Solved

Limit requisition visibility to user



We would like to restrict visibility of Requisitions for a user to only have permission to view their own requisitions (i.e., they cannot see reqs submitted by other users).

Is it possible to do this in Access Rights by Screen?

Best answer by Laura02


5 replies

Laura02
Captain II
  • Captain II
  • 3135 replies
  • Answer
  • October 19, 2023

Hello,

Please vote for your idea here:

https://community.acumatica.com/ideas/restrict-ability-of-requisition-entry-users-to-see-edit-other-users-requisitions-2425

Possibly you could make the Requisition Number field View Only and remove access to paging buttons to prohibit navigation from User’s Own Requisition, using Access Rights by Screen or by User. We can drill into the screen details and grant/revoke individual tabs and fields.

Laura


  • Author
  • Freshman II
  • 129 replies
  • October 19, 2023
Laura02 wrote:

Hello,

Please vote for your idea here:

https://community.acumatica.com/ideas/restrict-ability-of-requisition-entry-users-to-see-edit-other-users-requisitions-2425

Possibly you could make the Requisition Number field View Only and remove access to paging buttons to prohibit navigation from User’s Own Requisition, using Access Rights by Screen or by User. We can drill into the screen details and grant/revoke individual tabs and fields.

 

Thanks Laura, will give it an upvote.


  • Author
  • Freshman II
  • 129 replies
  • July 9, 2024
Laura02 wrote:

Hello,

Please vote for your idea here:

https://community.acumatica.com/ideas/restrict-ability-of-requisition-entry-users-to-see-edit-other-users-requisitions-2425

Possibly you could make the Requisition Number field View Only and remove access to paging buttons to prohibit navigation from User’s Own Requisition, using Access Rights by Screen or by User. We can drill into the screen details and grant/revoke individual tabs and fields.

Laura

Hi Laura,

I’m revisiting this as this issue has reared its head here again. :)

Our purchaser has informed me that in the past, our previous Acumatica admin had (somehow) set access rights so people could only view their own requisitions. Maybe they had accomplished this via access rights, or maybe they rewrote/customized things. I think the latest 23R2 upgrade defaulted us back to the default Requisition behavior.

If anyone has ideas on how to restrict Requisitions visibility so users can only view their own Reqs I’m all ears. :)


aaghaei
Captain II
  • Captain II
  • 1178 replies
  • July 10, 2024

@swartzfeger not sure how you guys have made this work, but I do not believe there is out-of-the-box functionality for this. Possibly you had custom code which is not functioning anymore somehow.

The thing is, even if you put filters on GIs, when you open a record from the GI, you can key in a RefNbr and the platform will load it for you. Also, a user can replace a RefNbr in the URL, hit Enter, and navigate to a record they shouldn’t have access to.

These two are known security issues, even if you manage to limit the GIs somehow, which itself needs some work. So I think the only available options are to either live with these known challenges or customize the engine so unauthorized records are filtered out. I know this for sure because a client of mine was sensitive about their AP Bills and Adjustments, and we ended up customizing both the Bills Primary List and Data Screen for them so that someone who is the Bill Owner (Created or Modified the Bill) or is somehow involved in the Approval Process (Assigned To or Approved By) can see the Bills. I guess you will need a similar customization.
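
A minimal model of the gap described in this reply, as an added example that is not part of the original post and is not Acumatica code: the list filter and the record load are separate code paths, so the visibility rule has to be enforced in both. The record fields, sample data and function names are constructed for illustration; the rule itself (owner or approval participant) is the one the reply describes.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Record:
    # Hypothetical fields mirroring the roles named in the reply, not a real schema.
    ref_nbr: str
    created_by: str
    modified_by: str
    assigned_to: Optional[str] = None
    approved_by: Optional[str] = None

# Constructed sample records.
RECORDS = {r.ref_nbr: r for r in (
    Record("000101", "alice", "alice", assigned_to="carol"),
    Record("000102", "bob", "bob", approved_by="carol"),
    Record("000103", "bob", "alice"),
)}

class AccessDenied(Exception):
    pass

def may_view(user: str, rec: Record) -> bool:
    """Owner (created or modified) or approval participant (assigned to or approved by)."""
    return user in {rec.created_by, rec.modified_by, rec.assigned_to, rec.approved_by}

def list_records(user: str) -> list:
    """Filtered primary list, comparable to a GI restricted to the user's records."""
    return sorted(r.ref_nbr for r in RECORDS.values() if may_view(user, r))

def load_unchecked(user: str, ref_nbr: str) -> Record:
    """Data screen that trusts whatever key it receives; the list filter never runs here."""
    return RECORDS[ref_nbr]

def load_checked(user: str, ref_nbr: str) -> Record:
    """Data screen that repeats the rule on every load, regardless of where the key came from."""
    rec = RECORDS.get(ref_nbr)
    # Same error for "does not exist" and "not yours", so valid numbers are not confirmed.
    if rec is None or not may_view(user, rec):
        raise AccessDenied(ref_nbr)
    return rec
```
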


  • Author
  • Freshman II
  • 129 replies
  • July 10, 2024
aaghaei wrote:

@swartzfeger not sure how you guys have made this work, but I do not believe there is out-of-the-box functionality for this. Possibly you had custom code which is not functioning anymore somehow.

The thing is, even if you put filters on GIs, when you open a record from the GI, you can key in a RefNbr and the platform will load it for you. Also, a user can replace a RefNbr in the URL, hit Enter, and navigate to a record they shouldn’t have access to.

These two are known security issues, even if you manage to limit the GIs somehow, which itself needs some work. So I think the only available options are to either live with these known challenges or customize the engine so unauthorized records are filtered out. I know this for sure because a client of mine was sensitive about their AP Bills and Adjustments, and we ended up customizing both the Bills Primary List and Data Screen for them so that someone who is the Bill Owner (Created or Modified the Bill) or is somehow involved in the Approval Process (Assigned To or Approved By) can see the Bills. I guess you will need a similar customization.

Thanks Reza, that confirms what I’ve found when attempting to filter and my own testing. A user can simply replace the ReqNbr in the URL.

I rewrote a GI to show only the user’s reqs, but then in that case they are unable to submit new reqs -- they still have to go to the default requisitions with full visibility anyway.

Hopefully Acumatica recognizes the importance of this.

