How Access Conditions Work Together

Condition filters have an OR relationship to one another. Each operates independently, so items that seem to be excluded by one can be selected by others.

Although it's not required, it's highly recommended that your condition filters be either all inclusive or all exclusive, to prevent conflicting logic. So if your first condition filter uses the Equals, Contains, or Matches any of condition, each subsequent condition filter should use one of those three conditions. If the first condition filter uses the Does not equal, Does not contain, or Matches none of condition, each subsequent condition filter should use one of those three conditions.

Here are some examples of how condition filters work together:

  • Access-point or entitlement filters may return records in which some paths include the Accounts Payable Supervisor role and other paths include the Accounts Payable Manager role. A condition filter may state Access Point Equals Accounts Payable Supervisor. By itself, that filter would select records including the Supervisor role but exclude records including the Manager role. However, a second filter may state Access Point Equals Accounts Payable Manager. It would select the Manager records that the first filter seemed to exclude, and so model results would include records with both roles.

  • User1 and User2 are assigned the Accounts Receivable Specialist role. But in Manage Data Access for Users, the assignment to User1 is defined as applying only to data appropriate for the Consumer Electronics business unit. The assignment to User2 is defined as applying to the Database Servers business unit. The condition filter Business Unit Contains Consumer Electronics would, on its own, select records involving Accounts Receivable Specialist as it's assigned to User1, and exclude User2. But a second filter, Business Unit Contains Database Servers, would select the assignment to User2, and so the model would return records involving both users.

If you use a negative condition (Does not equal, Does not contain, or Matches none of), take care that condition filters don't return unexpected results.

For example, you may want a model to return only assignments of the Accounts Receivable Specialist role to users working in business units other than Consumer Electronics and Database Servers. You want, therefore, to exclude the assignments to User1 and User2. So you may create the filters Business Unit Does not contain Consumer Electronics and Business Unit Does not contain Database Servers. But this would backfire: because the filters are ORed, the record of the Accounts Receivable Specialist assignment to each user would be selected by the filter that doesn't explicitly exclude that user's business unit.

To achieve the effect you want, you should instead create a filter specifying Business Unit Matches None of Database Servers, Consumer Electronics.
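The OR relationship between condition filters, and the negative-filter trap just described, as an added example that is not part of this documentation or of the product: the records and filters below are constructed in plain Python, and the matching rules (exact match for Equals, case-sensitive substring for Contains, set membership for Matches any of) are assumptions made for illustration, not a statement of how the product evaluates conditions.

```python
"""Toy model of how access-model condition filters combine.

Filters are ORed: a record is selected if ANY filter matches it. This is
enough to reproduce the page's examples, including why two "Does not
contain" filters select every record while one "Matches none of" filter
excludes the intended business units.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample records: assignments of the Accounts Receivable
# Specialist role, as an access-point filter might already have narrowed them.
RECORDS = [
    {"user": "User1", "role": "Accounts Receivable Specialist", "business_unit": "Consumer Electronics"},
    {"user": "User2", "role": "Accounts Receivable Specialist", "business_unit": "Database Servers"},
    {"user": "User3", "role": "Accounts Receivable Specialist", "business_unit": "AR Brazil"},
]


@dataclass(frozen=True)
class Condition:
    """One condition filter: attribute, operator name, and one or more values."""

    attribute: str
    operator: str
    values: tuple[str, ...]

    def matches(self, record: dict) -> bool:
        actual = record[self.attribute]
        op = self.operator
        if op == "Equals":
            return actual == self.values[0]
        if op == "Does not equal":
            return actual != self.values[0]
        if op == "Contains":  # assumed: case-sensitive substring test
            return self.values[0] in actual
        if op == "Does not contain":
            return self.values[0] not in actual
        if op == "Matches any of":
            return actual in self.values
        if op == "Matches none of":
            return actual not in self.values
        raise ValueError(f"unknown operator: {op!r}")


def apply_filters(records: list[dict], conditions: list[Condition]) -> list[dict]:
    """Return the records selected by at least one condition (OR relationship)."""
    return [r for r in records if any(c.matches(r) for c in conditions)]


def selecting_filters(record: dict, conditions: list[Condition]) -> list[Condition]:
    """Which filters selected this record? Useful for diagnosing surprises."""
    return [c for c in conditions if c.matches(record)]


def users(records: list[dict]) -> list[str]:
    return sorted(r["user"] for r in records)


# Two inclusive filters: each selects what the other seemed to exclude.
POSITIVE_PAIR = [
    Condition("business_unit", "Contains", ("Consumer Electronics",)),
    Condition("business_unit", "Contains", ("Database Servers",)),
]

# Two exclusive filters: the backfire. User1's record fails the first filter
# but passes the second, and vice versa for User2, so nothing is excluded.
BACKFIRE_PAIR = [
    Condition("business_unit", "Does not contain", ("Consumer Electronics",)),
    Condition("business_unit", "Does not contain", ("Database Servers",)),
]

# One filter carrying both values: the exclusion happens inside a single test.
MATCHES_NONE = [
    Condition("business_unit", "Matches none of", ("Database Servers", "Consumer Electronics")),
]

if __name__ == "__main__":
    print("positive pair :", users(apply_filters(RECORDS, POSITIVE_PAIR)))
    print("backfire pair :", users(apply_filters(RECORDS, BACKFIRE_PAIR)))
    print("matches none  :", users(apply_filters(RECORDS, MATCHES_NONE)))
    for rec in RECORDS:
        hits = [c.values for c in selecting_filters(rec, BACKFIRE_PAIR)]
        print(f"  {rec['user']} selected by Does not contain {hits}")
```

Running the script prints `['User1', 'User2']` for the inclusive pair, all three users for the backfire pair, and only `User3` for Matches none of. The `selecting_filters` helper is the check worth keeping: when a model returns more records than expected, listing which filter admitted each record shows immediately whether an ORed negative filter is the cause.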

Additional considerations apply to filters that use the data-security conditions:

  • Your inclusion or exclusion of one role may be inherited by a related role.

    For example, a US Accounts Payable Manager role may be both assignable to users on its own, and included in the role hierarchy of a second role, Accounts Payable North America. Manage Data Access for Users may specify that the assignment of US Accounts Payable Manager to some users grants access only to data associated with the Database Server business unit.

    The filter Business Unit Equals Database Server would select records involving not only US Accounts Payable Manager, but also Accounts Payable North America, as assigned to those users.

  • Although Manage Data Access for Users defines the data available to a user assigned a role, in some cases other security configuration, such as data security policies, may expand the definition created in Manage Data Access for Users.

    For example, suppose User3 is assigned the Accounts Receivable Manager role. In Manage Data Access for Users, the assignment is restricted to data associated with the business unit called AR Brazil. Suppose User3 is also assigned the Accounts Payable Manager role. In Manage Data Access for Users, the assignment is restricted to data associated with the business unit called AP Italy. Owing to data-security-policy configuration, while in an AR Receipts page, User3 would see data only for AR Brazil, but while in an AP invoice page, User3 would see data for both AR Brazil and AP Italy.