Skip to main content

We would like to restrict visibility of Requisitions for a user to only have permission to view their own requisitions (ie, they can not see reqs submitted by other users).

Is it possible to do this in Access Rights by Screen?

Hello,

Please vote for your idea here:

Possibly you could make the Requisition Number field View Only and remove access to paging buttons to prohibit navigation from User’s Own Requisition, using Access Rights by Screen or by User. We  can drill into the screen details and grant/revoke individual tabs and fields.

Laura


Hello,

Please vote for your idea here:

Possibly you could make the Requisition Number field View Only and remove access to paging buttons to prohibit navigation from User’s Own Requisition, using Access Rights by Screen or by User. We  can drill into the screen details and grant/revoke individual tabs and fields.

 

Thanks Laura, will give it an upvote.


Hello,

Please vote for your idea here:

Possibly you could make the Requisition Number field View Only and remove access to paging buttons to prohibit navigation from User’s Own Requisition, using Access Rights by Screen or by User. We  can drill into the screen details and grant/revoke individual tabs and fields.

Laura

Hi Laura,

I’m revisiting this as this issue has reared its head here again. :)

Our purchaser has informed me that in the past, our previous Acumatica admin had (somehow) set access rights so people could only view their own requisitions. Maybe they had accomplished this via access rights, or maybe they rewrote/customized things. I think the latest 23R2 upgrade defaulted us back to the default Requisition behavior.

If anyone has ideas on how to restrict Requisitions visibility so users can only view their own Reqs I’m all ears. :)


@swartzfeger not sure how you guys have made this work but I do not believe there is an out-of-the-box functionality. Possibly you had a custom code which is not functioning anymore somehow.

The thing is even if you put filters on GIs, when you open a record from the GI, then you can key in a RefNbr and platform will load it for you. Also a user can replace a RefNbr in the URL and hit the enter and navigate to the record they shouldn’t have access.

These two are known security issues even if you mange to limit the GIs somehow that itself needs some work. So I think the only available options are to either live with these known challenges or customize the engine so un-authorized records are filtered out. I know this for sure because a client of mine were sensitive about their AP Bills and Adjustments and we ended up customizing both the Bills Primary List and Data Screen for them so if someone is the Bill Owner (Created or Modified the Bill) or somehow is involved in Approval Process (Assigned To or Approved By) can see the Bills. I guess you will need a similar customization.


@swartzfeger not sure how you guys have made this work but I do not believe there is an out-of-the-box functionality. Possibly you had a custom code which is not functioning anymore somehow.

The thing is even if you put filters on GIs, when you open a record from the GI, then you can key in a RefNbr and platform will load it for you. Also a user can replace a RefNbr in the URL and hit the enter and navigate to the record they shouldn’t have access.

These two are known security issues even if you mange to limit the GIs somehow that itself needs some work. So I think the only available options are to either live with these known challenges or customize the engine so un-authorized records are filtered out. I know this for sure because a client of mine were sensitive about their AP Bills and Adjustments and we ended up customizing both the Bills Primary List and Data Screen for them so if someone is the Bill Owner (Created or Modified the Bill) or somehow is involved in Approval Process (Assigned To or Approved By) can see the Bills. I guess you will need a similar customization.

Thanks Reza, that confirms what I’ve found when attempting to filter and my own testing. A user can simply replace the ReqNbr in the URL.

I rewrote a GI to show only the user’s reqs, but then in that case they are unable to submit new reqs -- they still have to go to the default requisitions with full visibility anyway.

Hopefully Acumatica recognize the importance of this.


Reply