
Hello there!

I am currently addressing an issue with our user permission sets.

We have two companies currently registered, and one of our users must have access to both companies and sites.

However, he should only be permitted to view the engineering module from site 2, not site 1.

Please, what is the proper way to adjust his permissions?

Thank you!

Hi @MHRDonato,

Permission Sets in IFS are configured at the enterprise (global) level.

This means you cannot define or restrict permission sets per company. All users assigned to a permission set will have access to the functions it provides, regardless of the company context.

However, data-level access can still be controlled at the site or company level through User–per–Site/Company configurations.

Likewise, the Engineering module in IFS is also global in nature:

It is not company-specific and does not follow site-based segregation.

All users with access to Engineering functionality will see and manage data across all companies and sites, provided their permissions allow it.

 

Regards 

Abdul Rehman 


This is a well-known issue.

The only way to resolve this issue is to create another user account.


Thank you both for your response.

@Abdul Is there any documentation/information on this data-level access method?


Hi, you might want to add your vote to this idea: Differentiate permission sets per company for one user | IFS Community


The only way to technically achieve the requested separation is through Oracle Row Level Security (RLS). RLS can be configured to restrict access at the table or view level based on, for example, site.

However, it requires SYSDBA privileges and is not officially supported by IFS.

That said, it is relatively easy to set up and does not require any core code modifications.

I have successfully used it for other modules without issues, but it should be implemented with caution and tested thoroughly before deployment.


Beginning with 25R1 there is a new feature: Data Level Access Control. I haven’t checked this yet, but it could be possible to do this. If not now, maybe in the future.


@MHRDonato Although the idea of @arwid seems OK, this is nearly a no-go in an IFS Cloud environment (as you are more or less not allowed to touch the database outside the screens of IFS).

Most likely, if you have IFS Cloud on premises, you might get away with this.

Make sure that you either document what you change or prepare a report that shows the RLS, as this might be part of an auditor's requirements list.
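
As an added illustration (not written by any poster in this thread and not IFS code), the Oracle RLS setup and the audit report mentioned in the replies above could look like the following. The schema, table, column and mapping-table names are hypothetical placeholders, and the example assumes the end user's identity is visible as SESSION_USER; an application that connects through a shared database account needs a different identity source.

```sql
-- Added example. APP_OWNER, ENG_PART_TAB, its SITE column and the
-- USER_SITE_ACCESS(user_id, site) mapping table are hypothetical placeholders.

-- 1. Policy function: returns the WHERE predicate Oracle appends to each statement.
CREATE OR REPLACE FUNCTION app_owner.eng_site_predicate (
   p_schema IN VARCHAR2,
   p_object IN VARCHAR2
) RETURN VARCHAR2
IS
   v_sites VARCHAR2(4000);
BEGIN
   -- Leave the owning schema unfiltered so application jobs keep working.
   IF SYS_CONTEXT('USERENV', 'SESSION_USER') = p_schema THEN
      RETURN NULL;
   END IF;
   -- Build a quoted IN-list of the sites mapped to the session user.
   SELECT LISTAGG(DBMS_ASSERT.ENQUOTE_LITERAL(site), ',')
             WITHIN GROUP (ORDER BY site)
     INTO v_sites
     FROM app_owner.user_site_access
    WHERE user_id = SYS_CONTEXT('USERENV', 'SESSION_USER');
   -- Fail closed: a user with no mapping sees no rows.
   IF v_sites IS NULL THEN
      RETURN '1 = 0';
   END IF;
   RETURN 'site IN (' || v_sites || ')';
END;
/

-- 2. Attach the policy; update_check also rejects writes that leave the predicate.
BEGIN
   DBMS_RLS.ADD_POLICY(
      object_schema   => 'APP_OWNER',
      object_name     => 'ENG_PART_TAB',
      policy_name     => 'ENG_SITE_POLICY',
      function_schema => 'APP_OWNER',
      policy_function => 'ENG_SITE_PREDICATE',
      statement_types => 'SELECT,INSERT,UPDATE,DELETE',
      update_check    => TRUE);
END;
/

-- 3. Report for auditors: every RLS policy, then the accounts that bypass RLS.
SELECT object_owner, object_name, policy_name, pf_owner, function,
       sel, ins, upd, del, chk_option, enable
  FROM dba_policies
 ORDER BY object_owner, object_name, policy_name;

SELECT grantee FROM dba_sys_privs WHERE privilege = 'EXEMPT ACCESS POLICY';
```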

