Basics about access functions per access area
An object that an operation in an access function can potentially operate on often belongs to a specific organisation area, and occasionally to one or more of this organisation area's subareas. For example, a group of agents always belongs to a specific organisation area, and potentially also to one or more subareas in that organisation area.
The fact that a user has an access role that contains a particular access function means that the user is granted the right to use a particular type of operation on a particular type of object. However, this does not generally mean that the user can use the operation on all objects of the type in question throughout the ACE installation. The objects which the operation can be carried out on are controlled and limited by the user’s access areas.
A user’s access areas comprise one or more organisation areas and subareas. They define which areas’ objects the user may work with, and so control which areas the user may configure and view statistics for. For information on how to view and change a user’s access areas, see the section on the User accounts menu choice.
There are three types of access functions:
Access function | Gives the user the right to operate on: |
---|---|
Global | All objects, irrespective of which areas the objects belong to. The user’s access areas are thus of no consequence. |
Organisation area specific | Objects that are included in (belong to) the organisation areas in the user’s access areas. |
Organisation area and subarea specific | Objects that are included in the organisation areas in the user’s access areas. This access function also grants the right to use the corresponding operation on all objects that are included in the subareas in the user’s access areas. |
Global access functions are used, for example, for operations on objects for which there are no areas. The Execute send message access function, for instance, operates on the send message object, which is itself a function in ACE and cannot be said to belong to any particular area.
Example 1: The access function is Own system global address book. A user with a role that contains this access function may create system global address books, and modify and delete them, independently of the user’s access areas.
Example 2: The access function is Own address book for organisation area. This access function is organisation area specific. A user with a role that contains this access function may create, modify and delete address books of the type in question, if the address book belongs to an organisation area that is included in the user’s access areas. The user may not process address books in organisation areas that are not included in the user’s access areas.
Examples 3 to 5 below assume that the areas defined in the system are one organisation area (O) and two subareas (S1 and S2) in that organisation area. See the figure below. They also assume that you have the Own user access function. This access function is of the Organisation area/subarea specific type, meaning that you may administer a user if you have access to the organisation area or the subareas to which this user belongs. The examples relate exclusively to the ability to create users.
Figure: Subareas S1 and S2 in organisation area O.
Example 3: If you have access area O, you may create users in the entire O, as well as in subareas belonging to O (S1 and S2).
Example 4: If you only have access area S1, you may create users in S1 only.
Example 5: If you have the access areas O and S1, the same as in Example 3 applies.
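The three access function types and the scoping rule from the table, applied to Examples 3 to 5, as an added sketch that is not ACE code. The names `Scope`, `Obj`, `may_operate` and `creatable` are hypothetical, and the sketch assumes that area and subarea names are unique and that a user placed in a subarea also belongs to its organisation area.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Scope(Enum):
    GLOBAL = 1                 # access areas are of no consequence
    ORG_AREA = 2               # organisation area specific
    ORG_AREA_AND_SUBAREA = 3   # organisation area and subarea specific


@dataclass(frozen=True)
class Obj:
    org_area: Optional[str] = None      # None: the object belongs to no area
    subareas: frozenset = frozenset()   # subareas the object also belongs to


def may_operate(scope, access_areas, obj):
    """Decide whether an access function of type `scope`, held by a user
    with `access_areas`, may be used on `obj`. Denies by default."""
    if scope is Scope.GLOBAL:
        return True
    in_org = obj.org_area is not None and obj.org_area in access_areas
    if scope is Scope.ORG_AREA:
        return in_org
    if scope is Scope.ORG_AREA_AND_SUBAREA:
        # Access to the organisation area covers the whole area; otherwise
        # one of the object's subareas must be in the access areas.
        return in_org or bool(obj.subareas & frozenset(access_areas))
    return False


# Constructed placements matching the figure: O with subareas S1 and S2.
TARGETS = {
    "O": Obj("O"),
    "S1": Obj("O", frozenset({"S1"})),
    "S2": Obj("O", frozenset({"S2"})),
}


def creatable(access_areas, scope=Scope.ORG_AREA_AND_SUBAREA):
    """Placements in which a user with `access_areas` may create users."""
    return sorted(name for name, obj in TARGETS.items()
                  if may_operate(scope, access_areas, obj))


if __name__ == "__main__":
    for areas in ({"O"}, {"S1"}, {"O", "S1"}):   # Examples 3, 4 and 5
        print(sorted(areas), "->", creatable(areas))
```

With an organisation area specific function, a user whose only access area is S1 gets no access at all, because that type never consults subareas.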