Important

You are browsing documentation for version 5.0 of OroCommerce, OroCRM, and OroPlatform, maintained until August 2024 and supported until March 2026. Read version 5.1 (the latest LTS version) of the Oro documentation to get up-to-date information.


Access Levels and Ownership (Example) 

The following sections provide some insight into how the ACL checks work. Suppose there are two organizations, Main Organization and Second Organization. Main Organization contains Main Business Unit, and Second Organization contains Second Business Unit. Child Business Unit is a subordinate of Second Business Unit. Additionally, the following users have been created:

| User | Created in Organization | Created in Business Unit | Assigned to |
|---|---|---|---|
| John | Main Organization | Main Business Unit | Main Business Unit, Child Business Unit |
| Mary | Main Organization | Main Business Unit | Main Business Unit, Second Business Unit |
| Mike | Second Organization | Child Business Unit | Child Business Unit |
| Robert | Second Organization | Second Business Unit | Main Business Unit, Second Business Unit |
| Mark | Second Organization | Second Business Unit | |

User Ownership 

Imagine that each user created two accounts (one in Main Organization and one in Second Organization):

| Created by | Main Organization | Second Organization |
|---|---|---|
| John | Account A | Account E |
| Mary | Account B | Account F |
| Mike | Account G | Account C |
| Robert | Account H | Account D |
| Mark | Account I | Account J |

[Figure: user-ownership.png]

The users can now access the accounts depending on the organization context they log in to, as described below:

John 

| Access Level | Main Organization | Second Organization |
|---|---|---|
| User | Account A | Account E |
| Business Unit | Account A, Account B, Account H | Account E, Account C |
| Division | Account A, Account B, Account H | Account E, Account C |
| Organization | Account A, Account B, Account H, Account G, Account I | Account E, Account C, Account D, Account F, Account J |

Mary 

| Access Level | Main Organization | Second Organization |
|---|---|---|
| User | Account B | Account F |
| Business Unit | Account B, Account A, Account H | Account F, Account D |
| Division | Account B, Account A, Account H | Account F, Account D, Account C, Account E |
| Organization | Account B, Account A, Account H, Account G, Account I | Account F, Account D, Account C, Account E, Account J |

Mike 

The user Mike cannot log in to the Main Organization.

| Access Level | Second Organization |
|---|---|
| User | Account C |
| Business Unit | Account C, Account E |
| Division | Account C, Account E |
| Organization | Account C, Account E, Account D, Account F, Account J |

Robert 

| Access Level | Main Organization | Second Organization |
|---|---|---|
| User | Account H | Account D |
| Business Unit | Account H, Account A, Account B | Account D, Account F, Account E |
| Division | Account H, Account A, Account B | Account D, Account F, Account E, Account C |
| Organization | Account H, Account A, Account B, Account G, Account I | Account D, Account F, Account E, Account C, Account J |

Mark 

The user Mark cannot log in to the Main Organization.

| Access Level | Second Organization |
|---|---|
| User | Account J |
| Business Unit | Account J |
| Division | Account J |
| Organization | Account J, Account F, Account E, Account C, Account D |
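
The User Ownership tables above, modelled as an added example (not part of the Oro documentation or the OroPlatform code). The resolution rule is an assumption inferred from the John, Mary, Mike and Mark tables: the Business Unit level adds records owned by users who share one of the current user's business units inside the current organization, and the Division level also includes subordinate units. All identifiers are hypothetical.

```python
# Added model of the User Ownership example; the resolution rule is an assumption.
BU_ORG = {"Main BU": "Main", "Second BU": "Second", "Child BU": "Second"}
PARENT = {"Child BU": "Second BU"}   # Child BU is subordinate to Second BU
HOME_ORG = {"John": "Main", "Mary": "Main", "Mike": "Second",
            "Robert": "Second", "Mark": "Second"}        # "Created in Organization"
ASSIGNED = {"John": {"Main BU", "Child BU"}, "Mary": {"Main BU", "Second BU"},
            "Mike": {"Child BU"}, "Robert": {"Main BU", "Second BU"},
            "Mark": set()}                                # "Assigned to"
# account -> (owner, organization), from the "Created by" table
ACCOUNTS = {"A": ("John", "Main"), "E": ("John", "Second"),
            "B": ("Mary", "Main"), "F": ("Mary", "Second"),
            "G": ("Mike", "Main"), "C": ("Mike", "Second"),
            "H": ("Robert", "Main"), "D": ("Robert", "Second"),
            "I": ("Mark", "Main"), "J": ("Mark", "Second")}
LEVELS = ("User", "Business Unit", "Division", "Organization")

def can_log_in(user, org):
    """Assumed: a user reaches their home org plus orgs of assigned units."""
    return org == HOME_ORG[user] or any(BU_ORG[b] == org for b in ASSIGNED[user])

def with_subordinates(units):
    """Expand a set of business units with everything below them."""
    out = set(units)
    while True:
        extra = {c for c, p in PARENT.items() if p in out} - out
        if not extra:
            return out
        out |= extra

def visible(user, org, level):
    """Accounts the user can see in `org` at the given access level."""
    if level not in LEVELS:
        raise ValueError(f"unknown access level: {level}")
    if not can_log_in(user, org):
        raise PermissionError(f"{user} cannot log in to {org}")
    in_org = {a for a, (_, o) in ACCOUNTS.items() if o == org}
    if level == "Organization":
        return in_org
    owners = {user}                       # own records are always included
    if level != "User":
        units = {b for b in ASSIGNED[user] if BU_ORG[b] == org}
        if level == "Division":
            units = with_subordinates(units)
        owners |= {u for u, bus in ASSIGNED.items() if bus & units}
    return {a for a in in_org if ACCOUNTS[a][0] in owners}

if __name__ == "__main__":
    for lvl in LEVELS:
        print("Mary / Second /", lvl, sorted(visible("Mary", "Second", lvl)))
```

Robert's Business Unit row on the page also lists Account E, which this assumed rule does not yield.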

Business Unit Ownership 

When the ownership type is “Business Unit”, access cannot be granted on the user level. The minimum access level is the Business Unit level.

Imagine that the following data has been created:

| Account | Organization | Business Unit |
|---|---|---|
| Account A | Main Organization | Business Unit A |
| Account B | Main Organization | Business Unit A |
| Account C | Second Organization | Business Unit C |
| Account D | Second Organization | Business Unit B |
| Account E | Second Organization | Business Unit B |

[Figure: business-unit-ownership.png]

The users can now access the accounts as described below:

John 

| Access Level | Main Organization | Second Organization |
|---|---|---|
| Business Unit | Account A, Account B | Account C |
| Division | Account A, Account B | Account C |
| Organization | Account A, Account B | Account C, Account D, Account E |

Mary 

| Access Level | Main Organization | Second Organization |
|---|---|---|
| Business Unit | Account A, Account B | Account D, Account E |
| Division | Account A, Account B | Account D, Account E, Account C |
| Organization | Account A, Account B | Account D, Account E, Account C |

Mike 

The user Mark cannot log in to the Main Organization.

| Access Level | Second Organization |
|---|---|
| User | Account J |
| Business Unit | Account J |
| Division | Account J |
| Organization | Account J, Account F, Account E, Account C, Account D |

Robert 

| Access Level | Main Organization | Second Organization |
|---|---|---|
| Business Unit | Account A, Account B | Account C |
| Division | Account A, Account B | Account C |
| Organization | Account A, Account B | Account C, Account D, Account E |

Mark 

The user Mark cannot log in to the Main Organization.

| Access Level | Second Organization |
|---|---|
| User | Account J |
| Business Unit | Account J |
| Division | Account J |
| Organization | Account J, Account F, Account E, Account C, Account D |

Organization Ownership 

When the ownership type is “Organization”, access cannot be granted on the user, business unit, or division levels. The minimum access level is the Organization level.

Imagine that the following data has been created:

| Account | Organization |
|---|---|
| Account A | Main Organization |
| Account B | Main Organization |
| Account C | Second Organization |
| Account D | Second Organization |
| Account E | Second Organization |

[Figure: organization-ownership.png]

The users can now access the accounts as described below:

John, Mary, Robert 

| Access Level | Main Organization | Second Organization |
|---|---|---|
| Organization | Account A, Account B | Account C, Account D, Account E |

Mike, Mark 

The users cannot log in to the Main Organization.

| Access Level | Second Organization |
|---|---|
| Organization | Account C, Account D, Account E |