Skip to main content
Solved

How to configure User can restrict to see his only approval documents


Forum|alt.badge.img

Hello Community,

We have configured the Approval Maps for the Bills and Adjustments screen and it is working fine. However, the Approver is currently able to see other documents as well. How can we configure it so that the Approver only sees the documents that require their approval?

 

Any help highly appreciated!!

Best answer by aaghaei

@nsmith51 First activate the “Row-Level Security” in the “Enable/Disable Features” screen and then when it is enabled in your left main navigation panel, you can configure the Restricted Entities and set up the Restriction Profiles. In each of these screens if you click on the help icon (?) on the top right corner of your screen you can read through the help.

The only exception is Company/Branch. for this you will need to set up the User Roles “SM201005” (for example the group of companies that users should have access), assign the users to each Role, and then in Company/Branch screen you select the related “Access Role” for each company. Basically, you are educating the system what is the associated Role to each company and who are the users which are part of the role.

 

View original
Did this topic help you find an answer to your question?

6 replies

Laura02
Captain II
Forum|alt.badge.img+19
  • Captain II
  • 3101 replies
  • March 11, 2023

Hello,

It helps to know whether the approval map is routing the Bills to individual people or to a Workgroup (a node on the Company Tree).

If the approval is routed to individual people, there is a filter “@Me” on the My Approvals tab. If the approval is routed to the WorkGroup, there is a filter on the My WorkGroup tab. If you are using a Work Group then the User will see all approvals for the WorkGroups where she is a member.

Can you show the Rules of the Approval and the Filters on the tabs of Approval PL screen? Thanks.


Forum|alt.badge.img
  • Author
  • Jr Varsity III
  • 45 replies
  • March 11, 2023

Hi @Laura02  Thanks for the response.

But if I try to access the Bill document with DocType and RefNbr in the URL, approver can able to see the other documents as well.

https://InstanceURL/Main?CompanyID=Company&ScreenId=AP301000&DocType=INV&RefNbr=ER00000232

 

How can we restrict this?


aaghaei
Captain II
Forum|alt.badge.img+9
  • Captain II
  • 1169 replies
  • March 11, 2023

The short answer is if a user have access to a screen, you cannot prevent them from opening documents via url. They can open but they cannot perform unauthorized actions on documents. The only possible way to limit the access to some degree is row-level security on some applicable objects like Company, Branch and Vendor.


Forum|alt.badge.img
  • Author
  • Jr Varsity III
  • 45 replies
  • March 12, 2023

@aaghaei Understood. Can you please let me know how can we apply the row level security on Company, Branch and etc


aaghaei
Captain II
Forum|alt.badge.img+9
  • Captain II
  • 1169 replies
  • Answer
  • March 12, 2023

@nsmith51 First activate the “Row-Level Security” in the “Enable/Disable Features” screen and then when it is enabled in your left main navigation panel, you can configure the Restricted Entities and set up the Restriction Profiles. In each of these screens if you click on the help icon (?) on the top right corner of your screen you can read through the help.

The only exception is Company/Branch. for this you will need to set up the User Roles “SM201005” (for example the group of companies that users should have access), assign the users to each Role, and then in Company/Branch screen you select the related “Access Role” for each company. Basically, you are educating the system what is the associated Role to each company and who are the users which are part of the role.

 


nsmith51 wrote:

Hi @Laura02  Thanks for the response.

But if I try to access the Bill document with DocType and RefNbr in the URL, approver can able to see the other documents as well.

https://InstanceURL/Main?CompanyID=Company&ScreenId=AP301000&DocType=INV&RefNbr=ER00000232

 

How can we restrict this?

Took me week or so, but I have achieved something “acceptable” to prevent this.

        public PXApprovalProcessing<EPOwned, Where<True, Equal<True>>, OrderBy<Desc<EPOwned.docDate, Asc<EPOwned.approvalID>>>> Records;

protected virtual void APInvoice_RowSelected(PXCache cache, PXRowSelectedEventArgs e, PXRowSelected del)
        {
            if (del != null)
            {
                del(cache, e);
            }

            APInvoice row = (APInvoice)e.Row;
            if (row == null) return;

            var userName = Base.Accessinfo.UserName;
            var userID = Base.Accessinfo.UserID;

            List<UsersInRoles> userRoles = SelectFrom<UsersInRoles>
                                                .Where<UsersInRoles.username.IsEqual<@P.AsString>>
                                                .View.Select(Base, userName)
                                                .RowCast<UsersInRoles>().ToList();
            EPEmployee userEmployee = SelectFrom<EPEmployee>
                                            .Where<EPEmployee.userID.IsEqual<@P.AsGuid>>
                                            .View.Select(Base, userID);

            List<UsersInRoles> redirect = userRoles.Where(x => x.Rolename == "PURCHASING").ToList();
            List<ApproverEmployee> currentOwnwer = Base.Approval.Select().RowCast<ApproverEmployee>().ToList();


            List<EPOwned> invoices = Records.Select().RowCast<EPOwned>().ToList();

            bool ownsInvoice = invoices.Where(x => x.RefNoteID == row.NoteID).ToList().Count > 0;
            if(!ownsInvoice && Base.Accessinfo.ScreenID != "EP.50.30.10" && row.RefNbr != " <NEW>")

               {

                Base.Clear();
                Base.Document.AllowSelect = false;
                Base.Document.View.Clear();
                Base.Document.Cache.Clear();
                PopupNoteManager.Message = "Access Denied.";
                PopupNoteManager.ShowMessageAfterRedirect();

               }

          }

So… This code does some permission checking, and where the user came from to this Bill.

That in itself took me a while to figure out. The hard part was once a user typed in a URL they are not allowed to see, to get them to a “decent” page. All my PXRedirect attempts ended up on a spinning blue circle. The way here, results in on an Empty Bill that the user can not do anythign with, and a decent pop up, and Acumatica is responsive. 

I hope this is clear and helpful.

.a


Reply


Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings