Employees and access

Everything for the employee setup is under Configuration and Employee Setup. You will need most of the items there, but start with the groups you want to have, and after that the access control rules you want to put in place for them. It's convenient to start with an Employee group and put more specialized groups below it. Start by adding the Employee group, then add the next one under it, for example Administration, setting its parent group to Employee. You can have as many levels of groups as you want. The group structure is used for access, so it's worth spending some time thinking about it.

Then go to Access control list and add a rule. Begin with a rule for the top-level Employee group: set the Access to Allow and pick anything that you want everyone in the system to be able to use. Employees and Employees logged in are relatively safe in most environments, as an example of what everyone can see.

Then save and add another rule, picking one of your real groups. Let's say we pick Administration and give it access to see Customers and all related items under that. Keep going for all rules.

Now add the employees and set the appropriate group for each. If you set the group to Administration, the added employee will have access to both the currently logged-in persons and the customer data, because the Administration group inherits the access rights from the Employee group.

Having a well-defined group structure makes it easier to handle access well. It's possible to change the structure of the groups, for example adding another layer between Administration and Employee, without changing the access given. Moving Administration to another place by changing its parent, however, might give the people in the Administration group more or less access.


Access is granted from the top of the group tree down. An Allow to see the currently logged-in users in Employee can be reverted by a Deny on a lower-level group, and it can also be given back again at an even lower level.

It's possible for an employee to belong to more than one group, but if so, take care not to get conflicting access rules. If there are two conflicting rules at the same level for two different groups, either rule could be used; there's no way to know which rule will take effect.
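
To check a planned group tree for these cases before entering it, the following added example (not code from the product) models top-down inheritance, a Deny at a lower level, and the same-level conflict for an employee in two groups. The Sales, Contractors and Site leads groups, the sample rules and all function names are constructed for illustration. Letting the deepest rule win across several groups and reporting `NoRule` when nothing matches are assumptions of this model.

```python
# Added example: a model of the group tree and rules, not the product's code.
# Group name -> parent group (constructed; only Employee and Administration
# come from the text above).
PARENT = {"Employee": None, "Administration": "Employee", "Sales": "Employee",
          "Contractors": "Employee", "Site leads": "Contractors"}

# (group, item) -> "Allow" or "Deny"; constructed sample rules.
RULES = {
    ("Employee", "Employees logged in"): "Allow",
    ("Administration", "Customers"): "Allow",
    ("Sales", "Customers"): "Deny",
    ("Contractors", "Employees logged in"): "Deny",
    ("Site leads", "Employees logged in"): "Allow",
}

def chain(group):
    """Return the path from the top-level group down to `group`."""
    path = []
    while group is not None:
        if group in path:
            raise ValueError(f"parent loop at group {group!r}")
        path.append(group)
        group = PARENT[group]
    return path[::-1]

def nearest_rule(group, item):
    """Walk top-down; the lowest group holding a rule decides.
    Returns (level, access), or (None, None) if no group on the path has one."""
    found = (None, None)
    for level, g in enumerate(chain(group)):
        if (g, item) in RULES:
            found = (level, RULES[(g, item)])
    return found

def effective(groups, item):
    """Resolve access for an employee who belongs to `groups`.
    Returns "Allow", "Deny", "NoRule", or "CONFLICT" when the deciding rules
    sit at the same level in different groups and disagree."""
    hits = [h for h in (nearest_rule(g, item) for g in groups) if h[0] is not None]
    if not hits:
        return "NoRule"  # assumption: the model does not guess a default
    deepest = max(level for level, _ in hits)  # assumption: deepest level wins
    verdicts = {access for level, access in hits if level == deepest}
    return verdicts.pop() if len(verdicts) == 1 else "CONFLICT"

if __name__ == "__main__":
    for groups in (["Administration"], ["Contractors"], ["Site leads"]):
        print(groups, effective(groups, "Employees logged in"))
    print(["Administration", "Sales"], effective(["Administration", "Sales"], "Customers"))
```

Any `CONFLICT` result marks a group combination to avoid or to resolve with an explicit rule before assigning an employee to both groups.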