Through this activity, you can view the access permissions set for all the users of a security group.
Data Level Security: Data level security governs the access permissions that different users should have to employee details, together with the restrictions and safeguards needed to prevent indiscriminate user access to, and manipulation or misuse of, sensitive employee information.
Through this activity, you can set access permissions for a user, allowing him/her to work with only the restricted set of employee details that is relevant. The access permissions to employee details are given to a user based on his/her user-role combination and not on an individual basis. Thus the same user can have different access permissions for his/her different login roles, business process chains etc.
Note that an organization can choose whether or not to use data level security permissions. You can set access permissions to employee details through this activity only if the organization has chosen to use data level security permissions.
User-Role Specific Access Permissions: Login-role-specific access permissions mean that, for a specific login role, a user should have access permissions to the employee details of only the required set of employees.
For a login user-role-business process chain combination, you can view the following details of the access permissions to employee details set for users associated with a security group:
The type of access permissions set, for example, read-only, full control etc.
The rule based on which access permissions have been set.
The employees, either reporting or all, for whom the permissions are given.
Level of span of control.
The employment unit.
Department, for example, Human Resources, Marketing etc.
Job code.
The job level range.
Grade set and grade codes.
Work location and business unit.
Specifying values for the details listed above serves two purposes: it channels access permissions to the targeted set of employees, and it prevents indiscriminate user access to sensitive employee information. For example, if you set the permissions for all employees who are reporting to the selected user for a specific login role-business process chain combination, the user will have access permissions to the employee details of only those reporting employees. Further, you can specify values for details such as the employment unit, department, and job level from and to, which narrows generic access permissions down to a more specific and exclusive target set of employees.
Access Permission Type and Level of Span of Control: The access permission type indicates whether the permissions given to the user cover only viewing the employee details or are full permissions to add, edit or delete the information as needed. For example, the same user may have read-only access permissions to all employees in a department for a specific login role and full permissions in the case of all reporting employees for another login role. The degree and type of access permissions are conditioned by the components deployed in the login organization unit and the activities mapped to the login role of the user.
Level of span of control indicates how far the access permissions set for the user should reach, for example, one level, two levels etc., down the administrative hierarchy in the organization.
The system also gives the flexibility to exclude access permissions to view, add or edit one’s own details, as well as to include or exclude one or more employees from the set of employees for whom permissions are set for the user. It is also possible to exclude a particular combination of employment unit, work location, department, job, position, grade set-grade, job level and business unit while granting access permissions to the user for other combinations of these entities.
Rule Based Access Permissions: The employee assignment set on which the user should have permissions could also be arrived at by defining a security rule. An example of a simple security rule could be:
“User named ‘Margaret’ for her login role as ‘Administrator’ for the Business Process chain ‘Leave’ has permissions on all employees with Job level greater than or equal to 5.”
This rule would give Margaret permissions to confirm leave (provided the application security has enabled ‘Confirm Leave’ as a left pane activity for the login role ‘Administrator’) for all leave applications raised by employees with a job level greater than or equal to 5, defined in all the Employee Information Component-Org. Units that interact with the Security Definition component.
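The scoping described above (user-role-business process chain key, reporting employees with a span of control, department filter, exclusions, and the job level rule) can be modelled as a default-deny lookup. This is an added example, not the product's own code: the `Grant` record, the function names, the second grant and the employee data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

EMPLOYEES = {  # constructed sample data: name -> (manager, department, job level)
    "margaret": (None, "HR", 9),
    "arun": ("margaret", "HR", 6),
    "bea": ("arun", "HR", 5),
    "carl": ("bea", "Marketing", 4),
    "dina": (None, "Marketing", 7),
}

@dataclass
class Grant:  # hypothetical shape of one permission record
    access: str                        # "read-only" or "full control"
    reporting_only: bool = False       # reporting employees vs. all employees
    span: Optional[int] = None         # levels down the hierarchy; None = no limit
    department: Optional[str] = None   # None = any department
    rule: Optional[Callable[[tuple], bool]] = None  # rule-based scope
    exclude_self: bool = True          # no access to one's own details
    exclude: set = field(default_factory=set)

GRANTS = {  # keyed by (user, login role, business process chain)
    # The rule quoted above: job level greater than or equal to 5.
    ("margaret", "Administrator", "Leave"): Grant("full control", rule=lambda e: e[2] >= 5),
    # Constructed: read-only on HR reports, two levels down, one employee excluded.
    ("margaret", "Manager", "Leave"): Grant(
        "read-only", reporting_only=True, span=2, department="HR", exclude={"arun"}),
}

def levels_below(user, emp):
    """Reporting levels between emp and user; None if emp is not under user."""
    depth = 0
    while emp not in (None, user) and depth < len(EMPLOYEES):  # bounded against cycles
        emp, depth = EMPLOYEES[emp][0], depth + 1
    return depth if emp == user else None

def access_for(user, role, bpc, emp):
    """Return the access type, or None (deny) when no grant covers emp."""
    grant = GRANTS.get((user, role, bpc))
    if (grant is None or emp not in EMPLOYEES or emp in grant.exclude
            or (emp == user and grant.exclude_self)):
        return None  # default deny, explicit exclusion, or own record
    if grant.reporting_only:
        depth = levels_below(user, emp)
        if not depth or (grant.span is not None and depth > grant.span):
            return None
    record = EMPLOYEES[emp]
    ok = grant.department in (None, record[1]) and (grant.rule is None or grant.rule(record))
    return grant.access if ok else None
```

The same user gets different results per login role: under ‘Administrator’ the boundary case (job level exactly 5) is in scope, while under the constructed ‘Manager’ grant an employee three levels down falls outside the span of control.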
Getting familiar with the pages inside
Go to page… | …to carry out task
View Security Group Permissions | Viewing the details of the permissions set to users of the group
Stored Procedure Details | Viewing the details of the rule based on which permissions were given to the group
View Users of the Group | Viewing the details of the users associated with the group