Denying Access to a Specific Section, Card, or Screen

Issue: Users have permission to sections, cards or screens they should not be able to access.

Troubleshooting Tips:

The user may have inherited access to a screen through an organization unit role, or the user may have been assigned to the wrong role. The role itself can be modified to remove access to that specific screen.

Check the Employee record > TCS > Employee Authorization Information Card to view the policies assigned to an employee, and to determine the role granting access to that policy (screen).

• Deny or Delete the employee role that gives them access to the screen.

  • If the role is assigned to the employee through the Organization Unit screen, the role must be added to the employee Role screen with the access set to Denied.

  • If the role is assigned to the employee through the Roles screen, the existing role can be updated to be Denied.

  • Be sure that the user will still be able to access required screens if the role is removed. Multiple screens and/or functions may be granted to users with a single role.

  • The user can be assigned to another role with the required functionality access.

• An existing non-standard role can be updated to remove access to the screen.

• A new role can be created which has the required access and assigned to the user.

Deny or Delete the employee role that gives them access to the screen:

If the role was assigned to the employee directly, it can be deleted or denied from the Roles screen.

Deleting the Role

1. Search for the employee record and open the Roles screen.

2. Check the box to the left of the role to select it.

3. Click on the Delete Selected button in the Role Actions section in the left pane.

4. The role is removed from the screen.

Denying the Role

1. An alternative method is to open the record by clicking on the folder.

2. Set the Denied field to Yes and save the record.

3. The role is still visible in the employee's Role screen. A check mark is displayed in the Is Denied column to indicate the role is not active for this employee.

If the role was assigned to the employee via the Organization Unit screen, it must be added to the employee record and denied there.

1. Search for the employee record and open the Roles screen.

2. Click on the Add button to add a new role.

3. Search for and select the same inherited role that should be denied.

4. Set the Denied field to Yes.

5. The role is displayed in the employee Role screen. A check mark is displayed in the Is Denied column to indicate the role is not active for this employee.

Update an existing role to remove access to the screen:

1. From Configuration > System, open the Roles screen.

2. Search for and open the role.

3. In the Authorization Policy Hierarchy in the left pane, navigate to the parent level of the policy that needs to be modified. Click on the Remove button to remove the policy from the role. The button changes to Add.