on 2024 Nov 14 2:38 PM
Greetings, community,
We have a client who wishes to implement specific role restrictions in EHS within their location hierarchy. The objective is to ensure that certain roles have access only to certain sublocations, without any visibility into their parent sites or higher levels in the hierarchy.
We have experimented with authorization groups to enforce these restrictions. However, this approach does not allow for the inclusion of child locations without also granting access to their parent sites.
Can anyone suggest alternative solutions or best practices on how to effectively achieve this configuration within the system? Your insights would be greatly appreciated.
#EHS #locations #authorization #roles #restriction #sublocation
The question you are asking is quite a common question in the implementation of the EHS module/component. Let's start with a small example location structure so that I can explain the approach to the issue in an easier way:
(1) ACME Industries
    (1.1) ACME Europe
        (1.1.1) ACME Germany
            (1.1.1.1) Plant Walldorf
                (1.1.1.1.1) Storage Facility
        (1.1.2) ACME Norway
            (1.1.2.1) Plant Oslo
                (1.1.2.1.1) Storage Facility
    (1.2) ACME Americas
        (1.2.1) ACME Canada
            (1.2.1.1) Plant Vancouver
                (1.2.1.1.1) Production Facility
        (1.2.2) ACME Mexico
            (1.2.2.1) Plant Queretaro
                (1.2.2.1.1) Production Facility
Explanation for the above structure: The location structure is split into the Regions (1.1 ACME Europe and 1.2 ACME Americas), followed by Countries (1.1.1 Germany, 1.1.2 Norway, 1.2.1 Canada, and 1.2.2 Mexico), down to a Plant Level (1.1.1.1 Walldorf, 1.1.2.1 Oslo, 1.2.1.1 Vancouver, and 1.2.2.1 Queretaro).
To start with the setup of the structure, a clear taxonomy of the location types must be set. As an example, (L1) Company - (L2) Region - (L3) Country - (L4) Plant - ... can be used. Therefore, any location at Level 2 will be of type Country. (At lower levels, you might want to be more generic; it could be storage/production/buildings, etc.)
This will solve the first part of your question: We can ensure that a certain group of users only has access to specific levels of the location structure, e.g. starting from a (L4) Plant level.
For the second part of the question, the authorization groups can be used. First, you have to define from which level onward the users shall be authorized. As an example, we again start at an (L4) Plant level. For every branch (starting from plant level), we can configure one authorization group, e.g. authorization group ACME Germany / Walldorf and ACME Norway / Oslo.
In the authorization object EHFND_LOC, you can assign both the location type and the authorization group.
For the higher levels, we usually allow the users to see those. If you don't want them to be visible, you can assign an authorization group there as well, e.g. ACME Germany.
This results in the following location types and authorization groups:
| Level | Location | Location Type | Location Auth. Group |
|---|---|---|---|
| 1 | (1) ACME Industries | Company | ACME |
| 2 | (1.1) ACME Europe | Region | ACME-EURO |
| 3 | (1.1.1) ACME Germany | Country | ACME-EURO-DE |
| 4 | (1.1.1.1) Plant Walldorf | Plant | ACME-EURO-DE-WDF |
| 5 | (1.1.1.1.1) Storage Facility | Facility | ACME-EURO-DE-WDF |
| 3 | (1.1.2) ACME Norway | Country | ACME-EURO-NO |
| 4 | (1.1.2.1) Plant Oslo | Plant | ACME-EURO-NO-OSL |
| 5 | (1.1.2.1.1) Storage Facility | Facility | ACME-EURO-NO-OSL |
| 2 | (1.2) ACME Americas | Region | ACME-AMER |
| 3 | (1.2.1) ACME Canada | Country | ACME-AMER-CA |
| 4 | (1.2.1.1) Plant Vancouver | Plant | ACME-AMER-CA-YVR |
| 5 | (1.2.1.1.1) Production Facility | Facility | ACME-AMER-CA-YVR |
| 3 | (1.2.2) ACME Mexico | Country | ACME-AMER-MX |
| 4 | (1.2.2.1) Plant Queretaro | Plant | ACME-AMER-MX-QRO |
| 5 | (1.2.2.1.1) Production Facility | Facility | ACME-AMER-MX-QRO |
With the above location structure set up and the authorization groups configured, we can create the authorization roles (PFCG):
Now, if we set up an authorization role (PFCG) for plant Walldorf, we put in the location types "Plant" and "Facility". In addition, we put in the authorization group "ACME-EURO-DE-WDF". This will ensure that the user does not see any other locations (siblings and/or parents). If you want the higher-up locations to be visible, you can also assign the respective location types and location authorization groups.
With kind regards,
Michael
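The following simulation is an added example, not part of the answer above and not SAP code: it models the type-plus-group filtering on EHFND_LOC that the answer describes, derives the PFCG authorizations for a branch from the sample structure, and checks that a plant role cannot reach siblings or parents. The real check is an AUTHORITY-CHECK in ABAP; the field names, the role-derivation helper and the "shared storage group" misconfiguration at the end are assumptions constructed for this example.

```python
"""Simulation of the location-type plus authorization-group filtering that
the answer above describes. Illustrative only, not SAP code: the real check
is an AUTHORITY-CHECK on object EHFND_LOC in ABAP. The sample data mirrors
the table above; the field names, the role-derivation helper and the
misconfiguration scenario are constructed for this example."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Location:
    loc_id: str            # number from the example structure, e.g. "1.1.1.1"
    name: str
    parent: Optional[str]  # loc_id of the parent, None for the company root
    loc_type: str          # taxonomy level: Company / Region / Country / Plant / Facility
    auth_group: str        # location authorization group


@dataclass(frozen=True)
class Authorization:
    """One EHFND_LOC authorization instance inside a PFCG role.

    Modelling assumption: an instance grants access only when ALL its
    fields match, i.e. the location type AND the authorization group."""
    loc_types: frozenset
    auth_groups: frozenset

    def allows(self, loc: Location) -> bool:
        return loc.loc_type in self.loc_types and loc.auth_group in self.auth_groups


def build(rows) -> Dict[str, Location]:
    return {r[0]: Location(*r) for r in rows}


# Constructed sample: the structure, types and groups from the table above.
LOCATIONS = build([
    ("1", "ACME Industries", None, "Company", "ACME"),
    ("1.1", "ACME Europe", "1", "Region", "ACME-EURO"),
    ("1.1.1", "ACME Germany", "1.1", "Country", "ACME-EURO-DE"),
    ("1.1.1.1", "Plant Walldorf", "1.1.1", "Plant", "ACME-EURO-DE-WDF"),
    ("1.1.1.1.1", "Storage Facility", "1.1.1.1", "Facility", "ACME-EURO-DE-WDF"),
    ("1.1.2", "ACME Norway", "1.1", "Country", "ACME-EURO-NO"),
    ("1.1.2.1", "Plant Oslo", "1.1.2", "Plant", "ACME-EURO-NO-OSL"),
    ("1.1.2.1.1", "Storage Facility", "1.1.2.1", "Facility", "ACME-EURO-NO-OSL"),
    ("1.2", "ACME Americas", "1", "Region", "ACME-AMER"),
    ("1.2.1", "ACME Canada", "1.2", "Country", "ACME-AMER-CA"),
    ("1.2.1.1", "Plant Vancouver", "1.2.1", "Plant", "ACME-AMER-CA-YVR"),
    ("1.2.1.1.1", "Production Facility", "1.2.1.1", "Facility", "ACME-AMER-CA-YVR"),
    ("1.2.2", "ACME Mexico", "1.2", "Country", "ACME-AMER-MX"),
    ("1.2.2.1", "Plant Queretaro", "1.2.2", "Plant", "ACME-AMER-MX-QRO"),
    ("1.2.2.1.1", "Production Facility", "1.2.2.1", "Facility", "ACME-AMER-MX-QRO"),
])


def ancestors(locations, loc_id) -> List[str]:
    """Parents above loc_id, nearest first."""
    chain, parent = [], locations[loc_id].parent
    while parent is not None:
        chain.append(parent)
        parent = locations[parent].parent
    return chain


def subtree(locations, root_id) -> List[str]:
    """root_id and everything below it."""
    return [l for l in locations if l == root_id or root_id in ancestors(locations, l)]


def branch_role(locations, root_id, show_parents=False) -> List[Authorization]:
    """Derive the PFCG authorizations the answer describes: one instance holding
    the types and groups found from root_id downwards, plus (optionally) a second
    instance for the ancestor levels so the user can navigate to them."""
    branch = [locations[l] for l in subtree(locations, root_id)]
    role = [Authorization(frozenset(b.loc_type for b in branch),
                          frozenset(b.auth_group for b in branch))]
    if show_parents:
        above = [locations[a] for a in ancestors(locations, root_id)]
        role.append(Authorization(frozenset(a.loc_type for a in above),
                                  frozenset(a.auth_group for a in above)))
    return role


def visible(locations, role) -> List[str]:
    """Location ids the role can see: any single instance that allows it suffices."""
    return sorted(l for l, loc in locations.items() if any(a.allows(loc) for a in role))


def leaks(locations, role, root_id, show_parents=False) -> List[str]:
    """Visible ids outside the intended scope: the branch plus, if shown, its parents."""
    scope = set(subtree(locations, root_id))
    if show_parents:
        scope |= set(ancestors(locations, root_id))
    return sorted(set(visible(locations, role)) - scope)


def reassign_group(locations, loc_id, new_group) -> Dict[str, Location]:
    """Copy of the structure with one location moved to another auth group
    (used below to show why a group must not be shared across branches)."""
    changed = dict(locations)
    changed[loc_id] = replace(locations[loc_id], auth_group=new_group)
    return changed


if __name__ == "__main__":
    walldorf = branch_role(LOCATIONS, "1.1.1.1")
    print("Walldorf role sees:", visible(LOCATIONS, walldorf))
    print("...with parents:", visible(LOCATIONS, branch_role(LOCATIONS, "1.1.1.1", True)))
    # Hypothetical misconfiguration: both storage facilities put into one shared group.
    shared = reassign_group(LOCATIONS, "1.1.1.1.1", "ACME-EURO-STORAGE")
    shared = reassign_group(shared, "1.1.2.1.1", "ACME-EURO-STORAGE")
    print("Leak from Walldorf into Oslo's branch:",
          leaks(shared, branch_role(shared, "1.1.1.1"), "1.1.1.1"))
```

The last scenario is the check worth running against a real structure: the isolation only holds because every branch from plant level down carries its own authorization group. Reusing one group for all facilities of a type (here a shared storage group) makes the facility-level authorization match in a sibling branch, and the plant role sees Oslo's storage facility without ever being granted Plant Oslo.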