Important

You are browsing upcoming documentation for version 6.0 of OroCommerce, OroCRM, and OroPlatform, scheduled for release in 2024. Read version 5.1 (the latest LTS version) of the Oro documentation to get up-to-date information.

See our Release Process documentation for more information on the currently supported and upcoming releases.

Access Levels and Ownership (Example)

The following sections provide some insight into how the ACL checks work. Suppose there are two organizations, Main Organization and Second Organization. Main Organization contains Main Business Unit, and Second Organization contains Second Business Unit. Child Business Unit is a subordinate of Second Business Unit. Additionally, the following users have been created:

| User | Created in Organization | Created in Business Unit | Assigned to |
|---|---|---|---|
| John | Main Organization | Main Business Unit | Main Business Unit, Child Business Unit |
| Mary | Main Organization | Main Business Unit | Main Business Unit, Second Business Unit |
| Mike | Second Organization | Child Business Unit | Child Business Unit |
| Robert | Second Organization | Second Business Unit | Main Business Unit, Second Business Unit |
| Mark | Second Organization | Second Business Unit | |

User Ownership

Imagine that each user created two accounts (one in Main Organization and one in Second Organization):

| Created by | Main Organization | Second Organization |
|---|---|---|
| John | Account A | Account E |
| Mary | Account B | Account F |
| Mike | Account G | Account C |
| Robert | Account H | Account D |
| Mark | Account I | Account J |

[Figure: user-ownership.png]

The users can now access the accounts depending on the organization context they log in to, as described below:

John

| Access Level | Main Organization | Second Organization |
|---|---|---|
| User | Account A | Account E |
| Business Unit | Account A, Account B, Account H | Account E, Account C |
| Division | Account A, Account B, Account H | Account E, Account C |
| Organization | Account A, Account B, Account H, Account G, Account I | Account E, Account C, Account D, Account F, Account J |

Mary

| Access Level | Main Organization | Second Organization |
|---|---|---|
| User | Account B | Account F |
| Business Unit | Account B, Account A, Account H | Account F, Account D |
| Division | Account B, Account A, Account H | Account F, Account D, Account C, Account E |
| Organization | Account B, Account A, Account H, Account G, Account I | Account F, Account D, Account C, Account E, Account J |

Mike

The user Mike cannot log in to the Main Organization.

| Access Level | Second Organization |
|---|---|
| User | Account C |
| Business Unit | Account C, Account E |
| Division | Account C, Account E |
| Organization | Account C, Account E, Account D, Account F, Account J |

Robert

| Access Level | Main Organization | Second Organization |
|---|---|---|
| User | Account H | Account D |
| Business Unit | Account H, Account A, Account B | Account D, Account F, Account E |
| Division | Account H, Account A, Account B | Account D, Account F, Account E, Account C |
| Organization | Account H, Account A, Account B, Account G, Account I | Account D, Account F, Account E, Account C, Account J |

Mark

The user Mark cannot log in to the Main Organization.

| Access Level | Second Organization |
|---|---|
| User | Account J |
| Business Unit | Account J |
| Division | Account J |
| Organization | Account J, Account F, Account E, Account C, Account D |
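
The access-level resolution behind the User Ownership tables above, as an added Python model that is not Oro code. It assumes that Business Unit level means records owned by users assigned to the same business unit in the current organization and that Division also includes subordinate units; `visible`, `lineage` and the dictionaries are hypothetical names.

```python
# Constructed model of the page's user-ownership scenario (not Oro code).
BU_ORG = {"Main BU": "Main", "Second BU": "Second", "Child BU": "Second"}
PARENT = {"Child BU": "Second BU"}  # Child BU is subordinate to Second BU
ASSIGNED = {
    "John": {"Main BU", "Child BU"}, "Mary": {"Main BU", "Second BU"},
    "Mike": {"Child BU"}, "Robert": {"Main BU", "Second BU"}, "Mark": set(),
}
# Organizations each user can log in to, as stated on the page.
LOGIN = {"John": {"Main", "Second"}, "Mary": {"Main", "Second"},
         "Robert": {"Main", "Second"}, "Mike": {"Second"}, "Mark": {"Second"}}
# account -> (owning user, organization the record lives in)
ACCOUNTS = {
    "A": ("John", "Main"), "E": ("John", "Second"),
    "B": ("Mary", "Main"), "F": ("Mary", "Second"),
    "G": ("Mike", "Main"), "C": ("Mike", "Second"),
    "H": ("Robert", "Main"), "D": ("Robert", "Second"),
    "I": ("Mark", "Main"), "J": ("Mark", "Second"),
}
LEVELS = ("User", "Business Unit", "Division", "Organization")

def lineage(bu):
    """Return bu followed by its chain of parent business units."""
    chain = [bu]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def visible(user, org, level):
    """Accounts `user` can see in `org` when granted `level` (assumed rules)."""
    if level not in LEVELS:
        raise ValueError(f"unknown access level: {level}")
    if org not in LOGIN[user]:
        return set()  # no organization context, so nothing is visible
    in_org = {a: owner for a, (owner, o) in ACCOUNTS.items() if o == org}
    if level == "Organization":
        return set(in_org)
    own = {a for a, owner in in_org.items() if owner == user}
    if level == "User":
        return own
    # Only business units of the current organization count.
    units = {b for b in ASSIGNED[user] if BU_ORG[b] == org}
    if level == "Division":  # add every unit subordinate to the user's units
        units = {b for b in BU_ORG if units & set(lineage(b))}
    peers = {u for u, bus in ASSIGNED.items() if bus & units}
    return own | {a for a, owner in in_org.items() if owner in peers}

if __name__ == "__main__":
    for lvl in LEVELS:
        print(lvl, sorted(visible("Mary", "Second", lvl)))
```

Under these assumed rules the model reproduces the John, Mary, Mike and Mark tables. For Robert at Business Unit level in Second Organization it returns Account D and Account F, while the table above also lists Account E.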

Business Unit Ownership

When the ownership type is “Business Unit”, access cannot be granted on the user level. The minimum access level is the Business Unit level.

Imagine that the following data has been created:

| Account | Organization | Business Unit |
|---|---|---|
| Account A | Main Organization | Business Unit A |
| Account B | Main Organization | Business Unit A |
| Account C | Second Organization | Business Unit C |
| Account D | Second Organization | Business Unit B |
| Account E | Second Organization | Business Unit B |

[Figure: business-unit-ownership.png]

The users can now access the accounts as described below:

John

| Access Level | Main Organization | Second Organization |
|---|---|---|
| Business Unit | Account A, Account B | Account C |
| Division | Account A, Account B | Account C |
| Organization | Account A, Account B | Account C, Account D, Account E |

Mary

| Access Level | Main Organization | Second Organization |
|---|---|---|
| Business Unit | Account A, Account B | Account D, Account E |
| Division | Account A, Account B | Account D, Account E, Account C |
| Organization | Account A, Account B | Account D, Account E, Account C |

Mike

The user Mark cannot log in to the Main Organization.

| Access Level | Second Organization |
|---|---|
| User | Account J |
| Business Unit | Account J |
| Division | Account J |
| Organization | Account J, Account F, Account E, Account C, Account D |

Robert

| Access Level | Main Organization | Second Organization |
|---|---|---|
| Business Unit | Account A, Account B | Account C |
| Division | Account A, Account B | Account C |
| Organization | Account A, Account B | Account C, Account D, Account E |

Mark

The user Mark cannot log in to the Main Organization.

| Access Level | Second Organization |
|---|---|
| User | Account J |
| Business Unit | Account J |
| Division | Account J |
| Organization | Account J, Account F, Account E, Account C, Account D |

Organization Ownership

When the ownership type is “Organization”, access cannot be granted on the user, business unit, or division levels. The minimum access level is the Organization level.

Imagine that the following data has been created:

| Account | Organization |
|---|---|
| Account A | Main Organization |
| Account B | Main Organization |
| Account C | Second Organization |
| Account D | Second Organization |
| Account E | Second Organization |

[Figure: organization-ownership.png]

The users can now access the accounts as described below:

John, Mary, Robert

| Access Level | Main Organization | Second Organization |
|---|---|---|
| Organization | Account A, Account B | Account C, Account D, Account E |

Mike, Mark

The users cannot log in to the Main Organization.

| Access Level | Second Organization |
|---|---|
| Organization | Account C, Account D, Account E |