How You Secure Person Records by Area of Responsibility
When you secure person records by area of responsibility, you select a scope and a responsibility type. The scope can be either a single value, such as Job or Location, or a supplied pair of values, such as Business unit and department.
This topic explains how these scope values are matched to a user's areas of responsibility to see whether the user can access the person records.
Using a Single Responsibility Scope Value
When you select a single scope value, such as Department or Country, the user's area of responsibility needs to include that scope value. Otherwise, the user can't access relevant person records. Suppose you secure person records using these values:
- Responsibility type: Human resources representative
- Scope: Department
A user could have the four areas of responsibility shown in this table for the responsibility type.
| Area of Responsibility | Business Unit | Department |
|---|---|---|
| 1 | Vision BU 1 | Vision Department 1 |
| 2 | Vision BU 2 | None |
| 3 | Vision BU 3 | Vision Department 3 |
| 4 | None | Vision Department 4 |
This user can access person records in:
- Vision Department 1
- Vision Department 3
- Vision Department 4
But the user can't access person records in:
- Vision BU 1 if they aren't also in Vision Department 1
- Vision BU 2
- Vision BU 3 if they aren't also in Vision Department 3
Using Multiple Responsibility Scope Values
You can select a responsibility scope value that's made up of two individual values, such as Country and department or Legal employer and job. When you secure person records using one of these paired values, the user's area of responsibility must include both values. Otherwise, the user can't access relevant person records. Suppose you secure person records using these values:
- Responsibility type: Human resources representative
- Scope: Business unit and department
A user could have the four areas of responsibility shown in this table for the responsibility type.
| Area of Responsibility | Business Unit | Department |
|---|---|---|
| 1 | Vision BU 1 | Vision Department 1 |
| 2 | Vision BU 2 | None |
| 3 | Vision BU 3 | Vision Department 3 |
| 4 | None | Vision Department 4 |
This user can access person records in:
- Vision BU 1 that also belongs to Vision Department 1
- Vision BU 3 that also belongs to Vision Department 3
But the user can't access person records in:
- Vision BU 2
- Vision Department 4
- Vision BU 1 if they don't also belong to Vision Department 1 or have no department
- Vision BU 3 if they don't also belong to Vision Department 3 or have no department
- Vision Department 1 if they aren't also in Vision BU 1
- Vision Department 3 if they aren't also in Vision BU 3
The user's area of responsibility could include not only Vision BU 1 and Vision Department 1 but also Vision Location 1. The user can still access the person records because the condition in the person security profile is met. But to enforce all three conditions or secure person records using pairs of values that aren't delivered, you have to create custom criteria. For example, to secure person records using a combination of country, department, and job, you would have to use custom criteria.
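The matching rule from both sections can be modeled in a few lines. This is an added example, not Oracle's implementation. The function and field names are hypothetical, and "Vision BU 9" is a constructed value used to show a department match without a business unit match.

```python
# Added illustration: a model of the matching rule described on this page,
# not Oracle's implementation. All names here are hypothetical.

HR_REP = "Human resources representative"

# Constructed data: the user's four areas of responsibility from the tables above.
AORS = [
    {"type": HR_REP, "business_unit": "Vision BU 1", "department": "Vision Department 1"},
    {"type": HR_REP, "business_unit": "Vision BU 2", "department": None},
    {"type": HR_REP, "business_unit": "Vision BU 3", "department": "Vision Department 3"},
    {"type": HR_REP, "business_unit": None, "department": "Vision Department 4"},
]

SINGLE = ("department",)                  # Scope: Department
PAIRED = ("business_unit", "department")  # Scope: Business unit and department


def can_access(person, aors, responsibility_type, scope):
    """True if one area of responsibility of the given type holds every
    scope attribute and each value equals the person's value."""
    for aor in aors:
        if aor.get("type") != responsibility_type:
            continue
        # Every scope value must come from this same area of responsibility;
        # a missing (None) value on either side never matches. Attributes
        # outside the scope (for example a location) are ignored.
        if all(aor.get(a) is not None and aor.get(a) == person.get(a) for a in scope):
            return True
    return False


def person(bu, dept):
    """Build a constructed person record with the two attributes used here."""
    return {"business_unit": bu, "department": dept}


if __name__ == "__main__":
    samples = [
        person("Vision BU 1", "Vision Department 1"),
        person("Vision BU 1", None),
        person("Vision BU 1", "Vision Department 3"),  # values from two different areas
        person("Vision BU 9", "Vision Department 4"),  # constructed business unit
    ]
    for p in samples:
        print(p, "single:", can_access(p, AORS, HR_REP, SINGLE),
              "paired:", can_access(p, AORS, HR_REP, PAIRED))
```

The third sample is the case to check when reviewing a paired-scope profile: each value appears somewhere in the user's areas of responsibility, but never in the same one, so the paired scope denies access.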
To exclude some person records from the records you identify by area of responsibility, you can use an exclusion rule. You don't have to define custom criteria to exclude records.