Overview of Security and Access Profiles

Note: Administrator permissions are required to work with security and access profiles forms.

For information about security and access profiles, click the following links or use the scroll bar to scan the page.

Profile Descriptions	Hierarchy Security Example
Profile Assignments for User Login Accounts	Default Entity-Dependent Security Profile Functionality
Security Information Work Flow

Profile Descriptions

Profiles define what information in the software a user is permitted to access. The level of authorization depends on the software capabilities a user needs to view or edit authorized data. Security is set up at the Essential module-level and at the entity-level with the following profiles:

General Security profile—determines what authorization level (read, update, add, delete) a user has to entity-independent security objects (typically forms and reports) and elements (form sections and fields) for a module.
Entity-Dependent Security profile—determines what authorization level a user has to entity-dependent security objects and elements for a module.

Tip: The minimum level of authorization, i.e., Read permissions, must be granted to a security object or element in order for it to be available to a user. For example, if no permissions are granted for the Entity Compliance Owner security object, the field will not be displayed on the Enterprise Entity form. If no permissions have been assigned to the Materials object, a link to the Material form will not appear in the Navigation Tree. When all of the objects in one of the folders in the Navigation Tree are not granted permissions, the entire folder will not be displayed.

Entity Access profile—identifies which entities a user can access.
Hierarchy Security profile—defines the authorization level a user has to entity-dependent security objects and elements at each entity that can be accessed. For example, a user can be assigned Full Access authorization at Entity A and Read Only permissions at Entity B. (See Hierarchy Security Example.) The default authorization level specified is assigned to new entities and used to identify available entity-dependent security objects and elements.

Profile Assignments for User Login Accounts

Security and access profiles are assigned to users on the User Manager form, where a user's login account is created. Set up and assign profiles that accurately reflect your enterprise and a user need only log into Essential with a single user ID and password to have the appropriate permissions at all applicable entities. Entity Access, General Security, and Hierarchy Security profiles are specified on the User Manager form as follows:

Just one Entity Access profile can be assigned to a user login account. Therefore, Entity Access profiles should contain all of the entities a user needs access to for all modules. (Hierarchy Security profiles can be established to grant privileges to a subset of these entities for each module.)
For each module that applies to a user login account, one General Security profile must be assigned. It is used to determine the entity-independent security objects and elements available to a user. Apply the same General Security profile for all modules or establish different ones.
For each module that applies to a user login account, one Hierarchy Security profile must be assigned. Apply the same Hierarchy Security profile to all modules or establish different ones. Hierarchy Security profiles associate a module and Entity Access profile with Entity-Dependent Security profiles. An Entity-Dependent Security profile can be assigned to one or more entities in the Entity Access profile. Use different Entity-Dependent Security profiles to grant different levels of authorization at different entities. A user will not have access to any entities that have not been assigned an Entity-Dependent Security profile. Specify a default Entity-Dependent Security profile for new Enterprise Entities associated with the Entity Access profile.

The default Entity-Dependent Security profile specified in the Hierarchy Security profile is also used to determine the entity-dependent security objects available to a user. The minimum authorization level, Read permissions, is required for a security object/element to be available. When your Hierarchy Security profile involves multiple Entity-Dependent Security profiles, the default Entity-Dependent Security Profile must contain at least Read permissions for every security object/element with permissions in the other Entity-Dependent Security profiles. If there are not at least Read permissions assigned in the default profile, the security objects/elements will not be available to the user regardless of the authorization granted in the other profiles. Refer to Hierarchy Security Example for more details about default Entity-Dependent Security profile designations.

Tip: The User Manager form provides an option to grant the user Administrative privileges; i.e., access to all the forms in the Administration folder in the Navigation Tree. Security profiles do not apply to administrative privileges.

Security Information Work Flow

Due to data interdependencies (e.g., Enterprise Entities must exist to set up Entity Access profiles), a suggested sequence for establishing security information is provided below.

General Security profiles
Entity-Dependent Security profiles
Enterprise Entities
Entity Access profiles
Hierarchy Security profiles
Contacts (and Contact Types if applicable)
User login accounts

It is strongly recommended that you use security profiles to protect the integrity of your database by limiting the access of certain users to important or sensitive information, such as the Material or Contacts and Personnel forms.

Hierarchy Security Example

This example describes how different levels of user authorization can be set up for different entities using a Hierarchy Security profile. The effects of the default Entity-Dependent Security profile designation are discussed following the hierarchical security setup.

Assume that, for the Compliance Manager module, your "Operations" user group needs Full Access privileges for "Entity A" and Read Only privileges for "Entity B". The following profiles have been established:

PROFILE	PROFILE NAME
General Security	Global
Entity-Dependent Security	1. Full Access Authorization 2. Read Only Privileges
Entity Access	Western Region Includes the following entities: Entity A Entity B Entity C

First, establish a Hierarchy Security profile called Compliance Operations.

Specify the Compliance Manager module and the Western Region Entity Access profile.
Assign the Full Access Authorization Entity-Dependent Security profile to "Entity A" and the Read Only Privileges Entity-Dependent Security profile to "Entity B".

Next, establish a user login account for each member of the "Operations" group.

Assign the Western Region Entity Access profile to the user.
Specify the Global General Security profile and the Compliance Operations Hierarchy Security profile for the Compliance Manager module.

Users in the "Operations" user group now have Full Access permissions to "Entity A" data and Read Only permissions for "Entity B" data in the Compliance Manager module. (Users do not have authorization to "Entity C" data because the entity was not associated with an Entity-Dependent Security profile in the Compliance Operations Hierarchy Security profile.)

Default Entity-Dependent Security Profile

If the Full Access Authorization Entity-Dependent Security profile is specified as the default for the Compliance Operations Hierarchy Security profile, any new entities, e.g., "Entity D", associated with the Western Region Entity Access profile would automatically be assigned the Full Access Authorization profile.

The default Entity-Dependent Security profile also determines which entity-dependent security objects and elements are available to a user. The minimum authorization level, Read permissions, is required for a security object/element to be available. For example, if no permissions are granted for the Enterprise Entity form, it will not be displayed as a link in the Navigation Tree.

When your Hierarchy Security profile involves multiple Entity-Dependent Security profiles, the default Entity-Dependent Security Profile must contain at least Read permissions for every security object/element with permissions in the other Entity-Dependent Security profiles assigned to entities, e.g., Full Access Authorization and Read Only Privileges in the example. If there are not at least Read permissions assigned in the default profile, the security objects/elements will not be available to the user regardless of the authorization granted in the other profiles. As illustrated in the example below, although the Full Access Authorization and Read Only Privileges profiles grant authorization to the Entity Compliance Owner security object, the Compliance Owner field will not appear on Enterprise Entity forms because no permissions have been assigned to the security object in the Default profile.

	Entity-Dependent Security Profile Permissions
Security Object	Default	Full Access Authorization	Read Only Privileges
Enterprise Entity Type	R	R, U, A, D	R
Enterprise Entity	R, U, A	R, U, A, D	R
Entity Compliance Owner		R, U, A, D	R
[R = Read, U = Update, A = Add, D = Delete]