Acumatica provides role-based security so you can manage security rights at several levels. In this article we describe a way to provide access to screens without adding them to the menu structure.
Data: SalesDemo demo data from partner portal
Acumatica allows you to set role-based rights by:
- Suites: Finance, Distribution, Configuration, etc.
- Modules: General Ledger, Accounts Payable, etc.
- Screen: any Acumatica screen
- Field: any Acumatica screen
- Field-value levels: using row-level security
There are situations where users may need read-only access to screens or reports in a module because they are referenced from other screens or drill-downs.
If you change access rights in the normal way, the screen will be visible in the menu structure within Acumatica.
Assume we have users who need to enter customer invoices in Accounts Receivable, but should not be able see or access the General Ledger module.
This is quite easy to setup, but in the Financial Details tab of the Invoices and Memos screen (AR301000) there is a link to the GL batch that is created when the invoice is released. We want to grant our users read-only access to this GL batch screen without having the General Ledger appear in the main menu.
In this scenario, the challenge is to setup granular security rights without creating complex security administration.
To implement this, we will perform the following steps:
- Create new role and assign the appropriate security rights.
- Add a duplicate link to your read-only screens or reports in a hidden folder on the site map
- Update the access rights to include the hidden area
These steps can be accomplished in a minute or two. More importantly, this implementation is easy to maintain.
Step 1: Create and assign new role
I this step we create a new role that we can add to our salespeople and assign the appropriate security rights.
- Navigate to the User Roles (Configuration > User Security > User Roles) screen and add a new role. I called it SALESAR.
- Go to access rights by role and select the new role you created.
- Set Finance Suite permission to Granted
- Set Accounts Receivable permission to View Only
- Set Invoices and Memos permission to Insert
- Set Finance Suite permission to Granted
- Navigate to the Users screen and assign this role to the user “williams” in the SalesDemo data.
- After assigning the SALESAR role to our sales person, they can see the Accounts Receivable module, but not
- With these settings, a user with the SALESAR role can see enter invoices, but if the person navigates to the Financial Details tab and clicks the batch number, they receive an error “You have insufficient rights to access object (Journal Entry)”.
- NOTE: the module only appears if the user has access to two or more modules. If the user has access to Accounts Receivable only, then it will not appear. If the user has access to two modules in the Financial Suite, then both will appear.
Step 2: Add a Duplicate Link to your Report or Form in a Hidden Folder
Follow the steps below to add a duplicate link to your read-only screens or reports in a hidden folder on the site map.
- Open the Site Map (SM200520, System -> Customization -> Manage)
- Add the Journal Transactions (GL301000) form to the Hidden folder, as shown in the screen shot. When you add a form to the Hidden folder, it is not displayed in the navigation pane, but you can access it by using the Id or from another form.
Step 3: Assign View-Only Rights to the Screen(s) in the Hidden Folders
When you add a form to the Hidden folder, it is not displayed in the navigation pane, but you can access it by using the Id or from another form. In this step we grant rights to view the screen that we just added to the hidden folder.
- Return to the Access Rights by Role screen, select the SALESAR role, and grant view-only to the Journal Transactions screen you just added.
- Test the change by logging in as williams, navigating to the Invoice and Memos screen, and Clicking the Batch Nbr. link in the Financial Details tab. The screen below shows my result.
- Notice two things: the journal entry appears in view-only mode and the Journal Transactions screen (as well as the General Ledger module) does not appear in the menu.
Acumatica role-based security allows you to define granular usage rights for suites, modules, screens, and fields. As a web-application, Acumatica allows convenient access to related data by drilling down or into from forms and reports.
- Forms examples: Drill into GL transactions from various transactions, drill into sales orders from purchase orders, navigate to CRM data from AR invoices or sales orders, etc.
- Report examples: generic inquiries can drill into other generic inquiries or screens.
The drill down can cross suites or modules. When this happens, users may receive an insufficient rights error when they click a link. If you do not want your users to see this error message, you can (1) hide the offending field using standard access rights or (2) copy the screen to a hidden folder and provide access to it via the hidden folder.
In this article we showed how to perform the second technique so you can provide access to the screen without having the screen appear in Acumatica menus. Have further questions or want to learn about more cool features in Acumatica? Join us for Acumatica Summit 2017 in San Diego January 29 through February 3. I look forward to seeing you there!