Troubleshooting Authorization Role Assignments
When using the system, it may become apparent that certain users do not have the proper access to the system required for their job. They may not be able to view a specific screen and/or they may not have the needed level of permission to functionality. Conversely, they may have access to screens and/or levels of functionality they should not have. The following pages provide information to help resolve these issues.
-
Users may need assignments to more roles in addition to the ones they inherit through the Organization Unit screen.
-
All the roles and policies currently assigned to an employee can be viewed on
. -
Roles can be assigned directly to an employee through the Roles screen in the employee record. For more information, see Steps for Adding an Employee-Level Role.
-
-
Users may need to have an assigned role deleted or denied. Roles assigned directly to the employee through their employee record can be deleted or denied. Roles inherited through the organization unit need to be re-assigned directly in the employee record and then denied there. For more information, see Steps for Deleting/Denying an Employee-Level Role
-
An existing (non-Standard) role may need to be updated to change the access level or functionality. Remember that any changes to a role will update the access for all employees assigned to that same role. Standard roles cannot be edited- a new role must be created and modified.
-
A new role may need to be created if none of the existing roles meet the needs for a particular user or groups of users. New roles can be created by adding a role or by replicating an existing role that has most of the required attributes, and then modifying it to change the access. A replicated role can also be replicated again, and modified to create another role with different attributes. For more information, see Steps for Adding a New Authorization Role and Steps for Replicating an Authorization Role.
Note
For authorization to be granted for any policy of the system, all necessary permissions must exist in one role. For example, there cannot be Read access on one role with the desired data access, but Edit access on another role which does not have the desired data access. Otherwise, the users will only have read access.
Note
When troubleshooting any type of authorization issue, the first step is to treat each role as if it were the only role to grant the user access to the feature, and then investigate the issue from that standpoint.
Related Reports and Screens:
The following reports/screens can also be used to troubleshoot issues with roles. Reports are located under
. Click on the links below for more information on the report and a screen print of the report:
This report shows all assigned policies for a given authorization role, and the levels of access for each policy. |
|
This report shows all the assignment roles and the users/employees assigned to that role. |
|
This report lists all the roles that grant access to a specific policy, including non-standard roles. The individual roles displayed in this report can be expanded to list the details of the policy. |
|
This report lists the policy differences between two selected authorization roles. |
|
This report lists the authorization policy information for the specified employee, indicating the level of access to each of the screens/fields allowed to the employee. |
|
This report lists policies where access is given to a screen or policy, but not to the "parent" policy. The parent policy is a policy that is listed at a higher structure level in the Role Authorization Control Hierarchy tree. Users may not be able to get to the screen they have permission to. |
|
This report shows edits made to authorization assignment data during the indicated date range. Information includes new assignments and edits to assignments for roles. Note This report is listed on the Audit card. |
|
This screen shows the roles currently assigned to an employee. It also displays the policies assigned to an employee and the roles granting access to the policies. |
The following topics are available on this page: Authorization to Approve, Deny, or Cancel a Request Denying Access to a Specific Section, Card, or Screen Granting Access to a Required Screen Setting Access to a Specific Field on a Record Setting Read, Create, Edit, and/or Delete Access to Records Setting Supervisor Approval Requirements of Employee-Submitted Transactions |
The following related topics are available: Steps for Adding a New Authorization Role |