The Security Data form is used to create and configure Security Data Roles that either limit or increase a user's access to data in the application. You control data access by adding data restriction items to a role. For example, you can restrict the user’s access to specific facilities, reports, or pay policies. You can also increase data access by adding SUPERVISOR_ADMIN rights to a role.
Security Data Roles are assigned to a single person record via the Employee Setting form, to a Person Group with type Policy or Facility via the Employee Group Setting form, or globally to all users via the System Settings form. Note that an Employee Setting overrides Employee Group Setting, which overrides System Settings. Each user that needs access to the system must be defined on the Employee form.
Note: If you assign a Security Data Role to a user that is currently logged into the application, the user must exit the application and log back in to see the new settings.
See Also:
Security Data Field Descriptions
Role Name – Find, Add, Copy, or Delete
Find/View Security Data Records
Role Name
Identifies the Security Data Role Name.
To lookup, add, delete, or copy a Role Name, click the button next to this field and select Add, Lookup, or Maintain from the pop-up menu. See Role Name – Find, Add, Copy, or Delete.
Item Name
Identifies the security data item.
The items in a Security Data Role can be of type data restriction and/or SUPERVISOR_ADMIN.
Data restriction items limit the data so that only records that are associated with the configured data restriction items display to the user. You configure the restriction by specifying the kind of data that is restricted. Each Security Data Role can have zero (no restriction) or more data restriction items associated with it.
For example, if you select the Item Name CUSTOMER_REPORT_NAME, you can restrict the user’s access to specific reports defined on the Customer Reports form.
The available Item Names are listed in the table below:
Item Name |
Description |
ADHOC_REPORT_NAME |
Determines which Ad Hoc Reports will be available on the Ad-Hoc Reports form to users assigned to this Security Data Role.
|
CUSTOMER_REPORT_NAME |
Determines which of the reports defined on the Customer Reports form will be available to users assigned to this Security Data Role.
|
EXPORT_NAME |
Determines which exports will be available to users assigned to this Security Data Role when the user runs the export via the Exports form. The available Exports are defined on the Export Definition form.
|
FACILITY |
The FACILITY item affects the forms that use a Facility to filter selected persons or their transactions: Authorized Hours, OT Offer, Time Off Review, Current Situation, Time Card Review, Person, and Transaction Status. This item restricts person data so that only persons belonging to a specific Person Group with type FACILITY display to the user. Non-facility employees will not display. IMPORTANT: If a supervisor has the FACILITY data restriction and also has a SUPERVISOR_ADMIN role, the supervisor will be able to see their own employees, no matter what group the employees belong to. This item can also be used to restrict access to charge elements and orders on the Charge Element and Order forms. In addition to the FACILITY data restriction, you must also enable Data Access Rights for the form (set dar_enabled to “1”) and define which charge items are valid for a given facility in the charge_element_group table. See Restrict Access to Charge Elements or Restrict Access to Orders for more information.
|
PAY_GROUP_NAME |
The PAY_GROUP_NAME item affects the Payroll Lock and Exports forms. This item restricts data so that only specific Pay Policies, or persons assigned to these Pay Policies, display to the user. Payroll Lock form: On the Payroll Lock form (Lock by Pay Policy and Lock by Person tabs), the PAY_GROUP_NAME item restricts person data so that only persons that have been assigned to a specific Pay Policy display to the user. Person records that do not have a Pay Policy assigned to them will not display. Exports form: When you use the Exports form to run a payroll export, The PAY_GROUP_NAME item restricts which Pay Policies will display on the form. See Payroll Export Feature for more information. PAYROLL_EXPORT service: The PAY_GROUP_NAME item affects the Pay Groups that can be exported by the person specified in the CREATOR_PERSON_NUM parameter. Make sure the CREATOR_PERSON_NUM has a Security Data Role with the PAY_GROUP_NAME item and that this item includes the Pay Groups listed in the selected Export Definition (Export Parameters tab).
|
PERSON_ASSIGNMENT |
The PERSON_ASSIGNMENT item affects the Assignment tab of the Employee form. You can use this Item Name to restrict the Person Assignments that a user can modify. The available Item Values are the Assignment Types that can be assigned on the Assignment tab of the Employee form. When a user’s Security Data Role includes the PERSON_ASSIGNMENT item, then only the Selected Item Values will display for the user on the Assignment tab of the Employee form.
|
PERSON_SETTING |
The PERSON_SETTING item affects the Setting tab of the Employee form. You can use this Item Name to restrict the Person Settings that a user can add, view, or modify. The available Item Values are those Setting Types that can be assigned at the Person level. When a user’s Security Data Role includes the PERSON_SETTING item, then only the Selected Item Values will display for the user on the Setting tab of the Employee form.
|
PROCESS_INSTANCE_NAME |
Restricts the process names that display to the user in the Service Instance and Service Monitor forms.
|
SENDER_NAME |
The SENDER_NAME item affects the Sender Name filter in the following forms: Charge Element Order Interface In Queue In XML Queue Interface Out Queue Out XML Queue This setting restricts the charge elements, orders, and interface data that can be viewed by a user so that only data with a specific Sender Name will display. Sender Names are defined on the Interface Host form (with Host Type Sender).
|
SUPERVISOR_ADMIN |
The SUPERVISOR_ADMIN item affects the forms that have the Supervision Type filter: Supervisor Review, OT Offer, Supervisor Person, Time Off Review, and the Person Num quick link on the Person Schedule form. This item allows the user to view all employees that belong to a supervision group (Hierarchy Group, DIRECT_MANAGER Group, or SUPERVISOR_MANAGER Group). When the SUPERVISOR_ADMIN item is assigned to a user’s Security Data Role, the user becomes a “super” supervisor and can view all other supervisors’ employees via any form that has a Supervision Type filter. If the user’s Security Data Role includes additional Item Names, then those data restrictions apply as well. Note: Employees can be assigned to a supervision group via the Person Group form (Person Group Type DIRECT_MANAGER or SUPERVISOR_MANAGER) or via the Hierarchy Elements form (Person Group Member tab).
|
TERMINAL_PROFILE_NAME |
This setting limits the Terminals and Terminal Profiles that may display to the user in the Terminal, Terminal Monitor, and Terminal Wizard forms. If a Security Data Role restricts the user from all Terminal Profiles (i.e., the Security Data Role is set to "Exclude All") the user cannot use the Terminal Wizard. If the Security Data Role allows access to certain Terminal Profiles, the user can use the Terminal Wizard to configure those profiles, but cannot add new profiles.
|
TRANSACTION_NAME |
The TRANSACTION _NAME item affects the Transaction Name filter in the following forms: Interface In Queue In XML Queue Interface Out Queue Out XML Queue This setting restricts the interface data that can be viewed by a user so that only data with a specific Transaction Name will display. Transaction Names are defined for a specific Interface Name on the Interface Trans tab of the Interface form.
|
Exclude All Values
If you do not want users assigned to this Security Data Role to have access to any of the Item Values, check the Exclude All Values box. For example, if the Item Name is CUSTOMER_REPORT_NAME and Exclude All Values is checked, then users will not have access to any of the reports on the Customer Reports form. When you check Exclude All Values, the Item Values (Selected and Available) are not visible.
Exclude Values
Use Exclude Values to exclude the selected Item Values from the Security Data Role.
Whether an item is included or excluded depends on whether it is in the Selected or Available column on the Security Data pop-up form, and whether Exclude Values is checked.
If Exclude Values is checked, the Item Values in the Selected column will be excluded from the Security Data Role. The Item Values in the Available column will be included in the Security Data Role.
If Exclude Values is not checked, the Item Values in the Selected column will be included in the Security Data Role. The Item Values in the Available column will be excluded from the Security Data Role.
Exclude Values is helpful if you have numerous Item Values and you only want to exclude a few of them. For example, you may want to give users access to all the PROCESS_INSTANCE_NAME items except for ATTENDANCE. In this case, you would put ATTENDANCE in the Selected column and check Exclude Values.
Item Values
An Item Value identifies the specific record that is included or excluded from the Security Data Role. When you exclude an Item Value, users assigned to this Security Data Role will not have access to those records. For example, if you exclude one or more FACILITIES, then users who are assigned this Security Data Role will not be able to access person records defined for those facilities.
For information on including and excluding Item Values, see Add Security Data Items and Modify a Security Data Item.
Update Date, Updated By
These fields display when the record was created or updated, and the person who created or updated the record.
Add Item
Click this button to add an Item Name to the Security Data Role. When you click Add Item, the Add Security Data form opens.
Modify Item
Click this button to modify an Item Name in the Security Data Role. When you click Modify Item, the Modify Security Data form opens.
Use the button next to the Role Name field on the Security Data form to find, add, copy, or delete a Security Data Role Name.
Click Main Menu > Configuration > Security > Security Data.
Click the button next to the Role Name field.
Select Add, Lookup, or Maintain from the pop-up menu.
To find a Security Data Role Name, select Lookup from the pop-up menu. On the Security Data Role pop-up form, select a Role Name and click Find.
To add a Security Data Role Name, select Add from the pop-up menu. On the Security Data Role pop-up form, enter a Role Name and click Save.
To copy a Security Data Role, select Maintain from the pop-up menu. On the Security Data Role pop-up form, select the Role Name and click Copy. Enter a new Role Name and click Save.
To delete a Security Data Role Name, select Maintain from the pop-up menu. On the Security Data Role pop-up form, select the Role Name and click Delete. Click to close the pop-up form and return to the main Security Data form.
Once you have selected a Data Role Name, the grid section of the Security Data form shows which items are included or excluded from the Security Data Role.
Click Main Menu > Configuration > Security > Security Data.
Select a Security Role Name from the Role Name drop-down menu.
You can also click the button next to the Role Name field and select Lookup from the pop-up menu. On the Security Data Role pop-up form, select a Role Name and click Find.
Once you have selected a Role Name, the grid section of the Security Data form shows which items are included or excluded from the Security Data Role.
Click Main Menu > Configuration > Security > Security Data.
Find the Role Name to which you want to add security data.
Click Add Item. The Add Security Data pop-up form displays. Role Name displays the name of the item you selected in step 2.
Select an Item Name.
If you selected SUPERVISOR_ADMIN, there are no other options to configure. You can click Save or Save and Add to continue.
If you selected one of the data restriction items, you will need to specify which items to include or exclude.
If you do not want users assigned to this Security Data Role to have access to any of the Item Values, check the Exclude All Values box. For example, if the Item Name is CUSTOMER_REPORT_NAME and Exclude All Values is checked, then users will not have access to any of the reports on the Customer Reports form. When you check Exclude All Values, the Item Values (Selected and Available) are not visible.
Use Exclude Values to exclude the selected Item Values from the Security Data Role.
Whether an item is included or excluded depends on whether it is in the Selected or Available column on the Security Data pop-up form, and whether Exclude Values is checked.
If Exclude Values is checked, the Item Values in the Selected column will be excluded from the Security Data Role. The Item Values in the Available column will be included in the Security Data Role.
If Exclude Values is not checked, the Item Values in the Selected column will be included in the Security Data Role. The Item Values in the Available column will be excluded from the Security Data Role.
Exclude Values is helpful if you have numerous Item Values and you only want to exclude a few of them. For example, you may want to give users access to all the PROCESS_INSTANCE_NAMEs except for ATTENDANCE. In this case, you would put ATTENDANCE in the Selected column and check Exclude Values.
When you are done, click Save or Save and Add to return to the main Security Data form.
Click Main Menu > Configuration > Security > Security Data.
Find the Data Role Name.
Select the Item Name for which you want to modify security data.
Click Modify Item. The Modify Security Data pop-up form displays. Data Role Name and Item Name display the names of the items you selected in steps 2 and 3.
Use the Exclude Values, Exclude All Values, Item Name, Selected, and Available fields to specify which item to include or exclude from your data item. Refer to steps 5-7 in Add Security Data Items for information on these fields.
Click Save.
Click Main Menu > Configuration > Security > Security Data.
Find the Data Role Name.
Select the Item Name and click Delete.
Click OK to confirm the action.