Operator Groups
Exploring
Things you can do in this program include:
- Add a new operator group
- Maintain an existing operator group
- Copy an existing operator group
- Delete an existing operator group
Starting
You can restrict operator access to activities within a program (configured using the Operator Maintenance program).
- Changing the group to which an operator belongs does not affect that operator's existing access rights to Activities (Operator Maintenance).
- If the BOM Access to Structure & Routings operator activity is set to Denied (Operator Maintenance), then the operator won't be able to access the Structures and Routings program, regardless of your settings against the IMP012 (Structures and Routings) program here.
You can restrict operator access to the fields within a program (configured using the Operator Maintenance program).
- Changing the group to which an operator belongs does not affect the operator's existing access rights to Fields (Operator Maintenance).
You can restrict operator access to programs by assigning them to groups and applying access control against the group (configured using the Operator Groups program).
-
Operators assigned to a system administrator group have unrestricted access to the entire SYSPRO system and are not restricted by any program access. This applies across all companies.
When adding a group without system administrator rights, access defaults to being denied to all non-browse programs and Browse only access is ticked for all Browse programs.
- Denying a group of operators access to a program that appears in more than one module, effectively denies access to the program in all modules.
-
Where browse and maintenance programs are split into two programs, each has its own security access settings.
You need to consider this when setting the security for the maintenance program, as a situation could arise where the operator doesn't have access to the Browse program, but can run the maintenance program using the Run a Program function ( ).
So, if you want to deny access to the maintenance program, you need to set access to the Browse program as Browse only and access to the maintenance program as Denied.
When you allow full access to the browse program, then the Add, Change, Delete and other maintenance functions are enabled.
In addition, when the corresponding maintenance program is called, no further security checks are performed (i.e. calling the maintenance program from the browse program enables the Add, Change, Delete and other maintenance functions in the maintenance program without other program security checks).
-
When program access is defined by role (Role Program Access Maintenance) then only the Security options are applied from this program.
When an operator is part of a group that has System Administrator rights, the role settings are not applied to that operator.
For any module against which the option to automatically Post GL journals to the General Ledger is enabled (Setup Options > General Ledger Integration > General Ledger Codes) the security settings defined for the GL Integration programs are ignored by the system.
The sub-module journals are automatically posted by the following programs, even if the operator is denied access to these programs:
- AP Invoice GL Integration
- AP Payments GL Integration
- AR Invoice GL Integration
- AR Payments GL Integration
- Cash Book GL Integration
- Inventory GL Integration
- GRN GL Integration
- Asset GL Integration
- Trade Promotions GL Integration
- WIP Part Billings GL Integration
- WIP Labor GL Integration
Operators who are denied access to these programs won't be able to run them manually.
Solving
There are a number of scenarios that will prevent you from deleting a group:
- Operators are still linked to the group.
- The group is defined as a sub group for an operator (in which case you would need to remove the group from all operator sub groups).
The Allowed to logout users functionality is only available when allowed against the primary group of the operator (i.e. the logout hyperlinks are not available to sub groups).
Using
If an operator is attached to more than one group, then access is first verified against the primary group and then against each subgroup:
For non-browse programs:
-
If access is set to Allowed in any group, then the operator can run the program.
-
If access is set to Denied in all groups, then the operator cannot run the program.
For browse programs
-
If access is set to Allowed in any group, then the operator can run the program.
-
If access is set to Browse only in any group (and access is not set to Allowed against the program in any group) then the operator can view the information in the browse program, but cannot maintain it.
-
If access is set to Denied in all groups, then the operator cannot run the program.
-
Assigning access to programs in the Security Access pane can be done one program at a time, or for multiple programs.
Use the CTRL+mouse click or SHIFT+down arrow/up arrow keyboard controls to highlight a selection of programs.
Right-click the mouse on your highlighted selection to display a context menu that lets you allow/deny access to the programs.
The context menu also lets you set job logging on/off for all programs.
Referencing
Indicate the operator group you want to maintain.
This indicates the operator group code you entered.
This indicates the description for the operator group code.
This indicates whether you want to link a group of operators to a specific language code which lets you display text of standard SYSPRO reports in the language linked to that code.
{None} indicates that you don't require this feature.
This indicates that the operators assigned to this group have unrestricted access to the entire SYSPRO system.
This lets you indicate whether operators assigned to this group can log out users from the system.
This only applies to an operator's primary group, therefore the logout function is not available to any operator's sub groups.
This pane lets you assign program access levels for operators assigned to the group.
Details of SYSPRO modules and programs are displayed in an editable list view.
This grants operators in the group full access to all programs.
This denies operators in the group access to all programs (e.g. useful if you want to grant operators access to only a few of the programs in the list view. Then you can select the individual programs to which you want to grant the operators in the group full or browse-only access).
By default, Browse only access is enabled for a program to which full access has been denied.
This toggles the display of modules and their related programs in ascending or descending order in the list view.
This indicates the program code.
This indicates that the operators within the group have full access to the program, including access to the maintenance functions on browse programs.
The Job logging required option is automatically enabled if you have enabled the Job logging required setup option (Setup Options > Company > Options).
If you don't select this option, then operators within the group don't have access to the program and cannot run the program. However, for Browse type programs you can still give operators Browse only access.
This indicates that the program is a browse program.
Browse programs typically display information for key fields such as suppliers, customers, ledger codes, banks, currencies, stock codes, etc.
From the setup type browse programs, you can also select to maintain the information.
This indicates that the program is a non-browse program.
Non-browse programs typically enable you to process transactions, set options and perform functions such as paying a supplier, invoicing a customer, performing a stock take, etc
This indicates the module in which the program resides.
This indicates the program description.
This indicates whether the operators within the group have access to viewing information in the browse program only.
You can enable this option only if Yes is displayed in the Browse column for the program.
Access to the maintenance functions (e.g. add, change, delete) is disabled.
This indicates whether job logging is enabled for the group for that program.
Job logging can only be enabled if the Job logging required setup option is enabled (Setup Options > Company > Options) and you selected Allow Access against the program.