Users are only allowed to do things in the system according to their permissions.
Which elements they can access, and what they are allowed to see, select or edit, is determined by their permissions in combination with the organizational unit selected for their user.
User
In our authorization system, users only act downwards or at the same level. This way, no one can exceed their authority.
Examples
Example A: My user is created on the top organizational unit Global. By my role I have the permission to:
Case 1: An application has been received for a job opening that is on the top-level organizational unit: Global. I can see the application.
Case 2: An application has been received for a job opening that is on the middle organizational unit: Standort Hamburg. I can see the application.
Case 3: An application has been received for a job opening that is on the middle organizational unit: Standort Berlin. I can see the application.
Case 4: An application has been received for a job opening that is on the lowest organizational unit: Vertrieb. I can see the application.
Example B: My user is created on the middle organizational unit Standort Hamburg. Through my role I have the authorization to
Case 1: An application has been received for a job opening that is on the top organizational unit: Global. I cannot see the application because my user can only see items at my organizational unit level or below.
Case 2: An application has been received for a job opening that is on the middle organizational unit: Standort Hamburg. I can see the application.
Case 3: An application has been received for a job opening that is on the middle organizational unit: Standort Berlin.
Case 4: An application has been received for a job opening that is on the lowest organizational unit: Vertrieb. I can see the application because the organizational unit Vertrieb is below my user's location level.
The same is true for items such as correspondence templates, job advertisement templates, job publication templates, master data, and everything else. With my user, I can only access for editing what is at my level or below.
If I want to create a job opening, I can only do so at my organization level or below.
System elements
Elements that are created in the system are inherited in exactly the opposite direction to user permissions: an element is available on the organizational unit where it was created and on every unit below it. If a correspondence template is to be selectable in every organizational unit, it must be created globally. The same applies to locations and other elements.
If a location should be selectable everywhere, then it must be created at the global level.
Examples
The system contains the following locations:
Hamburg: Organizational unit Global (Organizational level: Global)
München: Organizational unit Deutschland (Organizational level: Land)
New York: Organizational unit USA (Organizational level: Land)
Berlin: Organizational unit Standort Berlin (Organizational level: Standort)
Vertrieb: Organizational unit Vertrieb (Organizational level: Abteilung)
A) Job openings at Organizational unit Global
I can select the following locations: Hamburg
All other locations in the system are not selectable, because they were not created on the global organizational unit.
B) Job openings at Organizational unit Hamburg
I can select the following locations: Hamburg, München
Also, I cannot select locations that are created at the organizational unit Abteilung because the organizational unit of the job opening is above it.
C) Job openings at Organizational unit Abteilung
I can select the following locations: Hamburg, München, Berlin, Vertrieb
I can select all locations created from my organizational unit (Vertrieb), up to the top organizational level (Global).
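The two rules above (users act at their level or below, elements are selectable where they were created and below) both reduce to one ancestor-or-self check on the organizational tree. The following sketch is an added example, not code from the product: the parent links in `PARENT`, the use of "Standort Hamburg" for the Hamburg unit in case B, and all function names are assumptions inferred from the location examples.

```python
# Assumed org tree (child -> parent); the page lists units and levels, not parent links.
PARENT = {
    "Global": None,
    "Deutschland": "Global",
    "USA": "Global",
    "Standort Hamburg": "Deutschland",
    "Standort Berlin": "Deutschland",
    "Vertrieb": "Standort Berlin",
}

# Location -> organizational unit it was created on (taken from the page's list).
LOCATIONS = {
    "Hamburg": "Global",
    "München": "Deutschland",
    "New York": "USA",
    "Berlin": "Standort Berlin",
    "Vertrieb": "Vertrieb",
}

def chain_to_root(unit):
    """Return the unit followed by all its ancestors; reject unknown units and cycles."""
    chain = []
    while unit is not None:
        if unit not in PARENT:
            raise KeyError(f"unknown organizational unit: {unit!r}")
        if unit in chain:
            raise ValueError(f"cycle in org tree at {unit!r}")
        chain.append(unit)
        unit = PARENT[unit]
    return chain

def user_can_access(user_unit, item_unit):
    """Users act downwards: the item's unit must be the user's unit or below it.
    A user unit that is not on the item's ancestor chain is denied by default."""
    return user_unit in chain_to_root(item_unit)

def element_selectable(element_unit, context_unit):
    """Elements inherit the other way: selectable on the unit where they were
    created and on every unit below it."""
    return element_unit in chain_to_root(context_unit)

def selectable_locations(job_opening_unit):
    """Locations offered when editing a job opening on the given unit."""
    return [name for name, unit in LOCATIONS.items()
            if element_selectable(unit, job_opening_unit)]
```
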