A more complex role example

    Scenario

    We have several subsidiaries, and within each subsidiary we have different user groups. Our associates may see data from the other user groups within their own subsidiary, the company cards for the subsidiaries (defined as owner companies in SOAdmin, which own associates), and some other companies that should be global information. However, the different subsidiaries are strictly not allowed to see or edit data owned by associates from their sister companies. How do we accomplish this?

    Possible solution

    This example has subsidiaries in United Kingdom and Germany; the main office is called Role example - central. All of these are owner companies and may own associates.

    First, you'll need different user groups for each subsidiary, and then one user group for the information that should be visible to everyone (Global). We also add Global XX groups, which will be used to give the subsidiary access to the global information.

    You may of course define several roles. In this example we have used two: one for users who should only be able to edit their own data and read all other data available to the subsidiary, and one for the local administrator, who should also be able to edit all data visible to the subsidiary.

    The users are given all the other local groups as "Other groups", meaning that all users from the subsidiary in United Kingdom get the other United Kingdom user groups as other groups. The role called Global is the same as User level 0: full access to all data.

    Each user gets the Primary group for the country, and the other group is Global COUNTRY.

    Then you need a global user (note: this "user" does not even need login rights; here we use him as a global administrator as well). This user gets all the Global Country user groups as other groups. That way his data will be visible to all who have these Global Country user groups, but the users in Germany and UK will not share any user groups, and therefore they will not see each other's data.

     

    All data that should be visible to all users should now be "given" to the Global user. For company cards, this means you set Our contact = Global user.

    This data will now be available to all user groups, since the Global user's data is part of all Global Country groups through the other groups membership.

     

    Now, when logged in as Global, you will see all data in the database.

    And through the Global user's Other groups memberships, this user's data is now part of the other users' primary group.

     

    Overview of the user, groups and roles

    | User        | Primary Group | Other Groups            | Role   |
    |-------------|---------------|-------------------------|--------|
    | Global      | Global        | GlobalUK, GlobalGermany | Global |
    | UK Admin    | UK            | GlobalUK                | Admin  |
    | UK user     | UK            | GlobalUK                | User   |
    | German Admin| Germany       | GlobalGermany           | Admin  |
    | German user | Germany       | GlobalGermany           | User   |

    Note that we do not have just one other group that all users share, since this would mean they all have a user group in common and thus all would see all data (if I can see you, you can see me).

     

    Roles

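    | Role   | Mine | Primary | Other groups | Other associates |
    |--------|------|---------|--------------|------------------|
    | User   | FULL | Read    | Read         | None             |
    | Admin  | FULL | FULL    | Read         | None             |
    | Global | FULL | FULL    | FULL         | FULL             |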

     

    In this setup:

    UK user has the same primary group as UK Admin – and can as a "User" read UK Admin's data.

    UK user has no groups in common with German user – and cannot see German user's data.

    UK Admin has the same primary group as UK user – and as "Admin" can edit UK user's data.

    UK Admin has no groups in common with German user – and cannot see German user's data.

    UK Admin has GlobalUK in common with Global as other group – and as an "Admin" can read Global's data.

    Global has full access to everyone's data.
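
The setup above can be checked mechanically before it is rolled out. The following is an added example, not SuperOffice code: it models the two tables from this page and assumes the simplified rule the page states (any shared user group makes the owner's data visible); the function names and the `GlobalAll` group are hypothetical. It also reproduces the misconfiguration warned about above, where one "other group" is shared by everyone.

```python
from itertools import permutations

# Role matrix from the page: access per relation between viewer and data owner.
ROLES = {
    "User":   {"mine": "FULL", "primary": "Read", "other_groups": "Read", "other_associates": "None"},
    "Admin":  {"mine": "FULL", "primary": "FULL", "other_groups": "Read", "other_associates": "None"},
    "Global": {"mine": "FULL", "primary": "FULL", "other_groups": "FULL", "other_associates": "FULL"},
}

# Users from the overview table: (primary group, other groups, role, subsidiary).
USERS = {
    "Global":       ("Global",  {"GlobalUK", "GlobalGermany"}, "Global", None),
    "UK Admin":     ("UK",      {"GlobalUK"},                  "Admin",  "UK"),
    "UK user":      ("UK",      {"GlobalUK"},                  "User",   "UK"),
    "German Admin": ("Germany", {"GlobalGermany"},             "Admin",  "Germany"),
    "German user":  ("Germany", {"GlobalGermany"},             "User",   "Germany"),
}

def relation(users, viewer, owner):
    """Assumed simplification of the page's rule: a shared group makes data visible."""
    if viewer == owner:
        return "mine"
    v_primary, v_other = users[viewer][:2]
    o_primary, o_other = users[owner][:2]
    if v_primary == o_primary:
        return "primary"
    if ({v_primary} | v_other) & ({o_primary} | o_other):
        return "other_groups"
    return "other_associates"

def access(users, viewer, owner):
    """Access level the viewer's role grants on data owned by `owner`."""
    return ROLES[users[viewer][2]][relation(users, viewer, owner)]

def cross_subsidiary_leaks(users):
    """Pairs where a viewer gets any access to a sister subsidiary's data."""
    return sorted(
        (v, o) for v, o in permutations(users, 2)
        if users[v][3] and users[o][3] and users[v][3] != users[o][3]
        and access(users, v, o) != "None"
    )

def with_single_shared_group(users, group="GlobalAll"):
    """The misconfiguration the page warns about: one other group for everyone."""
    return {n: (p, {group}, r, s) for n, (p, _other, r, s) in users.items()}

if __name__ == "__main__":
    print("leaks, page setup:      ", cross_subsidiary_leaks(USERS))
    print("leaks, one shared group:", cross_subsidiary_leaks(with_single_shared_group(USERS)))
```

An empty leak list for the page's setup and a non-empty one for the shared-group variant is the property to re-check whenever a user group or role is changed.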