Securing Accounts Based On Customer Class

Assume the following security requirement exists:

You have two broad groups of accounts:
- Financial services accounts.
- Other accounts.
Users can be classified as have one of the following access rights:
- May access all accounts.
- May only access financial services accounts.
- May only access other accounts.

The following diagram illustrates the access groups and data access roles required to implement these requirements:

The figure illustrates how you can provide secured access using the access group and data access role.

Notice the following about the above:

There are 2 access groups because access to accounts is based on whether the account is considered to be residential or commercial/industrial.
The Big Customers data access role is only linked to the C&I access group.
The Small Customers data access role is only linked to the Residential access group.
The All Customers access role is linked to both the C&I and Residential access groups. Users with this role can therefore access all accounts.