System SecurityLesson 10

Security of Organization Branches

Back to S200: SysAdmAdvanced

Lesson 10: Security of Organization Branches

Part 3: System Security

If your organization has multiple branches defined in Acumatica ERP, you may need to control which employees get access to which branches. Because branches share some data, you may also need to control access to the shared data. Acumatica ERP provides user access roles, which you can use to control users’ access to branches, and restriction groups to limit the visibility of shared data. In this lesson, you will learn about ways to manage the security of a branch.

Lesson Objectives You will do the following:

  • Create a branch role
  • Configure branch access roles
  • Create users and assign them to branches | User Access to Branches | 129

User Access to Branches

The most common scenarios of managing the security of company branches are the following:

  • Managing user access to branches: If your organization has multiple branches (and you have created multiple branches inAcumatica ERP), you can configure access to branches for employees who work in these branches.
  • Managing the visibility of data shared between branches: If you need to make data shared between branches (such as General Ledger accounts and subaccounts) visible only within a particular branch, you can use restriction groups to resolve this task.
    User Access to Branches After multiple branches have been defined in the system, you provide access to the branches for users who will work in the system as follows:
  1. You create branch-specific user roles (one role per branch) and assign these roles to user accounts on the User Roles (SM201505) form. To allow a user to access multiple branches, assign to him or her the roles for the branches to which the user should have access.
  2. For each branch, in the Access Role box of the Branches (CS102000) form, you select the user role created for this branch. Once a role is assigned to one of the branches, other branches also must have roles assigned. A branch with no role assigned will be inaccessible to any user.

If a user, based on his or her role, has access to a data entry form where this user enters a document and specifies the branch of origin, only the branches to which the user has access are available on the drop-down list. The users who have access to multiple branches can select the specific branch from the Branches menu on the form’s title toolbar, as shown in the following screenshot, and create documents on behalf of the selected branch. The following screenshot demonstrates a form of the Acumatica ERP instance where a company has multiple branches. The form title bar provides an option to select the organization branch.

Figure: Form title bar

No matter which branch users have access to, users who have access to the following forms, based on their roles, will see and work with all branches (because users configure system objects by using these forms):

  • Inter-Branch Account Mapping (GL101010)
  • Branches (CS102000)
  • Buildings (CS205010)
  • Assignment and Approval Maps (EP205000)
  • Import Company Tree (EP204060) | User Access to Branches | 130
  • Restriction Groups by Branch (GL103020)
  • GL Accounts by Branch Access (GL103040)
  • Subaccounts by Branch Access (GL103060)
    Visibility of Data Within a Branch Branches have some data shared between branches and some data kept as branch-specific. You may need to restrict the visibility of data that is shared but may contain sensitive information, such as General Ledger accounts and subaccounts. With restriction groups you can control which accounts and subaccounts are used with which branch.
 Multiple Branch Support

| Visibility by Branch | 131

Visibility by Branch

If your organization has users who have access to multiple branches, you can use restriction groups to narrow the lists of accounts and subaccounts on data entry forms by branch. With restriction groups set up in this way, users will make fewer mistakes when selecting accounts and subaccounts on data entry forms. For example, suppose that your organization has two branches—the Headquarters office (HQ in the system) and the Regional Sales office (RS). The accounting department processes documents for both branches. To configure the visibility restrictions of accounts and subaccounts by branch, you need to do the following:

  1. You configure user roles for each branch (for example, Branch HQ and Branch RS) and assign both roles to the user accounts of the accountants. With the roles assigned, the accountants will see information for both branches in Acumatica ERP.
  2. To configure the visibility of accounts within branches, you do the following on the GL Accounts by Branch Access (GL103040) form: a. You create two restriction groups of type A (with direct restriction): the HQ Accounts group for the Headquarters office and the RS Accounts group for the Regional Sales office. b. In the HQ Accounts group, you include the Headquarters branch (HQ) and the accounts that should be visible within the HQbranch. c. In the RS Accounts group, you include the Regional Sales branch (RS) and the accounts specific to the RS branch.
  3. To configure the visibility of subaccounts within branches, you do the following on the Subaccounts by Branch Access (GL103060) form: a. You create two restriction groups of type A (with direct restriction): the HQ Subaccounts group for the Headquarters office and the RS Subaccounts group for the Regional Sales office. b. In the HQ Subaccounts group, you include the HQ branch and the subaccounts that should be visible within this branch. c. In the RS Subaccounts group, you include the RS branch and the subaccounts specific to this branch. We do not recommend that you add both accounts and subaccounts in the same restriction groups. If you do, included accounts could not be used with subaccounts other than those also included to the group. After you have configured restriction groups for accounts and branches, or subaccounts and branches, the system will narrow the lists of accounts or the list of subaccounts on data entry forms after a user selects a branch. For example, suppose that an accountant is adding a bill on the Bills and Adjustments (AP30100) form and selects the HQ branch in the Branch column of the Document Details tab. In the Account column of the same tab, the accountant will see only accounts added to the HQ Accounts restriction group. | Step 10.1: Creating a Branch Role | 132

Step 10.1: Creating a Branch Role In this step, you will create a branch role. Perform the following instructions:

  1. Launch the AcumaticaERP application instance by clicking Start > Acumatica > AcumaticaERP.
  2. On the Welcome page of the instance, sign in to Company with the admin username and the 123 password.
  3. Navigate to the Enable/Disable Features form (CS100000; Configuration > Common Settings > Licensing).
  4. Verify that the Multi-Branch Support feature is selected, as shown in the following screenshot. With this feature enabled, you can create and maintain multiple branches in your instance of Acumatica ERP. Actually, you can see that the feature is enabled by having an option to select the organization branch; the branches are already created in the data set used in this training.
       Figure: Multi-Branch Support feature
  5. Navigate to the User Roles form (SM201005; Configuration > User Security > Manage).
  6. Create a new role as follows and save the changes:
  • Role Name: Software Inc Users
  • Description: Software Inc Users
  • Guest Role: Cleared The created group is shown in the screenshot below. | Step 10.1: Creating a Branch Role | 133
    Figure: User Role created
  1. Create a user role as follows and save the changes:
  • Role Name: MyStore Users
  • Description: MyStore Users
  • Guest Role: Cleared
  1. Create a user role as follows and save the changes:
  • Role Name: Eastern Users
  • Description: Eastern Users
  • Guest Role: Cleared
  1. Create a user role as follows and save the changes:
  • Role Name: Western Users
  • Description: Western Users
  • Guest Role: Cleared
    1. Create a user role as follows and save the changes:
  • Role Name: Yogifon Users
  • Description: Yogifon Users
  • Guest Role: Cleared | Step 10.2: Configuring Branch Access Roles | 134

Step 10.2: Configuring Branch Access Roles Perform the following instructions:

  1. Navigate to the Branches form (CS102000; Organization > Organization Structure > Configure).
  2. In the Branch ID box, select SOFT.
  3. On the General Info tab, in the Access Role box, select Software Inc Users.
  4. Save the changes. The role for the SOFT branch is specified, as you can see in the screenshot below.
       Figure: Access role selected for branch
  5. In the Branch ID box, select MYSTORE and in the Access Role box, select MyStore Users, then save the changes.
  6. In the Branch ID box, select EAST and in the Access Role box, select Eastern Users, then save the changes.
  7. In the Branch ID box, select WEST and in the Access Role box, select Western Users, then save the changes.
    1. In the Branch ID box, select YOGIFON and in the Access Role box, select Yogifon Users, then save the changes. | Step 10.3: Creating Users and Assigning Them to Branches | 135

Step 10.3: Creating Users and Assigning Them to Branches Perform the following instructions:

  1. Navigate to the Users form (SM201010; Configuration > User Security > Manage).
  2. Create a new user as follows and save the changes:
  • Login: eastuser
  • Generate Password: Cleared
  • Password: 123
  • First Name: East
  • Last Name: User
  • Email: your email address
  1. On the Roles tab, select the following check boxes and leave all other check boxes cleared:
  • Administrator
  • Eastern Users
  • Internal User The created user is shown in the screenshot below.
        Figure: User Role created
  1. Save the changes. In the same way, you can create users for the other branches.
  2. In the Login box, select the admin user.
  3. On the Roles tab, select the check boxes next to the roles created for branches, as shown in the following screenshot, and save the changes:
  • Eastern Users
  • MyStore Users | Step 10.3: Creating Users and Assigning Them to Branches | 136
  • Software Inc Users
  • Western Users
  • Yogifon Users
    Figure: New roles added for admin
    This gives the admin user access to all branches.
  1. Sign out and sign in back to Company as eastuser with 123 password.
  2. Navigate to the Journal Transactions form (GL301000; Finance > General Ledger > Work Area > Enter).
  3. Verify the following:
  • The branch selector on the form title bar contains only EAST branch, as shown in the following screenshot.
         Figure: Only one branch is available
  • You cannot navigate between transactions by clickingGo to Previous Record and Go to Next Record buttons because all existing transactions belong to another branch.
  1. Navigate to the Vendors form (AP303000; Finance > Accounts Payable > Work Area > Manage) and verify that all vendors can be viewed. | Step 10.3: Creating Users and Assigning Them to Branches | 137
  2. Navigate to the Vendor Summary form (AP401000; Finance > Accounts Payable > Work Area > Explore) and verify there are nothing to view because the transactions all occurred in another branch, as you can see in the following screenshot.
    Figure: Vendor Summary form
  3. Sign out and sign in back to Company as admin with 123 password.
  4. Navigate to the Journal Transactions form (GL301000; Finance > General Ledger > Work Area > Enter).
  5. Verify the following:
  • The branch selector on the form title bar contains all branches, as shown in the following screenshot.
         Figure: All branches available
  • You can navigate between transactions by clickingGo to Previous Record and Go to Next Record buttons.
  1. Navigate to the Vendors form (AP303000; Finance > Accounts Payable > Work Area > Manage) and verify that all vendors can be viewed.
  2. Navigate to the Vendor Summary form (AP401000; Finance > Accounts Payable > Work Area > Explore), select the Software Inc branch and verify there are many transactions, as you can see in the following screenshot. | Step 10.3: Creating Users and Assigning Them to Branches | 138

Figure: Vendor Summary form | Lesson Summary | 139

Lesson Summary

In this lesson, you learned about limiting access to warehouses and inventory items in Acumatica ERP. You also learned about subitem codes and that you can configure subitem restriction groups. Review Questions:

  • In brief, why are branch restrictions important?
  • When the branch restrictions should be used? | Part 4: Implementation and Configuration | 140