Solved

Prevent SO Invoice release by Access Rights




 

I have Access Rights by Role set up. I’m trying to find where to prevent the release of SO Invoices and AR invoices by this role. I have set “Revoked” on every “Release” I can find related to invoices and can’t seem to get it.

Best answer by Laura02


Robert Sternberg
Captain II

Hi @travislawson, follow the steps below to remove access.

 

Navigate to Access Rights by Screen

In the folder structure find:

  • Sales Orders
    • Invoices
      • AR Invoice/Memo
        • Release

Set the role needing the restriction to ‘Revoked’ 

 

Hope this helps!


Laura02
Captain II
  • October 27, 2023

Hello @travislawson ,

I’m following @Robert Sternberg’s answer, because I want to understand the steps for next time.

I’d like to add a little more detail because it was a bit tricky to get this to work, even knowing Robert’s steps. 🤔 

Robert suggested → Laura Added:

In the folder structure find:

  • Sales Orders → Set this Level to GRANTED
    • Invoices → Set this Level to DELETE
      • AR Invoice/Memo → Set this Level to DELETE
        • Release → Set this Level to REVOKED

Good luck,

 

Laura


Robert Sternberg
Captain II

Thanks @Laura02 for adding some clarity (and color)! In case anyone is wondering why you need to set each level: it is built into Acumatica’s access right structure.

To become more specific at lower levels, “Inherited” must not be present at higher levels; at higher levels you must explicitly set an Access Right (Granted, Revoked, Delete, Edit, or View Only).

In our example that means Sales Orders, Invoices, and AR Invoice/Memo levels must be explicit and not “Inherited” to allow for Release to be explicitly set to Revoked.

 

Access rights are tricky and take some practice. Laura had a great test setup where a new role of “No Release SO Invoice” was created specifically to test this function.

 

Also, please keep in mind that when you set an access right at the Action/Field level it takes precedence over other roles. Acumatica’s typical structure is “give the user the most permissions available to them based on their assigned roles”; that no longer applies and switches to “give the user the most specific permissions available to their assigned roles” when you add access rights at this lowest level.



Thank you @Robert Sternberg and @Laura02. Worked perfectly and I think I have a better understanding of the permissions.


Robert Sternberg wrote:

Also, please keep in mind that when you set an access right at the Action/Field level it takes precedence over other roles. Acumatica’s typical structure is “give the user the most permissions available to them based on their assigned roles”; that no longer applies and switches to “give the user the most specific permissions available to their assigned roles” when you add access rights at this lowest level.

 

 

Wanted to expand on this a little.  I have a user that has two roles.  One role had the specific permissions to prevent the release of the SO Invoice but the other had Invoices set as Delete and everything else left inherited.  It did block them from releasing the invoice.  I had to dive down into the hierarchy and set them specifically to allow them to release the invoice. 

Odd behavior in a way since it was inherited.  Shouldn’t seem like I would have to do it so granular to reverse the Revoked on the other role. 

 

 


Robert Sternberg
Captain II

@travislawson Hi Travis, yes, what you experienced is expected. When Access Rights are assigned at a more granular level, the inherited label on other roles is equivalent to ‘not set’. This is a little tricky and I believe there have been some Acumatica ‘ideas’ in the past on how to display this nuance.

Definitely takes practice; use the ‘Access Rights by User’ screen and test roles until you are comfortable. My personal advice is to limit the usage of granular roles at the Field/Action level to prevent the ongoing maintenance of Access Rights.

Hope this helps!
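
Added example (not part of the thread and not Acumatica code): a simplified Python model of the resolution rules as the posts above describe them, run on the two-role case from the thread. The rank table, the role names `clerk` and `clerk_fixed`, and the choice that the most permissive explicit setting wins among roles that set the same level are assumptions of this model.

```python
# Simplified model of the rules described in this thread; not Acumatica code.
RANK = {"Revoked": 0, "View Only": 1, "Edit": 2, "Delete": 3, "Granted": 3}

SO = ("Sales Orders",)
INV = SO + ("Invoices",)
MEMO = INV + ("AR Invoice/Memo",)
RELEASE = MEMO + ("Release",)

def missing_ancestors(role, path):
    """Levels above `path` that are still Inherited (absent) in this role."""
    return [path[:i] for i in range(1, len(path)) if path[:i] not in role]

def nearest_explicit(role, path):
    """Closest explicit setting at or above `path` in one role, else None."""
    for i in range(len(path), 0, -1):
        if path[:i] in role:
            return role[path[:i]]
    return None

def effective(roles, path):
    """Resolve the right a user gets on `path` from all assigned roles."""
    explicit = [r[path] for r in roles if path in r]
    if explicit:
        # Most specific wins: roles that leave `path` Inherited are ignored.
        return max(explicit, key=RANK.get)
    # Nobody set this level: the most permissive inherited right applies.
    inherited = [lvl for r in roles if (lvl := nearest_explicit(r, path))]
    return max(inherited, key=RANK.get) if inherited else None

# Constructed roles mirroring the thread.
no_release = {SO: "Granted", INV: "Delete", MEMO: "Delete", RELEASE: "Revoked"}
clerk = {INV: "Delete"}  # hypothetical second role, everything else Inherited
clerk_fixed = {SO: "Granted", INV: "Delete", MEMO: "Delete", RELEASE: "Granted"}

if __name__ == "__main__":
    print(effective([clerk], RELEASE))                    # clerk role alone
    print(effective([no_release, clerk], RELEASE))        # both roles assigned
    print(missing_ancestors(clerk, RELEASE))              # levels to make explicit
    print(effective([no_release, clerk_fixed], RELEASE))  # after the granular fix
```
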

