Levels
The Levels feature (part of Segregation of Duties) enables the user to administer User access down to an individual record level.
The Level is a numeric value between 1 and 9999, 1 being the highest level of access. This gives the flexibility to deal with even the most complex administrative requirements.
Levels are controlled by settings within Security Profiles and within individual Records.
Users are given Levels by the Profile to which they are attached.
Records can either be left with the default Level of 0 (no Level control) or can be given a Level > 0, which will restrict the usage of that record to Users with specific Levels.
If a record has Level 0 (no Levels control), all Users can view edit and delete that record, subject to module access permissions.
Every time a User (with a Level) attempts to access a record (with a Level), the system compares their Level to the record’s Level to determine whether the user is allowed to view or use that record.
The Next and Previous buttons on the record window are disabled to prevent the User from moving to records to which they do not have access.
Can view and amend an individual record’s Level via the Info button on the main record window.
It would be impractical to administer Levels on a record-by-record basis, therefore Levels are specified within Security Profiles.
Within a Security Profile, when looking at Records, specify two default Levels: the Enter/Amend Level which will be assigned to all records entered by Users with this Profile and the Work with Level which is referred to when Users with this Profile are processing Transactions.
Both levels apply to records.
The Work with level must be higher in seniority than the Enter/Amend level.
If attempting to enter a Work with a level that is lower in seniority than the Enter level, the system displays a warning and does not allow the user to continue.
Only the Work with level applies to transactions.
For example, may assign Level 1 to company directors and the system administrator, thereby giving them access to all records. Then you may assign Level 10 to the next most senior members of the team and continue to increase the Levels by increments of 10 as the users become more junior.
Users will be able to Enter/Amend or Work with all records with the Level specified in their Security Profile and those that are numerically greater.
There is also an Exact option to specify that users can only work with records which exactly match their level. If this is set, then both the Enter/Amend and Work with levels must be the same.
Other Considerations...
What happens when, for example, a Customer’s default Analysis Code carries a Level numerically less than that of the User entering a sales transaction?
E.g. Customer 20, Sales Analysis 10, User’s Work with 20.
This presents the situation whereby the User is authorised to work with the Customer record, but not with the Analysis record. In this situation, the system retains the default Analysis Code but, if the user attempts to specify a different Analysis Code, the system will only allow them to use an Analysis Code with a Level at or numerically greater than their own (or at their own Level only if the Exact option has been selected).
Setting up Levels
Levels are not required - all records will be assigned Level 0 if no levels are set up, thereby allowing full access to all users with the appropriate module access permissions.
If Levels are to be used, only the System Administrator and Directors would be given Enter/Amend Level of 1, as they are the only users with full access to all the records. Then Level 0 becomes a global Level where if a record has Level 0 everyone can see it.
The next most senior staff may be given a Level of 10. Then Levels are increased by increments of 10 as they become more junior.
The system then begins to work as shown below, (ignoring Enter/Amend and Work With for now). A tick indicates that the User can use the record.
USER LEVEL IN PROFILE
RECORD LEVEL
User 1 Customer Level 20
N: Customer 1 - Level 10
Y: Customer 2 - Level 20
Y: Customer 3 - Level 30
Y: Customer 4 - Level 40
User 1 Supplier Level 30
N: Supplier 1 - Level 10
N: Supplier 2 - Level 20
Y: Supplier 3 - Level 30
Y: Supplier 4 - Level 40
User 1 Analysis Level 40
N: Analysis 1 - Level 10
N: Analysis 2 - Level 20
N: Analysis 3 - Level 30
Y: Analysis 4 - Level 40
Set up Profile Levels
Levels are set up on each Security Profile and therefore apply to all Users assigned to that Profile.
To set up a Security Profile:
Select Security Profiles and the Security Profiles window will be displayed.
Click on the Maximise button on the screen to ensure that the whole window is visible.
Initially, this will be blank, either browse to an existing Profile and use the Duplicate button to copy the settings to a new Profile.
Alternatively, click on Insert.
Enter a Code and Description for the new Profile. Note: It is a good idea to first set up default Levels for this Profile.
Click on the Level Defaults button.
Enter the appropriate Levels in the Enter/Amend (Records) and Work with (Transactions) fields.
Either set the default levels to Apply to all Modules, or manually select the modules to which the Levels need to apply.
If the Levels of records are already set within the security profile, these settings will overwrite any existing settings on the selected modules.
It’s possible to specify the Levels to be Exact - this limits the user to only those records which exactly match the level specified here.
These settings will be applied to all records in the selected modules, overriding any individual record settings.
These can then be altered individually, as described below.
Click on OK to save these settings and apply the Levels specified to the selected modules.
Set the Default Options top of the Security Profiles window to either Full, View or No Access.
Set the Default Menu items to either Enabled or Disabled as required. This selection can also be made before clicking on the Insert button.
In the Menu and Options area, set the rights for each Module and function within them.
Clicking on a Module in the Menu list (such as Sales Ledger) lists the functions within the Module.
Clicking on a function lists the sub-functions within that element.
Clicking on a sub-function will list the individual items that can be controlled.
When working with Records, the Levels currently assigned to them are shown and additional fields are displayed at the bottom of the window so that its possible to set Enter/Amend and Work With Levels (and select Exact if required), on a record by record basis, rather than by Module (in the Level Defaults described above).
Then click on OK to save the changes.
Can insert a Profile and adjust the defaults later.
Once a User has been assigned to a Profile, logging in as that User will invoke the settings currently set for that Profile.
Set up Record levels
Each record within the system can have Level attributes.
This information is on the window displayed by the Info button on the record screen.
If not specifically entered, they will default to the User’s Enter Level from their Profile.
Alternatively, the User can enter any value that is equal to their level or is numerically greater manually. If Exact has been specified, then they can only enter a value equal to their level.
If a record is given a Level of 0, this will allow anyone to use it, there will be no Level control over its use.
Note: Only a User with no Levels can insert a record with a Level of 0, so if this is required, a special Profile will be required whose Levels are left blank.
These attributes will be used when the User tries to view or edit a record, or process transactions that involve that record.
Transaction processing
Entry of transactions is naturally controlled by the User having rights (view, edit or create) to Work With the relevant records (i.e. to raise a Sales Order for a Stock item, you need rights for Customer and Stock records and rights for Sales Analysis records).
For processing transactions from Batch, you need the rights to the primary record.
Examples
Customer permissions for updating Sales Orders and Receipts.
Supplier permissions for updating Purchase Orders and Payments.
Nominal Records permissions for updating Journals
Projects permissions for updating Time Sheets.
Processing from Batch specifically does not segregate by say Resource, Sales Analysis or Purchase Analysis.
Stock Takes and Sub Analysis Transfer will also apply for the User’s Work With list for the main Stock Record but will also only show Sub Analysis records which the User has permission to work with via their Security Level.
Assembly Stock records and all the included Component records must be within a User’s Stock Record Work With list.
Special notes about Defaults
The system has ‘default’ settings for Bank, Sales, Purchase and Discount Analysis. These may be currency or Stock Record dependent.
The ruling for how these work with Levels is:
The system delivered defaults (i.e. where entered by the system and NOT typed in by the user or selected from a tab-off list) fall OUTSIDE the Levels control.’
An example of how this may affect a user is as follows:
The Customer record has been set-up without a specific bank default analysis.
The default Bank Analysis record has no Level set against it as it was entered by the Accountant and he has chosen not to apply a Level.
On the detail line of the transaction entry, the Admin staff are required to use a Sales Bank Analysis, the system ‘delivers’ the default.
At this stage, the operator can simply accept that default and tab past, in which case Level verification is not performed. Should the user tab off for a Code or type a Code in (even if it is the default that is typed in) Levels will apply and in this example entry would not be permitted to that account.
In this example, if it were thought to be a problem, a second Bank Sales Analysis could be set up in a different setting.
If a record’s Code is entered on another record as a default setting, e.g. Sales Analysis on the Stock Selling Price table, then it is assumed to have a Level of 0 (i.e. can be seen by all Users).
However when processing a Transaction using, for example, a Stock record, if the Analysis Code (correctly entered by the system as the default to use), is then changed, altered, edited, deleted etc., in any way, the subsequent popup for the Analysis Code will be the User’s restricted list.
The system delivered defaults include all types of defaults where the system is recommending the Analysis code – this may be coming from the Customer Record, the System Control, the currency record, the Stock Record etc.
Default Levels
Note: Dimensions Only - This feature is not available in Dimensions Lite.
It is a good idea when setting up a Security Profile to first set up default Levels.
Select the Level Defaults button, the default Levels window will be displayed:
Enter the appropriate Levels in the Enter/Amend (Records) and Work with (Transactions) fields.
A Level of 0 can be entered, this means that there will be no Levels control. Note: The Users given this Security Profile can view, edit and delete any record subject to module access permissions.
Enter a Level > 0 to restrict Users with this profile to records with specific Levels. Every time a User attempts to access a record, that contains a Level, the system compares their Security Profile Level to the Level held on the record to determine whether the User is allowed to view or use that record.
Either set the default levels to Apply to all Modules, or manually select the modules to which you want the Levels to apply.
If the Levels of records within the Security Profile have been set already, these settings will overwrite any existing settings on the selected modules.
You can specify Levels to be Exact - this limits the user to only those records which exactly match the level specified here.
These settings will be applied to the selected modules in this Profile, overriding any individual settings. These can then be altered individually.
Click on OK to save these settings and apply the Levels specified to the selected modules in this Profile.
Additional Notes
On entry to the Security Profile, all fields and windows are blank.
Selection of an existing Profile and pressing the Edit button shows modules which are available and/or unavailable by means of a green tick or Red Cross.
Insertion of a new Profile without setting the defaults will result in all menus, submenus and options being disabled/unavailable. All modules are shown in a tree structure format.
Clicking on the text next to the tick or cross will expand the options.
Following assignment of a User to the Profile, that User’s options would be applicable the next time they logged onto Accounts.