Important
You are browsing the documentation for version 4.2 of OroCommerce, OroCRM and OroPlatform, which is no longer maintained. Read version 5.1 (the latest LTS version) of the Oro documentation to get up-to-date information.
See our Release Process documentation for more information on the currently supported and upcoming releases.
Access Levels and Ownership (Example)
The following sections provide some insight into how the ACL checks work. It is assumed that there are two organizations, Main Organization and Second Organization. The Main Organization contains the Main Business Unit, and the Second Organization contains the Second Business Unit. Child Business Unit is a subordinate of Second Business Unit. Additionally, the following users have been created:
User | Created in Organization | Created in Business Unit | Assigned to |
---|---|---|---|
John | Main Organization | Main Business Unit | |
Mary | Main Organization | Main Business Unit | |
Mike | Second Organization | Child Business Unit | |
Robert | Second Organization | Second Business Unit | |
Mark | Second Organization | Second Business Unit | |
User Ownership
Imagine that each user created two accounts (one in Main Organization and one in Second Organization):
Created by | Main Organization | Second Organization |
---|---|---|
John | Account A | Account E |
Mary | Account B | Account F |
Mike | Account G | Account C |
Robert | Account H | Account D |
Mark | Account I | Account J |
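The organization context and the access level can be modelled together as a filter over the accounts above. This is an added example, not Oro's implementation. It assumes the usual level semantics (User: own records; Business Unit: records owned by users assigned to the same units; Division: the same plus subordinate units; Organization: every record in the current organization) and, because the "Assigned to" column is empty on this page, a constructed assignment of each user to the unit they were created in.

```python
ORGS = ("Main Organization", "Second Organization")

# Business unit -> (organization, parent unit), as described on the page.
UNITS = {
    "Main Business Unit": (ORGS[0], None),
    "Second Business Unit": (ORGS[1], None),
    "Child Business Unit": (ORGS[1], "Second Business Unit"),
}
# ASSUMPTION (constructed): each user is assigned only to the unit they were created in.
ASSIGNED = {
    "John": {"Main Business Unit"}, "Mary": {"Main Business Unit"},
    "Mike": {"Child Business Unit"}, "Robert": {"Second Business Unit"},
    "Mark": {"Second Business Unit"},
}
# From the page: creator -> letters of the accounts created in (Main, Second) Organization.
CREATED = {"John": "AE", "Mary": "BF", "Mike": "GC", "Robert": "HD", "Mark": "IJ"}
# From the page: Mike and Mark cannot log in to the Main Organization.
NO_LOGIN = {("Mike", ORGS[0]), ("Mark", ORGS[0])}


def subtree(unit):
    """Return the unit together with all of its subordinate units."""
    found = {unit}
    for name, (_, parent) in UNITS.items():
        if parent == unit:
            found |= subtree(name)
    return found


def visible_accounts(user, org, level):
    """Accounts the user can see in the given organization context at the given level."""
    if (user, org) in NO_LOGIN:
        return set()
    # The organization context filters first: records of other organizations never match.
    owners = {f"Account {pair[ORGS.index(org)]}": who for who, pair in CREATED.items()}
    if level == "Organization":
        return set(owners)
    if level == "User":
        return {acc for acc, who in owners.items() if who == user}
    units = {u for u in ASSIGNED[user] if UNITS[u][0] == org}
    if level == "Division":
        units = set().union(*(subtree(u) for u in units))
    elif level != "Business Unit":
        raise ValueError(f"unknown access level: {level}")  # deny unknown levels
    peers = {who for who, assigned in ASSIGNED.items() if assigned & units}
    return {acc for acc, who in owners.items() if who in peers}
```

Under these assumptions, a user with no business unit in the current organization sees nothing at the Business Unit and Division levels, even for records they created there.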
The users can now access the accounts depending on the organization context they log in to, as described below:
John
Access Level | Main Organization | Second Organization |
---|---|---|
User | | |
Business Unit | | |
Division | | |
Organization | | |
Mary
Access Level | Main Organization | Second Organization |
---|---|---|
User | | |
Business Unit | | |
Division | | |
Organization | | |
Mike
The user Mike cannot log in to the Main Organization.
Access Level | Second Organization |
---|---|
User | |
Business Unit | |
Division | |
Organization | |
Robert
Access Level | Main Organization | Second Organization |
---|---|---|
User | | |
Business Unit | | |
Division | | |
Organization | | |
Mark
The user Mark cannot log in to the Main Organization.
Access Level | Second Organization |
---|---|
User | |
Business Unit | |
Division | |
Organization | |
Business Unit Ownership
When the ownership type is “Business Unit”, access cannot be granted on the user level. The minimum access level is the Business Unit level.
Imagine that the following data has been created:
Account | Organization | Business Unit |
---|---|---|
Account A | Main Organization | Business Unit A |
Account B | Main Organization | Business Unit A |
Account C | Second Organization | Business Unit C |
Account D | Second Organization | Business Unit B |
Account E | Second Organization | Business Unit B |
The users can now access the accounts as described below:
John
Access Level | Main Organization | Second Organization |
---|---|---|
Business Unit | | |
Division | | |
Organization | | |
Mary
Access Level | Main Organization | Second Organization |
---|---|---|
Business Unit | | |
Division | | |
Organization | | |
Mike
The user Mike cannot log in to the Main Organization.
Access Level | Second Organization |
---|---|
User | |
Business Unit | |
Division | |
Organization | |
Robert
Access Level | Main Organization | Second Organization |
---|---|---|
Business Unit | | |
Division | | |
Organization | | |
Mark
The user Mark cannot log in to the Main Organization.
Access Level | Second Organization |
---|---|
User | |
Business Unit | |
Division | |
Organization | |
Organization Ownership
When the ownership type is “Organization”, access cannot be granted on the user level, the business unit level or the division level. The minimum access level is the Organization level.
Imagine that the following data has been created:
Account | Organization |
---|---|
Account A | Main Organization |
Account B | Main Organization |
Account C | Second Organization |
Account D | Second Organization |
Account E | Second Organization |
The users can now access the accounts as described below:
John, Mary, Robert
Access Level | Main Organization | Second Organization |
---|---|---|
Organization | | |
Mike, Mark
The users cannot log in to the Main Organization.
Access Level | Second Organization |
---|---|
Organization | |