Question

Security based on data per Company/Site?



We have 1 company that has 3 sites, 2 of the sites are manufacturing locations (site 2100 and 2200) and one is for R&D (site 2300).  We want to limit the folks in R&D to only be able to view the data for the 2 manufacturing sites (2100 and 2200), but have full access to the R&D site (2300).  The data that we need to limit is the Inventory Part, Recipe and Routing.  I know one solution is to give them 2 different logins and set security to limit what they can/can’t do with permission sets and site assignment.  This takes extra user logins (licenses) that I would rather not have to do.  Is there any other way to do this?


19 replies


Dear all!

We have a large project in Germany with a similar issue and would kindly ask for urgent support.

Requirement: Sales Users from different sales offices across Europe shall see the stock inventory at the German site (German site = Head office & main warehouse / main production site). At the same time all other user permissions for all sales users outside Germany need to remain limited to their home company/sites.

Has anyone implemented a solution with two different logins as mentioned above? We’d be highly interested in a knowledge exchange.

We did a lot of research on permissions but haven’t found any practicable solution for our customer’s requirement so far. Does anyone know someone from RnD, Product Management, like a high caliber manager, being able to help? 

Thanks anyone for urgent support!

Best regards,

Stefan

If the requirement only is to see stock levels for parts in other sites you might create custom field(s) for that which bypasses the site security. You can create multiline fields with data from several sites.

If needed, you can add your own security logic to limit which sites the users can see if they shall not see quantity from all sites. Use for example your permission set names to check if the user has access or not.

You can also create Quick Reports of course.

I know this solution might not solve everyone's problem in this thread but if the data you want to see from other sites are limited to only a couple of things it maybe helps.

 

 

Hi Thomas,

Thank you very much for your comment. Our customer is from a high tech industry and desires a professional solution for this key requirement.

Indeed, custom fields would be a technical approach. We believe with 300+ users in implementation phase 1 only, and a number of similar use cases with user permissions overlapping company/sites, this is not practical for our customer (and presumably not wanted).

Who could help me raise management attention for this requirement and get this patched directly in IFS Standard?

→ Please kindly allow me to add a strategic thought: In my opinion company/site-overlapping permissions is a fundamental requirement from any company with multiple locations. Therefore I’d fear this functional gap could have the potential for prospects with enterprise size not considering IFS.

Thank you for your support again and kind regards,

Stefan

 

We also require this functionality. This seems like something that should be offered as a basic option out of the box.  The use case of a user requiring the ability to see stock in all sites, but only move stock in one site seems very common and straight forward. 

Appreciate the expert’s work-arounds. Unfortunately, none of these will work in our situation. Is this on IFS’s radar as a real customer need? Did you find additional solutions @Community.ifs.com/ideas or others in this thread experiencing the same issue?


Hi Thushitha A. Chandrasiri!

Is there any documentation with details for implementation?

Thank you and kind regards,

Stefan

Hi Stefan,

 

Sorry that I have not implemented that solution, so I do not have any documentation. I suggested that based on the custom event functionality in IFS.

Thank you and Best Regards

Thushitha


@KasunBalasooriya

I always thought permissions was effectively

  • here are the things you can do/see
  • here are the companies/sites you can do them for

I wasn’t aware you could split permissions by site so User is able to issue material for shop orders on site 1 but only able to view shop orders on site 2?

 

Linda

Hi Linda,

I stand corrected. Yes you are right.  From a Foundation1 and Technology perspective, it is not possible to restrict data or only show partial data by site, company, etc.  Sorry about the confusion. 
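The model Linda describes, and why it leads to a second login, worked through as an added example (not IFS code and not from any poster). It assumes a simplified model in which a login's effective rights are every granted action on every granted site, uses the site numbers from the original question, and all function names are hypothetical.

```python
from itertools import chain, combinations

ACTIONS = ("view", "modify")
SITES = ("2100", "2200", "2300")

# Requirement from the question: view-only on the manufacturing sites,
# full access on the R&D site.
REQUIRED = frozenset({
    ("view", "2100"), ("view", "2200"),
    ("view", "2300"), ("modify", "2300"),
})

def subsets(items):
    """All non-empty subsets of items."""
    return chain.from_iterable(
        combinations(items, n) for n in range(1, len(items) + 1))

def effective_grants(actions, sites):
    """Assumed model: each granted action applies to each granted site."""
    return frozenset((a, s) for a in actions for s in sites)

def all_logins():
    """Grants of every possible (permission set, site list) pair."""
    return [effective_grants(a, s)
            for a in subsets(ACTIONS) for s in subsets(SITES)]

def over_grant(actions, sites):
    """Rights a login would hold beyond the requirement."""
    return effective_grants(actions, sites) - REQUIRED

def min_logins_needed(required):
    """Fewest logins whose combined grants equal `required` exactly."""
    candidates = [g for g in all_logins() if g <= required]  # no over-grant
    for n in range(1, len(required) + 1):
        for combo in combinations(candidates, n):
            if frozenset().union(*combo) == required:
                return n, combo
    return None, ()

if __name__ == "__main__":
    n, combo = min_logins_needed(REQUIRED)
    print("logins needed:", n)
    for grants in combo:
        print("  ", sorted(grants))
    print("single full-access login over-grants:",
          sorted(over_grant(ACTIONS, SITES)))
```

Under this model no single login matches the requirement, and granting both actions on all three sites adds modify rights on 2100 and 2200, which is the exposure the posters are trying to avoid.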


Hi,

We have exactly the same requirement. I assume most customers using a single global instance have the reality of many companies and sites with complex organisational structures. A practical and pragmatic approach is having different user rights per site and/or company for one employee. 

The only way to manage this technically is having at least two or even several users per employee, according to his job description and responsibilities in his default company/site and other companies / sites.

This is an old requirement, and IFS Rnd is fully aware of this limitation for a long time.

Having different users for different companies might even be an advantage in modules other than Finance and HR.

Users in Finance and HR select a company to work in, which needs to be switched intentionally on demand. That means, the user does not get a mix of data from different companies.

Users in Supply Chain modules, that have granted several companies / sites, need to be fully aware that a simple query might bring data from different companies / sites. Therefore, some of our employees with different responsibilities in different companies / sites prefer to have different users for the different dedicated companies / sites.

From this perspective, the discussed solution is a workaround for the requirement described.  For sure it is not compatible with many other things like “single sign on”.

From a legal perspective, it should be pretty simple to have a definition like “One employee requires one license, but can be assigned multiple users in the application” (based on the workaround solution).

Johannes.


Hi @jrauh ,

 

Since this is not possible in a global way through permissions, you can use custom events to restrict access to specific users, so that the events will prevent those users from performing specific operations or creating/changing records in specific sites. I know that it is not possible to do for every action on every logical unit since it requires so many events, but at least we can restrict business critical actions. And I think, if we can create the events and event actions in an organized way, it can be made more efficient. We may need one or two custom pages to define some basic data (sites and users relationship which should be restricted, etc.).

I have 1 company (201) and 3 sites (2100, 2200, 2300) under the company.  The R&D folks should only be able to change/add/delete data from site 2300 (R&D site), but will need to see the data in 2100 & 2200 (MFG sites).   The R&D Site does not have the information that is currently in our MFG sites (this data is maintained by a different group in the organization).  I know I can do it with 2 users per person, but this is a hit on my licensing, which I would prefer to avoid.

We experience the same issue in our company. Definitely following this thread.

Yeah, we have the same issue - we begrudgingly have to use two licenses for certain users

@CallumW  I noticed you have some pretty good solutions all over these boards. Did you ever figure anything out on this aside from the double license by chance? Or did you actually roll with that as your permanent solution? I figured it was worth asking now that it’s a year later.

Thanks.

 

Hi Bridget! We’re evaluating a technical approach called Row-Level-Security (RLS) on our project, which has up- and downsides and technical limits. Please feel free to contact me for more information & contact details of our specialists. This evaluation takes an enormous amount of time. We’re reaching limits and the final result is not available yet. Again, for the efforts I’m recommending an out-of-the-box solution on the core instead - available for everyone. Let’s hope for the best. Thx. Stefan

Hi @jrauh ,

Can you please explain why you would need 2 different logins for each user? I’m assuming you have set up the company using the IFS company set-up and then set up the sites under that company.

If this is how you have set up the application, you should be able to grant the sites to the users and then handle the window access through permission sets like you have already noted.  

For DB authentication only the IFS licence is affected, but when we want to use Azure AD authentication with MFA it causes many problems with two accounts for the same user. Also Custom Objects/Events are not suitable for range area of application access.

There is no pretty good solution. For previous version of IFS9 we made BP customization to meet this requirement but for IFS10 Aurena Framework is outside of this.

Dear Community,

please see and vote this idea:

Different data rights over different companies | IFS Community

 

BR

@Community.ifs.com/ideas  I don’t believe we’re quite ready for such an undertaking related to the function at this time. I may reach out in the future though and see how things are going, appreciate the offer. If we had an out-of-the-box solution, we’d implement it today so the need is definitely there. The time and resources are not at the moment for a massive undertaking, unfortunately. Thanks for leading the charge, Stefan! 
