Question

Security based on data per Company/Site?


Userlevel 2
Badge +7

We have 1 company that has 3 sites, 2 of the sites are manufacturing locations (site 2100 and 2200) and one is for R&D (site 2300).  We want to limit the folks in R&D to only be able to view the data for the 2 manufacturing sites (2100 and 2200), but have full access to the R&D site (2300).  The data that we need to limit is the Inventory Part, Recipe and Routing.  I know one solution is to give them 2 different logins and set security to limit what they can/can’t do with permission sets and site assignment.  This takes extra user logins (licenses) that I would rather not have to do.  Is there any other way to do this?


16 replies

Userlevel 6
Badge +13

Hi @jrauh ,

Can you please explain why you would need 2 different logins for each user? I’m assuming you have set up the company using the IFS company set-up and then set up the sites under that company.

If this is how you have set up the application, you should be able to grant the sites to the users and then handle the window access through permission sets like you have already noted.  

Userlevel 5
Badge +10

@KasunBalasooriya 

I always thought permissions were effectively

  • here are the things you can do/see
  • here are the companies/sites you can do them for

I wasn’t aware you could split permissions by site so User is able to issue material for shop orders on site 1 but only able to view shop orders on site 2?

 

Linda

Userlevel 2
Badge +7

I have 1 company (201) and 3 sites (2100, 2200, 2300) under the company. The R&D folks should only be able to change/add/delete data from site 2300 (R&D site), but will need to see the data in 2100 & 2200 (MFG sites). The R&D Site does not have the information that is currently in our MFG sites (this data is maintained by a different group in the organization). I know I can do it with 2 users per person, but this is a hit on my licensing, which I would prefer to avoid.

Userlevel 4
Badge +7

We experience the same issue in our company. Definitely following this thread.

Userlevel 6
Badge +13

Hi Linda,

I stand corrected. Yes you are right.  From a Foundation1 and Technology perspective, it is not possible to restrict data or only show partial data by site, company, etc.  Sorry about the confusion. 

Userlevel 5
Badge +12

Yeah, we have the same issue - we begrudgingly have to use two licenses for certain users

Badge

Dear all!

We have a large project in Germany with a similar issue and would kindly ask for urgent support.

Requirement: Sales Users from different sales offices across Europe shall see the stock inventory at the German site (German site = Head office & main warehouse / main production site). At the same time all other user permissions for all sales users outside Germany need to remain limited to their home company/sites.

Has anyone implemented a solution with two different logins as mentioned above? We’d be highly interested in a knowledge exchange.

We did a lot of research on permissions but haven’t found any practicable solution for our customer’s requirement so far. Does anyone know someone from RnD, Product Management, like a high caliber manager, being able to help? 

Thanks anyone for urgent support!

Best regards,

Stefan

Userlevel 6
Badge +13

Hi @jrauh ,

 

Since this is not possible in a global way through permissions, you can use custom events to restrict access to specific users, so that the events will prevent those users from performing specific operations or creating/changing records in specific sites. I know that it is not possible to do for every action on every logical unit since it requires so many events, but at least we can restrict business critical actions. And I think, if we can create the events and event actions in an organized way, it can be made more efficient. We may need one or two custom pages to define some basic data (sites and users relationship which should be restricted etc.)
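The custom-event approach suggested in the post above, modelled as an added example (not part of the original thread and not IFS code): a site grant decides what a user can see, and an event-style guard then blocks writes for listed user/site pairs. The user name `RD_USER`, the logical unit names and the `SiteGuard` class are assumptions made for illustration; the model also shows the gap the post mentions, where a logical unit without an event is not restricted.

```python
# Constructed model of the custom-event idea; names are hypothetical, not IFS APIs.
from dataclasses import dataclass, field

WRITE_OPS = {"create", "modify", "delete"}

class AccessDenied(Exception):
    pass

@dataclass
class SiteGuard:
    user_sites: dict   # standard layer: sites granted to each user
    read_only: set     # "basic data" page: (user, site) pairs limited to viewing
    guarded_lus: set = field(default_factory=set)  # LUs that have an event registered

    def check(self, user, site, logical_unit, op):
        """Return 'allow' or raise AccessDenied, as an event action would."""
        if site not in self.user_sites.get(user, set()):
            raise AccessDenied(f"{user}: site {site} not granted")
        if op not in WRITE_OPS:
            return "allow"          # reads pass once the site is granted
        if (user, site) not in self.read_only:
            return "allow"
        if logical_unit not in self.guarded_lus:
            return "allow"          # fail-open gap: no event on this logical unit
        raise AccessDenied(f"{user}: {op} on {logical_unit} blocked for site {site}")

    def unguarded(self, required_lus):
        """Coverage check: logical units that should be guarded but are not."""
        return sorted(set(required_lus) - self.guarded_lus)

def demo():
    guard = SiteGuard(
        user_sites={"RD_USER": {"2100", "2200", "2300"}},
        read_only={("RD_USER", "2100"), ("RD_USER", "2200")},
        guarded_lus={"InventoryPart", "Recipe"},   # Routing has no event yet
    )
    results = {}
    for site, lu, op in [("2300", "InventoryPart", "modify"),
                         ("2100", "InventoryPart", "read"),
                         ("2100", "InventoryPart", "modify"),
                         ("2200", "Routing", "delete")]:
        try:
            results[(site, lu, op)] = guard.check("RD_USER", site, lu, op)
        except AccessDenied:
            results[(site, lu, op)] = "deny"
    return results, guard.unguarded(["InventoryPart", "Recipe", "Routing"])
```

Because the guard is a deny-list layered on top of a full site grant, the `unguarded` check is the part worth running regularly: any logical unit it reports is still writable for the restricted users.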

Badge

Hi Thushitha A. Chandrasiri!

Is there any documentation with details for implementation?

Thank you and kind regards,

Stefan

Userlevel 6
Badge +13

Hi Stefan,

 

Sorry, I have not implemented that solution, so I do not have any documentation. I suggested that based on the custom event functionality in IFS.

Thank you and Best Regards

Thushitha

Userlevel 3
Badge +6

Hi,

We have exactly the same requirement. I assume most customers using a single global instance have the reality of many companies and sites with complex organisational structures. A practical and pragmatic approach is having different user rights per site and/or company for one employee. 

The only way to manage this technically is having at least two or even several users per employee, according to his job description and responsibilities in his default company/site and other companies / sites.

This is an old requirement, and IFS Rnd has been fully aware of this limitation for a long time.

Having different users for different companies might even be an advantage in modules other than Finance and HR.

Users in Finance and HR select a company to work in, which needs to be switched intentionally on demand. That means, the user does not get a mix of data from different companies.

Users in Supply Chain modules that have been granted several companies / sites need to be fully aware that a simple query might bring data from different companies / sites. Therefore, some of our employees with different responsibilities in different companies / sites prefer to have different users for the different dedicated companies / sites.

From this perspective, the discussed solution is a workaround for the requirement described.  For sure it is not compatible with many other things like “single sign on”.

From a legal perspective, it should be pretty simple to have a definition like “One employee requires one license, but can be assigned multiple users in the application (based on the workaround solution)”.

Johannes.

Userlevel 5
Badge +11

If the requirement only is to see stock levels for parts in other sites you might create custom field(s) for that which bypasses the site security. You can create multiline fields with data from several sites.

If needed, you can add your own security logic to limit which sites the users can see if they shall not see quantity from all sites. Use for example your permission set names to check if the user has access or not.

You can also create Quick Reports of course.

I know this solution might not solve everyone's problem in this thread but if the data you want to see from other sites are limited to only a couple of things maybe it helps.

 

 

Badge

Hi Thomas,

Thank you very much for your comment. Our customer is from a high tech industry and desires a professional solution for this key requirement.

Indeed, custom fields would be a technical approach. We believe with 300+ users in implementation phase 1 only, and a number of similar use cases with user permissions overlapping company/sites, this is not practical for our customer (and presumably not wanted).

Who could help me raise management attention for this requirement and get this patched directly in IFS Standard?

→ Please kindly allow me to add a strategic thought: In my opinion company/site-overlapping permissions is a fundamental requirement from any company with multiple locations. Therefore I’d fear this functional gap could have the potential for prospects with enterprise size not considering IFS.

Thank you for your support again and kind regards,

Stefan

 

We also require this functionality. This seems like something that should be offered as a basic option out of the box. The use case of a user requiring the ability to see stock in all sites, but only move stock in one site seems very common and straightforward.

Appreciate the expert’s work-arounds. Unfortunately, none of these will work in our situation. Is this on IFS’s radar as a real customer need? Did you find additional solutions @Community.ifs.com/ideas or others in this thread experiencing the same issue?

@CallumW  I noticed you have some pretty good solutions all over these boards. Did you ever figure anything out on this aside from the double license by chance? Or did you actually roll with that as your permanent solution? I figured it was worth asking now that it’s a year later.

Thanks.

Badge

Hi Bridget! We’re evaluating a technical approach called Row-Level-Security (RLS) on our project, which has up- and downsides and technical limits. Please feel free to contact me for more information & contact details of our specialists. This evaluation takes an enormous amount of time. We’re reaching limits and the final result is not available yet. Again, for the efforts I’m recommending an out-of-the-box solution on the core instead - available for everyone. Let’s hope for the best. Thx. Stefan
