Permission Constraint Calculation Use Cases

The following use cases demonstrate how permission constraints are calculated when a user's permission constraints are merged between multiple roles or permissions.

Update user's constraint during role assignment

Constraint calculation for a given user and permission

Manager Role Constraints

All permissions within the system-defined Manager security role are automatically constrained to either "Restrict to User Self And Subordinates" or "Restrict to Subordinates." These constraints are invisible in the security role, but they will override any similar constraints which may be visible within the security role.

Some manager permissions are automatically constrained to Self and Subordinates while others are automatically constrained to Subordinates. Applying the Direct Subordinates constraint to a permission in this role that is automatically constrained to subordinates DOES NOT result in the manager being constrained to direct subordinates only.

If you need to provide specific managers with greater access:

  1. Edit the Manager role in Security Role Administration and remove the necessary permission.
  2. Create a new security role.
  3. Add the desired permissions to the new role (i.e., the permissions that were removed from the Manager security role).
  4. Set the appropriate constraints.
  5. Add the managers to the new security role with the 'Replace Constraints' option selected. Note: Adding more access to managers who have additional administrative access will require the Append option in order to retain their additional permissions and constraints.