Siebel Security Guide > About Security for Siebel Business Applications > Siebel Security Architecture >

About Controlling Access to Data

Authorization refers to the privileges or resources that a user is entitled to within Siebel Business Applications. Even among authenticated users, organizations generally want to restrict visibility to operating system data. Siebel Business Applications use two primary access-control mechanisms:

• View-level access control to manage which application functions a user can access.
• Record-level access control to manage which data items are visible to each user.

Access control provides Siebel customers with a unified method of administering access to many content items for many users. For more information, see Configuring Access Control.

View-Level Access Control

Organizations are generally arranged around functions, with employees being assigned one or more functions. View-level access control determines what parts of the Siebel application a user can access, based on the functions assigned to that user. In Siebel Business Applications, these functions are called responsibilities.

Responsibilities define the collection of views to which a user has access. An employee assigned to one responsibility might not have access to parts of the Siebel Business Applications associated with another set of responsibilities. For example, typically a system administrator has the ability to view and manage user profiles, while other employees do not have this ability. Each user's primary responsibility also controls the user's default screen tab layout and tasks.

Record-Level Access Control

Record-level access control assigns permissions to individual data items within an application. This allows Siebel customers to authorize only those authenticated users who need to view particular data records to access that information.

Siebel Business Applications use three types of record-level access: position, organization, and access group. When a particular position, organization, or access group is assigned to a data record, only employees who have been assigned that position, organization, or access group can view that record.

• A position represents a place in the organizational structure, much like a job title. Typically, a single employee occupies a position; however, it is possible for multiple employees to share a position. Position access allows you to classify users so that the hierarchy between them can be used for access to data.

  For example, a supervisor would have access to much of the data that a subordinate has access to; the same applies to others who report to the same manager.

• Similarly, an organization, such as a branch of an agency or a division of a company, is a grouping of positions that map to the physical hierarchy of a company. Those employees assigned to a position within a certain organization are granted access to the data that has been assigned to that organization. Visibility to data can be set up to restrict employees from accessing data outside their own organization.
• An access group is a less-structured collection of users or group of users, such as a task force. Groups can be based on some common attribute of users, or created for a specific purpose, pulling together users from across different organizations and granting them access to the same data.