Document management - Object access

Hi Carole,

Kindly check below explanation. Hope it will answer your query.

Object Controlled Access

Description

Object controlled access is a concept where another business object can affect the access on a certain document. The functionality is generic in the way that, in theory (please read on below for details), any kind of business object in the system can be configured to control the document access, as long as there is a database method that can be called on the object's main API that is developed for the purpose of returning the access level for the connected document. IFS Applications comes with some predefined configuration if certain components are installed, for projects, invoicing and the B2B contracting workflow. To let other objects control the access, a small customization has to be done for each type of object, such that there is a method that can be called to get the access. The rest can be done through configuration.

How it works

The concept works like this: when the necessary configuration is in place, and when a document is connected to a certain kind of object, a new access line will be added to the document's access definition. If the user making the connection is an administrator of the connected document, the initial access level on the new access line will be given by the configuration in Document Basic/Default Object Access Levels. If the user is not an administrator of the document, then no access will be given through the new access line that is added (all check boxes are cleared). An administrator of the document can later update these levels on the document itself, making the access higher or lower or clearing it completely. The document might have other access definition lines however, that grants access to persons or groups of persons.

When an object that controls the document access is disconnected from the document, the object access line will be removed from the document's access definition. This will also happen if the object type's possibility to control the access is disabled or removed from Document Basic/Object Types for Access Control.

This means that object access lines cannot be manually added to or deleted from the Document Revision/Access/Definition tab. They are inserted and deleted automatically by the system. They can however be updated in the sense that the access levels themselves, on each access line, can be modified by an administrator of the document.

Actual access given from an object

The maximum available document access derived from the object, for a certain document, will be set from the Definition tab. This means that, regardless of what level the object tries to grant the document, from the defined API method, the access level set on the access line on the document will set the maximum limit. For example, if the access granted from the object side is Admin, but the object access line on the document only has View selected, the resulting access from that line will never be higher than View. If the object access line on the document is instead set to grant Admin access, the object can grant this too, if needed. However, if the object does not grant as high access as the access line defines, the user will only get as high access as the object grants. This way, the document administrator always have control over the access, since he can control the access definition.

The following table shows the actual, resulting access for the user, given the access that the object grants (via the API method defined in basic data) and the access defined on the access line itself:

Access granted through more than one object

If a person only receives his or her access through two different objects, then he or she will get the maximum defined access from those objects. For example, if the person has view access through one object and administrator access through the other, the person will receive administrator access to the document.

Standard Object Types Available for Access Control

When installing IFS Document Management, if certain components are available, they will be able to control document access. Here is a list of the objects that can control the access in the standard installation (more can be created through a customization):

• Projects (object types Project, SubProject and Activity) - To control document access through the project a document is connected to, for the members of the project. To define what access each member/team should be granted, for each level in the project, go to Project Info / Project Access / Access Definition
• Work Orders (object type WorkOrder) - Used in the B2B Contracting workflow, where a contractor must be able to access documents connected to a work order he is working on.
• Quotations (object types QuotationLineNopartOrd and QuotationLinePartOrd) - Used in the B2B Contracting workflow. During the quotation phase the contractor can view, add or remove documents.
• Invoices (object types IncomingInvoice and ManSuppInvoice) - The access to the invoice document file connected to the actual invoice in IFS Finance is controlled by the invoice object. The access to the invoice document is based on who has access to the invoice in Finance but also includes rules that can grant a manager access to his employees invoices.
• Human Resources - when setting up document access, if you attach a document to an LU under HR Access Protection, then a record will be automatically generated for the object connection. The record will grant access to users who have proper organizational access. As a result, a person can see only documents of employees to whom they have access.
  The object connection line is generated if a document is attached through a selected set of Logical Units listed below:
  • Organization - Company Person, DisciplinaryAndGrievance, DiscGrievAction, DiscGrievParticipants, EmpAdditionalPay, EmpEmployedTime, EmpJobAssign, EmployeeSalary
  • Career and succession planning - EmpCareerCounseling, EmpCareerPath, EmpCareerPlan, EmpCareerPotentiality, EmpDevelopmentPlan, EmployeeObjective, EmployeeActivity, Emp Performance Appraisal
  • Training and development - CounselingPlan, EducationScholarship, JobRotation, SpecialAssignment, TrainingDevelopment
  • Training Administration - EmpTrainingHistory
  • Time and attendance - Absence plan, Absence request, Absence registration
  •  Strategic HR base - EmpStrength, EmpAreaOfInterest, EmpWeakness, Employee competency
  •  Travel Expense - TravelRequestOption, TravelOptionDetail, ExpenseHeader
  •  Schedules and rules - WorkSchedAssign
  •  Employee Payment - Emp Payment Trans
  •  Benefit - Employee Benefit Plan

Note: Access through these predefined objects can be disabled and enabled but it is not recommended. You should not edit the API or method on these lines since that will result in unsupported behavior.

Best Regards,

Thilini