Important

You are browsing the documentation for version 4.2 of OroCommerce, OroCRM and OroPlatform, which is no longer maintained. Read version 5.1 (the latest LTS version) of the Oro documentation to get up-to-date information.

See our Release Process documentation for more information on the currently supported and upcoming releases.

Access Levels and Ownership (Example)

The following sections provide some insight on how the ACL checks work. It is assumed that there are two organizations, Main Organization and Second Organization. The Main Organization contains the Main Business Unit, Second Organization contains Second Business Unit. Child Business Unit is a subordinate of Second Business Unit. Additionally, the following users have been created:

User

Created in Organization

Created in Business Unit

Assigned to

John

Main Organization

Main Business Unit

  • Main Business Unit

  • Child Business Unit

Mary

Main Organization

Main Business Unit

  • Main Business Unit

  • Second Business Unit

Mike

Second Organization

Child Business Unit

  • Child Business Unit

Robert

Second Organization

Second Business Unit

  • Main Business Unit

  • Second Business Unit

Mark

Second Organization

Second Business Unit

User Ownership

Imagine that each user created two accounts (one in Main Organization and one in Second Organization):

Created by

Main Organization

Second Organization

John

Account A

Account E

Mary

Account B

Account F

Mike

Account G

Account C

Robert

Account H

Account D

Mark

Account I

Account J

../../../_images/user-ownership.png

The users can now access the accounts depending on the organization context they login into as described below:

John

Access Level

Main Organization

Second Organization

User

  • Account A

  • Account E

Business Unit

  • Account A

  • Account B

  • Account H

  • Account E

  • Account C

Division

  • Account A

  • Account B

  • Account H

  • Account E

  • Account C

Organization

  • Account A

  • Account B

  • Account H

  • Account G

  • Account I

  • Account E

  • Account C

  • Account D

  • Account F

  • Account J

Mary

Access Level

Main Organization

Second Organization

User

  • Account B

  • Account F

Business Unit

  • Account B

  • Account A

  • Account H

  • Account F

  • Account D

Division

  • Account B

  • Account A

  • Account H

  • Account F

  • Account D

  • Account C

  • Account E

Organization

  • Account B

  • Account A

  • Account H

  • Account G

  • Account I

  • Account F

  • Account D

  • Account C

  • Account E

  • Account J

Mike

The user Mike cannot login into the Main Organization.

Access Level

Second Organization

User

  • Account C

Business Unit

  • Account C

  • Account E

Division

  • Account C

  • Account E

Organization

  • Account C

  • Account E

  • Account D

  • Account F

  • Account J

Robert

Access Level

Main Organization

Second Organization

User

  • Account H

  • Account D

Business Unit

  • Account H

  • Account A

  • Account B

  • Account D

  • Account F

  • Account E

Division

  • Account H

  • Account A

  • Account B

  • Account D

  • Account F

  • Account E

  • Account C

Organization

  • Account H

  • Account A

  • Account B

  • Account G

  • Account I

  • Account D

  • Account F

  • Account E

  • Account C

  • Account J

Mark

The user Mark cannot login into the Main Organization.

Access Level

Second Organization

User

  • Account J

Business Unit

  • Account J

Division

  • Account J

Organization

  • Account J

  • Account F

  • Account E

  • Account C

  • Account D

Business Unit Ownership

When the ownership type is “Business Unit”, access cannot be granted on the user level. The minimum acccess level is the Business Unit level.

Imagine that the following data has been created:

Account

Organization

Business Unit

Account A

Main Organization

Business Unit A

Account B

Main Organization

Business Unit A

Account C

Second Organization

Business Unit C

Account D

Second Organization

Business Unit B

Account E

Second Organization

Business Unit B

../../../_images/business-unit-ownership.png

The users can now access the accounts as described below:

John

Access Level

Main Organization

Second Organization

Business Unit

  • Account A

  • Account B

  • Account C

Division

  • Account A

  • Account B

  • Account C

Organization

  • Account A

  • Account B

  • Account C

  • Account D

  • Account E

Mary

Access Level

Main Organization

Second Organization

Business Unit

  • Account A

  • Account B

  • Account D

  • Account E

Division

  • Account A

  • Account B

  • Account D

  • Account E

  • Account C

Organization

  • Account A

  • Account B

  • Account D

  • Account E

  • Account C

Mike

The user Mark cannot login into the Main Organization.

Access Level

Second Organization

User

  • Account J

Business Unit

  • Account J

Division

  • Account J

Organization

  • Account J

  • Account F

  • Account E

  • Account C

  • Account D

Robert

Access Level

Main Organization

Second Organization

Business Unit

  • Account A

  • Account B

  • Account C

Division

  • Account A

  • Account B

  • Account C

Organization

  • Account A

  • Account B

  • Account C

  • Account D

  • Account E

Mark

The user Mark cannot login into the Main Organization.

Access Level

Second Organization

User

  • Account J

Business Unit

  • Account J

Division

  • Account J

Organization

  • Account J

  • Account F

  • Account E

  • Account C

  • Account D

Organization Ownership

When the ownership type is “Organization”, access cannot be granted on the user level, the business level or the division level. The minimum acccess level is the Organization level.

Imagine that the following data has been created:

Account

Organization

Account A

Main Organization

Account B

Main Organization

Account C

Second Organization

Account D

Second Organization

Account E

Second Organization

../../../_images/organization-ownership.png

The users can now access the accounts as described below:

John, Mary, Robert

Access Level

Main Organization

Second Organization

Organization

  • Account A

  • Account B

  • Account C

  • Account D

  • Account E

Mike, Mark

The users cannot login into the Main Organization.

Access Level

Second Organization

Organization

  • Account C

  • Account D

  • Account E