Important

You are browsing upcoming documentation for version 5.1 of OroCommerce, OroCRM, and OroPlatform, scheduled for release in March 2023. Read version 5.0 (the latest LTS version) of the Oro documentation to get up-to-date information.

See our Release Process documentation for more information on the currently supported and upcoming releases.

Access Levels and Ownership (Example)

The following sections provide some insight into how the ACL checks work. Suppose there are two organizations, Main Organization and Second Organization. The Main Organization contains the Main Business Unit, Second Organization contains Second Business Unit. Child Business Unit is a subordinate of Second Business Unit. Additionally, the following users have been created:

User	Created in Organization	Created in Business Unit	Assigned to
John	Main Organization	Main Business Unit	Main Business Unit Child Business Unit
Mary	Main Organization	Main Business Unit	Main Business Unit Second Business Unit
Mike	Second Organization	Child Business Unit	Child Business Unit
Robert	Second Organization	Second Business Unit	Main Business Unit Second Business Unit
Mark	Second Organization	Second Business Unit

User Ownership

Imagine that each user created two accounts (one in Main Organization and one in Second Organization):

Created by	Main Organization	Second Organization
John	Account A	Account E
Mary	Account B	Account F
Mike	Account G	Account C
Robert	Account H	Account D
Mark	Account I	Account J

The users can now access the accounts depending on the organization context they login into as described below:

John

Access Level	Main Organization	Second Organization
User	Account A	Account E
Business Unit	Account A Account B Account H	Account E Account C
Division	Account A Account B Account H	Account E Account C
Organization	Account A Account B Account H Account G Account I	Account E Account C Account D Account F Account J

Mary

Access Level	Main Organization	Second Organization
User	Account B	Account F
Business Unit	Account B Account A Account H	Account F Account D
Division	Account B Account A Account H	Account F Account D Account C Account E
Organization	Account B Account A Account H Account G Account I	Account F Account D Account C Account E Account J

Mike

The user Mike cannot log in to the Main Organization.

Access Level	Second Organization
User	Account C
Business Unit	Account C Account E
Division	Account C Account E
Organization	Account C Account E Account D Account F Account J

Robert

Access Level	Main Organization	Second Organization
User	Account H	Account D
Business Unit	Account H Account A Account B	Account D Account F Account E
Division	Account H Account A Account B	Account D Account F Account E Account C
Organization	Account H Account A Account B Account G Account I	Account D Account F Account E Account C Account J

Mark

The user Mark cannot log in to the Main Organization.

Access Level	Second Organization
User	Account J
Business Unit	Account J
Division	Account J
Organization	Account J Account F Account E Account C Account D

Business Unit Ownership

When the ownership type is “Business Unit”, access cannot be granted on the user level. The minimum access level is the Business Unit level.

Imagine that the following data has been created:

Account	Organization	Business Unit
Account A	Main Organization	Business Unit A
Account B	Main Organization	Business Unit A
Account C	Second Organization	Business Unit C
Account D	Second Organization	Business Unit B
Account E	Second Organization	Business Unit B

../../../_images/business-unit-ownership.png

The users can now access the accounts as described below:

John

Access Level	Main Organization	Second Organization
Business Unit	Account A Account B	Account C
Division	Account A Account B	Account C
Organization	Account A Account B	Account C Account D Account E

Mary

Access Level	Main Organization	Second Organization
Business Unit	Account A Account B	Account D Account E
Division	Account A Account B	Account D Account E Account C
Organization	Account A Account B	Account D Account E Account C

Mike

The user Mark cannot log in to the Main Organization.

Access Level	Second Organization
User	Account J
Business Unit	Account J
Division	Account J
Organization	Account J Account F Account E Account C Account D

Robert

Access Level	Main Organization	Second Organization
Business Unit	Account A Account B	Account C
Division	Account A Account B	Account C
Organization	Account A Account B	Account C Account D Account E

Mark

The user Mark cannot log in to the Main Organization.

Access Level	Second Organization
User	Account J
Business Unit	Account J
Division	Account J
Organization	Account J Account F Account E Account C Account D

Organization Ownership

When the ownership type is “Organization”, access cannot be granted on the user, business, or division levels. The minimum access level is the Organization level.

Imagine that the following data has been created:

Account	Organization
Account A	Main Organization
Account B	Main Organization
Account C	Second Organization
Account D	Second Organization
Account E	Second Organization

../../../_images/organization-ownership.png

The users can now access the accounts as described below:

John, Mary, Robert

Access Level	Main Organization	Second Organization
Organization	Account A Account B	Account C Account D Account E

Mike, Mark

The users cannot log in to the Main Organization.

Access Level	Second Organization
Organization	Account C Account D Account E