Permission Constraint Calculation Use Cases
The following use cases demonstrate how permission constraints are calculated when a user's permission constraints are merged between multiple roles or permissions.

Update user's constraint during role assignment

- Role A has "Manage Org Unit" permission with OU constraint to Division "Tech."
- Role B has "Manage Org Unit" permission with no constraint.
Case 1: User is assigned to Role A first. Then, user is assigned to Role B with constraint merge type: "Append."
- User has OU constraint to Division "Tech."
Case 2: User is assigned to Role A first. Then, user is assigned to Role B with constraint merge type: "Replace."
- User has no constraint.
Case 3: User is assigned to Role A first. Then, user is assigned to Role B with constraint merge type: "Do not modify."
- User has OU constraint to Division "Tech."
Case 4: User is assigned to Role B first. Then, user is assigned to Role A with any constraint merge type.
- User has no constraint.

- Role A has "Manage Org Unit" permission with OU constraint to Division "Tech."
- Role B has "Manage Org Unit" permission with OU constraint to Location "Santa Monica."
Case 1: User is assigned to Role A first. Then, user is assigned to Role B with constraint merge type: "Append."
- User has OU constraint to Division "Tech" or Location "Santa Monica."
Case 2: User is assigned to Role A first. Then, user is assigned to Role B with constraint merge type: "Replace."
- User has OU constraint to Location "Santa Monica."
Case 3: User is assigned to Role A first. Then, user is assigned to Role B with constraint merge type: "Do not modify."
- User has OU constraint to Division "Tech."
Case 4: User is assigned to Role B first. Then, user is assigned to Role A with constraint merge type: "Append."
- User has OU constraint to Division "Tech" or Location "Santa Monica."
Case 5: User is assigned to Role B first. Then, user is assigned to Role A with constraint merge type: "Replace."
- User has OU constraint to Division "Tech."
Case 6: User is assigned to Role B first. Then, user is assigned to Role A with constraint merge type: "Do not modify."
- User has OU constraint to Location "Santa Monica."
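
The cases in the two scenarios above are consistent with one small rule set. The Python model below is an added example inferred from those cases, not the product's own code; `merge`, `removes_restriction`, `mismatches` and the set representation of constraints are assumptions made for illustration.

```python
# Added model inferred from the cases above; not the product's own code.
# A constraint set is a frozenset of (OU type, value) pairs. The empty set
# means the user already holds the permission with no constraint.
NONE = frozenset()
TECH = frozenset({("Division", "Tech")})
SM = frozenset({("Location", "Santa Monica")})

def merge(existing, incoming, merge_type):
    """Constraint set on a permission after a second role is assigned."""
    if merge_type not in ("Append", "Replace", "Do not modify"):
        raise ValueError(f"unknown merge type: {merge_type!r}")
    if not existing:
        # First scenario, Case 4: unconstrained stays unconstrained.
        return NONE
    if merge_type == "Append":
        # An unconstrained incoming role has nothing to append (Case 1).
        return existing | incoming
    if merge_type == "Replace":
        return incoming
    return existing  # "Do not modify"

# (constraint from first role, constraint from second role, merge type,
#  result stated on the page)
CASES = [
    (TECH, NONE, "Append", TECH),
    (TECH, NONE, "Replace", NONE),
    (TECH, NONE, "Do not modify", TECH),
    (NONE, TECH, "Append", NONE),
    (NONE, TECH, "Replace", NONE),
    (NONE, TECH, "Do not modify", NONE),
    (TECH, SM, "Append", TECH | SM),
    (TECH, SM, "Replace", SM),
    (TECH, SM, "Do not modify", TECH),
    (SM, TECH, "Append", TECH | SM),
    (SM, TECH, "Replace", TECH),
    (SM, TECH, "Do not modify", SM),
]

def mismatches():
    """Cases where the model disagrees with the page; expected to be empty."""
    return [c for c in CASES if merge(c[0], c[1], c[2]) != c[3]]

def removes_restriction(existing, incoming, merge_type):
    """True when an assignment turns a constrained permission unconstrained."""
    return bool(existing) and not merge(existing, incoming, merge_type)
```

`removes_restriction` marks the one combination in these cases that drops an existing restriction: "Replace" with a role whose permission has no constraint.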

Constraint calculation for a given user and permission

User has "Global Search - People" permission from assignable role with no constraint.
User has "Global Search - People" permission from "Manager" role with constraint to subordinates.
Result: User has no constraint.

User has "Global Search - People" permission from assignable role with OU constraint to Division "Tech."
User has "Global Search - People" permission from "Approver" role with no constraint.
Result: User has OU constraint to Division "Tech."

User has "Global Search - People" permission from assignable role with User constraint to subordinates.
User has "Global Search - People" permission from "Approver" role with OU constraint to Division "Tech."
Result: User has User constraint to subordinates.

User has "Global Search - People" permission from assignable role with OU constraint to Division "Tech."
User has "Global Search - People" permission from "Manager" role with constraint to subordinates.
Result: User has OU constraint to Division "Tech" or user's subordinates.

Manager Role Constraints
All permissions within the system-defined Manager security role are automatically constrained to either "Restrict to User Self And Subordinates" or "Restrict to Subordinates." These constraints are not visible in the security role, but they override any similar constraints that may be visible within the security role.
Some manager permissions are automatically constrained to Self and Subordinates while others are automatically constrained to Subordinates. Applying the Direct Subordinates constraint to a permission in this role that is automatically constrained to subordinates DOES NOT result in the manager being constrained to direct subordinates only.
If you need to provide specific managers with greater access:
- Edit the Manager role in Security Role Administration and remove the necessary permission.
- Create a new security role.
- Add the desired permissions to the new role (i.e., the permissions that were removed from the Manager security role).
- Set the appropriate constraints.
- Add the managers to the new security role with the 'Replace Constraints' option selected.
Note: Adding more access to managers who have additional administrative access will require the Append option in order to retain their additional permissions and constraints.