Configure Data Access in a Multiple Business Unit Environment

This topic provides an example of how you might configure the data access provided by a role in a sales environment where multiple business units are defined.

You can configure the default data security settings for your sales users by creating a custom version of the role users are assigned. Depending on whether you're using access groups or data security policies, you can then edit the custom role, or system access group generated for the custom role, to provide the access to object data you need.

The conditions specified in access group rules or data security policies can use a number of components as mechanisms for sharing data. So one important consideration to keep in mind when configuring users' access to data is that users might have access to object records through more than one access path, and each path is evaluated independently of the others. For example, a user assigned a role that grants access to opportunities based on team and territory can access an opportunity through either access path on its own. If you want to limit this access, you have to remove or modify the access group rules or data security policies that provide access using each path; removing only one of them leaves the other path open.

For example, in a multiple business unit environment, users from different business units might be assigned to an account team. In this scenario, you might want sales representatives on the account team to be able to view only opportunities they created, but not opportunities created by their team members. Here are the steps to use.

Use these steps to restrict users' access to opportunities using access groups and rules.

  1. Sign in to the sales application as a user who has the IT Security Manager job role.

  2. Create a copy of the Sales Representative job role in the Security Console, for example Sales Representative Custom, and assign the role to at least one user.

    A custom access group, Sales Representative Custom Group, is created for the custom role but isn't associated with any predefined access group rules.

    Note: System access groups are generated only for job roles that have at least one user associated to them.

  3. Navigate to the Sales and Service Access Management work area (Navigator > Tools > Sales and Service Access Management).

    The Access Groups page is displayed listing any existing active access groups.

  4. Search for and select the Sales Representative Custom Group generated for the custom role you created in step 2.
  5. On the Edit Access Group: Overview page, click the Object Rules tab, then select Opportunity from the Object drop-down list.

  6. Click Add Rule.
  7. Select the Opportunity Owner rule, click Apply, then click Done.

    This rule provides group members with access to opportunities they own. As you don't want group members to have access to opportunities through access paths other than opportunity ownership, such as through account team membership or territory membership, there's no need to assign any other rules to the group.

  8. Click Save and Close.
  9. On the Edit Access Group: Object Sharing Rules page, in the Access Level field select the access level for the rule you've just added, then make sure the Enable check box is selected to enable the rule.
  10. Click Save and Close to save the changes you made to the access group.

  11. Provision the Sales Representative Custom job role instead of the Sales Representative job role to relevant users.

    Users provisioned with the Sales Representative Custom job role are automatically added as members of the Sales Representative Custom Group access group and receive access to only those opportunities they own.

Use these steps to restrict users' access to opportunities using data security policies.

  1. Create a copy of the Sales Representative job role in the Security Console, for example Sales Representative Custom.

  2. Edit the new Sales Representative Custom role.
  3. Navigate to the Edit Role: Data Security Policies page of the Security Console.
  4. Remove any policies defined for the opportunity object that contain conditions that provide opportunity access through access paths other than opportunity ownership, such as through account team membership or territory membership.

    • Team membership. To remove users' access to opportunities created by their account team members or members of the territory associated with the account, remove all policies with this condition:

      Access the opportunity for table MOO_OPTY where you are member or in management chain of opportunity account team, account territory team or upward territory hierarchy
    • Territory membership. Remove users' access to opportunities they can access through opportunity territory membership.

      Users might have access to opportunities through their membership of the territory associated with the opportunity. For example, user A might be an account team member and also a member of a territory (for example, the NW territory) that isn't assigned to the account. If a second user B, who is not an account team member, creates an opportunity for the account, and the opportunity is assigned to the NW territory, user A gains access to the opportunity record through territory membership. To remove this access, remove all policies that contain this condition:

      Access the opportunity for table MOO_OPTY where they are a territory resource in the opportunity territory team or a territory resource with a descendant territory in the opportunity territory team
  5. Save the custom role you created and provision this role to users instead of the Sales Representative job role.

    Users assigned this role only have access to opportunities on the account that they created themselves.
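
The point made earlier about multiple access paths, and the user A / user B territory scenario in the territory membership bullet above, can both be checked with a small model. The following Python is an added example written for this page and is not Oracle code or product behaviour; the users, account, territories, hierarchy and the three path predicates are constructed stand-ins for the ownership, account team and territory conditions quoted above. It shows that a record is visible when any enabled path grants it, so removing only the team path still leaves user A with access through the NW territory, and only the owner-only configuration gives the intended result.

```python
"""Toy model of 'multiple access paths' for opportunity records.

Constructed example (not Oracle code): users, account, territories and the
hierarchy are invented. Each access path is an independent predicate, and a
user can read a record if ANY enabled path grants it (paths are unioned).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Opportunity:
    name: str
    owner: str
    account: str
    territories: frozenset  # territories assigned to the opportunity


@dataclass
class Directory:
    account_teams: dict      # account -> set of team member user names
    territory_members: dict  # territory -> set of resource user names
    territory_parent: dict   # territory -> parent territory (None for root)

    def is_descendant(self, child, ancestor):
        """True if `child` sits below `ancestor` in the territory hierarchy."""
        t = self.territory_parent.get(child)
        while t is not None:
            if t == ancestor:
                return True
            t = self.territory_parent.get(t)
        return False


# --- access paths; each one stands in for a rule / policy condition ---

def owner_path(user, opp, d):
    """Opportunity Owner rule: the user owns the record."""
    return opp.owner == user


def account_team_path(user, opp, d):
    """Account team condition: the user is on the account's team."""
    return user in d.account_teams.get(opp.account, set())


def territory_path(user, opp, d):
    """Territory condition: the user is a resource in an opportunity territory,
    or in an ancestor territory that has an opportunity territory below it."""
    for terr, members in d.territory_members.items():
        if user not in members:
            continue
        if terr in opp.territories:
            return True
        if any(d.is_descendant(t, terr) for t in opp.territories):
            return True
    return False


ALL_PATHS = {
    "owner": owner_path,
    "account_team": account_team_path,
    "territory": territory_path,
}


def can_access(user, opp, d, enabled_paths):
    """Return the set of enabled paths that grant `user` access to `opp`.
    An empty set means no access. Paths are evaluated independently, so
    disabling one path never changes the answer given by another."""
    return {name for name in enabled_paths if ALL_PATHS[name](user, opp, d)}


# Constructed directory: userB is deliberately NOT on the Acme account team.
DIRECTORY = Directory(
    account_teams={"Acme": {"userA", "userC"}},
    territory_members={"NW": {"userA"}, "West": {"userD"}, "NW-Seattle": {"userE"}},
    territory_parent={"West": None, "NW": "West", "NW-Seattle": "NW"},
)

# userB creates an opportunity for Acme and it is assigned to the NW territory.
OPP = Opportunity(name="Acme renewal", owner="userB", account="Acme",
                  territories=frozenset({"NW"}))


def demo():
    """Compare the predefined role (all paths) with the custom, owner-only role.
    Returns {user: (paths granting access by default, paths after restriction)}."""
    default = set(ALL_PATHS)   # predefined Sales Representative: every path
    restricted = {"owner"}     # custom role after removing team/territory rules
    return {
        user: (can_access(user, OPP, DIRECTORY, default),
               can_access(user, OPP, DIRECTORY, restricted))
        for user in ("userA", "userB", "userC", "userD", "userE")
    }


if __name__ == "__main__":
    for user, (before, after) in demo().items():
        print(f"{user}: default={sorted(before) or 'none'} owner-only={sorted(after) or 'none'}")
    # Removing only the team path is not enough: the territory path still applies.
    print("userA with team path removed:", can_access("userA", OPP, DIRECTORY, {"owner", "territory"}))
```

The same check is worth repeating against the real configuration: after provisioning the custom role, sign in as a test user who is on the account team and in the opportunity's territory but does not own the opportunity, and confirm the record is not visible. That test catches the case where one alternative path was removed and another was left in place.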

For additional information about access groups, see the Access Groups chapter. For additional information about configuring data security, see the chapter Configure and Troubleshoot Data Security.