Creating Role-based Security by Function
Authorities by roles are a new way to control user access rights in the M3 Business Engine v14. They answer two questions:
- Which programs is the user authorized to use?
- Which features within a program is the user authorized to use (if authorized to use the program)?
- Roles are introduced to manage authorities for large numbers of M3 users.
- Roles define a set of authorizations in M3 Business Engine.
- By connecting a role to a user, you grant the set of authorizations that the role defines to that user.
- A user can be connected to several roles at the same time.
- Each connection of user and role can have validity dates to enable temporary authorities by roles, such as vacation replacements.
Functions and Programs
- MNS110 has a list of all the functions and programs available in M3, and security settings can be made only on the functions listed here.
Authorities by Roles – Setup per Role and Function
- In the authorities by roles setup (SES400) you define the functions a role is permitted to use in different companies and divisions.
- The authorities by roles setup enables control of authorities by roles for all options (options 1 – 99) and for all function keys.
Authority required field in MNS110
This field determines the security to be applied for the function, based on the following conditions:
- Inactivated (0) means that authorization for the function is checked according to the entries made in (SES400). If no entries exist, the function is considered approved.
- Activated (1) means that authorization for the function is checked according to the entries made in (SES400). An entry must exist for the function. If no entries exist, the function is considered disapproved and restricted for the user.
Authorities by User. Display (SES401)
- In the display authorities by user, you can view the result of the authorities by roles setup.
- The authorities by user file contains one record for each combination of program, user, company and division.
- Note that programs that inherit functional security (see MNS112) are also included in the authorities by roles file.
- The authorities by user file is automatically updated when:
  - A record is created, changed or deleted in the authority setup (SES400).
  - A record is created, changed or deleted in roles per user (MNS410).
  - A record is deleted in roles (MNS405).
  - The system date changes (the authorities by roles are rebuilt, including the validity date check, when auto-job SES900 is started).
How to implement M3 security
- We create a list of users in MNS150.
- We create all the roles in MNS405.
- We connect the users to appropriate roles in MNS410.
- We create entries in SES400 for all roles and functions. Here we define the field-level access, i.e. whether this user has access to that particular field or not.
- SES401 is automatically updated by the backend job SES900 and entries are created for each user and function.
How it works
When a user tries to access a particular program, the following checks are made:
- The Authority required field on the MNS110/E panel is checked for the program being accessed.
  - If it is activated, the user is allowed access only if entries are defined in SES401 for that user and program, and the level of access is determined by the entries in SES401.
  - If it is inactivated, the user is allowed full access if there are no entries in SES401; if there are entries in SES401 for that user and program, access is granted according to the definition.
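The check sequence above, together with the validity-date rebuild, as an added Python model (not M3 code and not part of the original page). The table layouts, sample users, roles and the union of options across roles are assumptions made for illustration; the last function lists the functions that end up open to every user because the Authority required field is 0 and no SES400 entry exists.

```python
from datetime import date

# Constructed sample data; names and layouts are illustrative, not M3 table definitions.
AUTH_REQUIRED = {"PPS200": 1, "MMS001": 0, "CRS610": 0}  # MNS110 flag per function
ROLE_AUTH = {  # SES400: (role, function, company, division) -> permitted options
    ("BUYER", "PPS200", 100, "AAA"): {1, 2, 5},
    ("VIEWER", "CRS610", 100, "AAA"): {5},
}
USER_ROLES = [  # MNS410: (user, role, valid_from, valid_to)
    ("ANNA", "BUYER", date(2024, 1, 1), date(2099, 12, 31)),
    ("BOB", "BUYER", date(2024, 7, 1), date(2024, 7, 31)),  # vacation replacement
    ("BOB", "VIEWER", date(2024, 1, 1), date(2099, 12, 31)),
]

def rebuild_user_auth(today):
    """Model of the SES900 rebuild: one record per user/function/company/division."""
    table = {}
    for user, role, start, end in USER_ROLES:
        if not (start <= today <= end):
            continue  # a connection outside its validity dates grants nothing
        for (r, func, cono, divi), options in ROLE_AUTH.items():
            if r == role:
                # Assumption: options granted by several roles are merged (union).
                table.setdefault((user, func, cono, divi), set()).update(options)
    return table

def check_access(table, user, func, cono, divi, option):
    """Apply the 'How it works' checks; the lookup is per user and program."""
    entry = table.get((user, func, cono, divi))
    if entry is not None:
        return option in entry       # entries exist: access follows the definition
    return AUTH_REQUIRED[func] == 0  # no entries: allowed only when the flag is 0

def default_open_functions():
    """Functions approved for everyone: flag 0 and no SES400 entry at all."""
    configured = {func for (_, func, _, _) in ROLE_AUTH}
    return sorted(f for f, flag in AUTH_REQUIRED.items()
                  if flag == 0 and f not in configured)

if __name__ == "__main__":
    during = rebuild_user_auth(date(2024, 7, 15))
    print(check_access(during, "BOB", "PPS200", 100, "AAA", 2))
    print(default_open_functions())
```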