Siebel Security Hardening Guide > Securing Siebel Business Applications >

About Implementing Authorization and Access Control

This topic describes the mechanisms that you can use to restrict access to data and Siebel Business Applications functionality for authenticated users after they have accessed Siebel Business Applications.

Siebel Business Applications use two primary access-control mechanisms to determine the privileges or resources that a user is entitled to within Siebel Business Applications:

• View-level access control. Manages the functions that a user can access.
• Record-level access control. Manages the data items that are visible to each user.

View-Level Access Control

Organizations are generally arranged around functions, with employees being assigned one or more functions. View-level access control determines what parts of a Siebel application a user can access. This access is based on the functions assigned to that user. In Siebel Business Applications, these functions are called responsibilities. Responsibilities define the collection of views to which a user has access. Each user's primary responsibility also controls the user's default screen tab layout and tasks.

You can choose to store users' Siebel responsibilities as roles in a directory attribute instead of in the Siebel database if you are using LDAP, ADSI, or custom security adapters, or if you are using Web SSO authentication.

Record-Level Access Control

Record-level access control assigns permissions to individual data items within an application. This access level allows you to configure a Siebel application so that only authenticated users who need to view particular data records can access that information.

Siebel Business Applications use three types of record-level access: position, organization, and access group. When a particular position, organization, or access group is assigned to a data record, only employees within that position, organization, or access group can view that record.

Adhere to the following general guidelines when authorizing access to views and records:

• Grant privileges to positions and responsibilities rather than to individual named users, and grant necessary privileges only.
• Limit access to the user profiles and position lists.

  For additional information, see Implementing Personal Visibility for the User Profile View.

• Lock accounts after invalid login attempts.

For additional information on view and data access control, see Siebel Security Guide.