,User Setup, etc. If a user/group is assigned the privilege at the main menu option/screen level, the user/group has full rights to all tabs and all tasks within that menu option/screen. The example below is at the Area Setup level. By placing a checkmark in the Area Setup checkbox, all tasks within the Area Setup option are automatically checked as well.
The third level of privileges is by task. Using Area Setup as an example, the third level of privileges would be Access to Area Setup (make changes to existing areas), Create Areas, or Delete Areas. If a user/group is assigned the privilege at the task level, the user/group has rights only to the specific tasks assigned. The example below is at the Access to Area Setup level, which only allows the user/group to make changes to existing areas. The user/group is not allowed to create new areas or delete existing areas.
The Security Management tool allows the client to manage groups by assigning specific users, privileges, and reports to each group. Groups are an efficient and organized method of managing multiple roles without having to assign privileges and reports separately to each individual user.
A User may be added to one or more groups. The user will inherit all privileges and reports that have been assigned to the group(s) at the time the user is added. By simply changing privileges for a group, all of the users assigned to the group will inherit those changes automatically.
One or more privileges can be assigned to a group, which automatically assigns the privileges to all members of the group. If a user is assigned to one or more groups, but also needs additional specific individual privileges, the client can assign the individual privilege(s) directly to the user. This is also beneficial if it is necessary to give a specific privilege to a user temporarily and revoke it later.
Reports are organized by module (Purchasing, Scheduling, Sales Pricing). The reports within one or more modules, or one or more individual reports may be assigned to a group. To isolate which reports each group's users will be able to access, specifically assign the group only to the reports the group's users will be working with. Assigning a specific report or a specific module's reports to a group will allow the group to see the report(s) in the reports menu, preview the report(s), and print the report(s). If a user is assigned to one or more groups, but also needs access to additional specific individual reports, the client can assign the individual report(s) directly to the user.
One or more divisions can be assigned to a group, which automatically assigns the privileges to all members of the group. Alternatively, one or more divisions can be assigned to individuals of a group. To isolate the divisions that each group's users will access, assign the group only to the specific division(s) so its users will not have the ability to make changes within another division. Only privileged divisions will be available in the Divisions toolbar, and the remaining unassigned divisions will not be available. In the example below, the group and all of its members have access to all available divisions for the company.
Variance categories are organized by division, and originate from the Accounting Database assigned to each division. For more information on setting up variance categories, see Set Up Job Cost Category Types. One or more variance categories can be assigned to a group, which automatically assigns the privileges to use the variance category to all members of the group. Alternatively, one or more variance categories can be assigned to individuals of a group. To isolate the variance categories that each group's users will access, assign the group only to the specific variance categories authorized for that group. Only privileged variance categories will be available in the purchasing work-flow where a variance category is required, and the remaining unassigned variance categories will not be available. In the example below, the group and all of its members have access to all available variance categories for the division.
When checking to see if a user has access to specific privileges or reports, the system checks the rights in the following order:
First, checks to see if the user is part of a group, and if so, then checks to see if the group is assigned the privilege.
Second, checks to see if the user is assigned the privilege.