User Master - Restriction
The User Master-Restriction is a table (md_user_domain_rls) in the User Management System (UMS). This table defines parameters that restrict a user's access to rows of data.
- The User Master-Restriction represents a row-level security policy by user that is applied consistently throughout PointForce iTopia regardless of what view is used or how the view is customized.
- The User Master-Restriction uses:
- Database names
- Domain names
- User entered criteria (Values).
- If you are setting up restrictions for Enterprise views, then you should always select the database named 'ibis'.
- What are Domains?
- How do I know which Domains are required for a restriction?
- When defining Restrictions, you can use the Column or Domain views to assist you in selecting the correct Domain(s) and view the tables that the restriction will affect. The Column and Domain views can be accessed by entering md_column or md_domain in the search field and clicking ‘Go’ or through the Metadata Administration menu.
- You can find Domains for specific fields (Client Specific Text) through the Column view and the Domain view by entering text in the Client Specific Text field of either view and initiating the search. When entering Client Specific Text you should consider using wild cards or several iterations of the same text (separating each input by a comma) as there may be variations that point to different Domains.
- The difference between using the Domain or Column view to search for Domains is that the Column view will display the tables that the Domains are associated with for the entered search value(s).
- For example, if you are restricting a user to a specific warehouse(s), you can enter 'whse','warehouse' in the Client Specific Text field of the Column view. When the search results are returned, any Client Specific Text that contains the entries is displayed. Using this method will further guarantee that you will capture all of the Domains required for the Restriction.
In the table below, the Domain name 'whse' points to different Client Specific Text that refers to a warehouse field within various tables; however, the Domains 'salwar' and 'saht' also point to Client Specific Text that refers to a warehouse field:
| Table Name | Column Name | Client Specific Text | Domain |
|---|---|---|---|
| obbh | whse | Warehouse | whse |
| icbu | whse | Whse | whse |
| icms | whse | Whse | salwar |
| saht | saht_1 | Whse | saht |
- When setting the Restrictions you need to create a record for each Domain so that the assigned user obtains the proper restrictions for the Columns across all tables/views.
- The 'Value' that you enter restricts the user to viewing only data that pertains to the value entered. Since we are using Warehouse as our example, you can enter a Warehouse code in the Value field and the user will be restricted to viewing data that pertains to only that Warehouse code.
- Example of a Restriction:
- The user 'janedoe' is set up to access views for the files obbh, icbu, icms and saht.
- Because these files are set up with 3 Domain names for Warehouse, we must set up 3 restrictions (one for each Domain).
- We only want 'janedoe' to be able to access Warehouse 10.
- To achieve this, the User Master-Restriction must be set up with the following 3 restrictions:
| | Restriction 1 | Restriction 2 | Restriction 3 |
|---|---|---|---|
| User | janedoe | janedoe | janedoe |
| Database | ibis | ibis | ibis |
| Domain | whse | salwar | saht |
| Value | 10 | 10 | 10 |
Mandatory Restriction: Even though you can add many restrictions to users, every user must have an ibis_client Domain restriction set up so that the user can only access data that pertains to your iTopia environment. Even though your site is secure, this is an extra layer of security.
- In order to restrict users to viewing data that pertains to only your iTopia environment for all views, you must enter a Domain Name of 'ibis_client' with the associated Value entered as {session.ibis_client}.
- This restriction relates back to the User Master-Attribute module. In the Attribute module, every user is assigned an Attribute Key that defines the client code that the user can access. The {session.ibis_client} Attribute Key is the one that defines the iTopia environment accessible for each user.
- When you assign {session.ibis_client} as the value for the 'ibis_client' domain, the system refers to the User Master-Attribute module for the user and identifies the Attribute Value that is associated with the {session.ibis_client} Attribute Key. The value indicates the client code that the user has access to, and this client is all that the user can gain access to in PointForce iTopia.
Tip: If your company has multiple companies in PointForce Enterprise and you want to restrict users to a specific company for all views, the Domain Name must be entered as 'compny' and the associated Value is {session.company}.
- This restriction relates back to the User Master-Attribute module. In the User Master-Attribute module, every user is assigned an Attribute Key that defines the companies that the user can access. The {session.company} Attribute Key is the one that defines the companies for each user.
- When you assign {session.company} as the value for the 'compny' domain, the system refers to the User Master-Attribute module for the user and identifies the Attribute Value that is associated with the {session.company} Attribute Key. The value indicates the company or companies that the user has access to and this company (or multiple companies) is all that this user can access in PointForce iTopia.
- When setting up this restriction, ensure that the Attribute Value associated with the Attribute Key {session.company} is NOT an asterisk (*).
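The coverage rules above (one restriction per Domain, the mandatory 'ibis_client' restriction, and no asterisk behind {session.company}) can be checked mechanically. The following is an added example, not PointForce code: the tuple layouts, function names and attribute dictionary are assumptions made for illustration, and the column rows are copied from the warehouse table on this page.

```python
# Added example. Record layouts are assumed, not the real md_column or
# md_user_domain_rls schema. Rows below are the warehouse table from this page.
COLUMNS = [  # (table, column, client specific text, domain)
    ("obbh", "whse", "Warehouse", "whse"),
    ("icbu", "whse", "Whse", "whse"),
    ("icms", "whse", "Whse", "salwar"),
    ("saht", "saht_1", "Whse", "saht"),
]

def required_domains(columns, tables, search_terms):
    """Domains behind every column whose Client Specific Text matches a term."""
    terms = [t.lower() for t in search_terms]
    return {domain for table, _col, text, domain in columns
            if table in tables and any(t in text.lower() for t in terms)}

def audit_user(user, tables, search_terms, restrictions, attributes,
               columns=COLUMNS, database="ibis"):
    """Return findings for one user's restrictions in the given database.

    restrictions: iterable of (user, database, domain, value) tuples.
    attributes:   the user's Attribute Key -> Attribute Value mapping.
    """
    mine = {dom: val for (u, db, dom, val) in restrictions
            if u == user and db == database}
    findings = []
    # Every Domain found by the text search needs its own restriction record.
    needed = required_domains(columns, tables, search_terms)
    for dom in sorted(needed - set(mine)):
        findings.append(f"missing restriction for domain '{dom}'")
    # Mandatory restriction described on this page.
    if mine.get("ibis_client") != "{session.ibis_client}":
        findings.append("'ibis_client' restriction absent or not {session.ibis_client}")
    # The company restriction must not resolve to an asterisk.
    if (mine.get("compny") == "{session.company}"
            and attributes.get("{session.company}") == "*"):
        findings.append("Attribute Value for {session.company} is '*'")
    return findings

if __name__ == "__main__":
    # Constructed input: janedoe has only the 'whse' restriction so far.
    rows = [("janedoe", "ibis", "whse", "10")]
    for line in audit_user("janedoe", {"obbh", "icbu", "icms", "saht"},
                           ["whse", "warehouse"], rows, {}):
        print(line)
```

Run against the constructed input, the check reports the 'saht' and 'salwar' Domains and the 'ibis_client' restriction as missing, which is the gap left when only the obvious 'whse' Domain is restricted.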
The following fields are available on the User Master-Restriction page and are based on the order in which they appear in the grid on the search page:
- User Name - displays the user's name.
- Database Name - displays the database name associated with the restriction.
- Domain Name - displays the domain name associated with the restriction.
- Value - displays the value associated with the restriction. You can double click on this field and edit the value directly on this page. Simply click the check mark to have the edit accepted or click on the 'x' to have the request cancelled.
For information on the functionality of each button on the User Master-Restriction Search Criteria Results/Grid page, click here.
When you click on the View Record Details icon for a specific record on the User Master-Restriction Search/Criteria Grid page, the User Master-Restriction Detail page opens for that record.
The following information displays on the detail page of the User Master-Restriction:
- In the General (header) section:
- Value - enter a value that restricts the user to viewing only the data that pertains to this value. If you are viewing an existing restriction, this field displays the value entered for the current restriction.
- You can edit this field. When the changes are complete, click Save or Submit to record the update.
- In the User and Date Stamps section:
- Created On - displays the date and time at which the current restriction was created.
- Created By - displays the User ID logged into the system when the current restriction was created.
- Modified On - displays the date and time at which the current restriction was modified.
- Modified By - displays the User ID logged into the system when the current restriction was modified.
- Modification Counter - displays the number of modifications made to the current restriction.
The Related section at the bottom of the page contains links to related resources for the current record. The following links are available:
- User Master
- License
- Role
- Attribute
- Permissions Summary
For information on the functionality of each button on the User Master-Restriction Details page, click here.