Data Ownership Concept

- General authorizations and a license permit a user to access objects and all documents for the object.
- All created marketing documents are stored in the SAP Business One database, meaning that any user with the appropriate general authorization and license can access documents created by other users.
- This is not always desirable. Many companies want to restrict access on a more granular, need-to-know basis.
- Data ownership is not enabled in the system by default. But when you enable data ownership, access to other users' documents is restricted. Access to a document must be granted using data ownership authorizations.
- Data ownership authorizations are different to general authorizations. Data ownership authorizations are granted through a user's relationship with the owner of a document, and these relationships are defined using employee master data. Therefore owners and users who need access must have an employee record.
- If a document has no owner then data ownership rules are ignored and any user can access the document.
- Note that super users are not restricted by data ownership. Super users can access all documents regardless of owner.
Data Ownership Requirements Can Be Varied

Who should be able to view and even update documents created by another user? These requirements will vary from company to company, and data ownership provides a flexible mechanism to address these requirements, based on employee relationships. Let's look at two very different examples from within the same company:
- A sales department requires that sales opportunities, quotations and sales orders should not be visible outside the sales department. In addition there is a need to restrict access within the sales department. In the slide example, Fred Revenue and Mary Discount are peers but they each want exclusive control over their own customers. Documents belonging to their customers or leads should not be accessible to peers. Only the manager of the sales team, George Profit, needs visibility to documents owned by Fred and Mary.
- In the same company, the purchasing department is very small and unlike the sales department, the purchasing documents and business partner information are shared within the team in order to support vendors and manage vendor negotiations. However, purchasing documents should not be visible to users outside the purchasing team.
Possible Data Ownership Relationships

If a company enables data ownership, a user is authorized through a defined relationship with the document owner. The possible relationships are:
- Peer: the user and the owner are considered peers if they share the same manager on their corresponding employee records. A user granted peer authorization can access documents provided they have the same manager as the owner.
- Manager: the owner is the user's manager per the manager field on the user's employee record. A user granted manager authorization can access documents owned by his or her direct manager.
- Subordinate: the user is the owner's manager per the manager field on the owner's employee record. A user granted subordinate authorization can access documents owned by his or her direct subordinates.
- Team: the user and the owner are members of the same team as defined in their employee records. A user granted team authorization can access documents owned by other members of the team.
- Department: the user and the owner are members of the same department as selected in their employee records. A user granted department authorization can access documents owned by other members of the department.
- Branch: the user and the owner are members of the same branch as selected in their employee records. A user granted branch authorization can access documents owned by other members of the same branch. If the multi-branch feature is enabled, you can select multiple branches for an employee. When a user is assigned to more than one branch and has data ownership authorization based on the branch relationship, the user can access documents owned by any users from the same branches.
- Company: A user granted company authorization can access the document regardless of owner, effectively bypassing data ownership for the document.
We will revisit these relationships later in this lesson.
Employee Master Data

- Employee master data is at the heart of data ownership authorizations. To be assigned as the owner of a document or master data record, a user must have an employee record. All users who need permission to access other users' documents also need an employee record.
- You can use employee master data to model the organization of a company. In the master data, you can specify information about an employee, including the employee's manager, department, branch, and membership of any teams within the organization. Note that the peer relationship is assumed if two or more employees have the same manager.
- In the sample master data for the sales manager George Profit we can see the name of his manager, his department, and any teams that he belongs to.
Data Ownership Management Methods
In this section we discuss the data ownership management methods available in SAP Business One.
Data Ownership Management Methods

- The owner of a document is assigned when the document is created, and depends on the data ownership method that a company has chosen.
- There are three methods to consider - business partner only, document only, or a combination of both. Only one method can be selected for the company.
- We will look at these methods in more detail.
- Note: if the multiple branches functionality is enabled in the Company Details screen, there is a fourth option to manage data ownership by branch. With this option, a user is not given authorizations to specific documents; instead, authorization to access documents or business partner data is determined by the user's branch assignment. The branch method is not covered in this course.
Owner Assignment - Business Partner Only Method

- If the business partner only method is selected for a company, the business partner master data contains an owner field. The owner is set by the user who creates or updates the master data record. This owner will then be automatically assigned in all documents created for the business partner. Thus the documents inherit the owner from the master data.
- Users can only access the business partner master data and documents for that business partner if they have a defined relationship with the owner of the business partner master data. This method additionally restricts access to business partner master data when a user browses through records, runs reports, or uses choose from lists. The system will skip records if the user is not authorized by relationship with the business partner owner.
- If no owner is selected in the master data, data ownership rules are not enforced, and any user can access the master data and documents for the business partner.
- There is an option to enforce the selection of an owner when a user creates the business partner record. The default setting is not to enforce an owner, which provides some flexibility if a company wants to apply data ownership to customers but not to vendors. In this case an owner can be selected in customer records but left empty in vendor records.
- Note: The system will block removal of an employee record if the employee is set as the owner in business partner master data.
Owner Assignment - Document Only Method

If the document only method is selected, the owner is assigned in each document, when the document is created, according to a set of rules. With this method, business partner information cannot be restricted and the business partner master data has no owner field.
Instead the owner field in each document is assigned by the system according to a series of rules:
- If the creator of the document does not have an employee record, an owner is not assigned by the system. If it has no owner, a document is not protected by data ownership. However, the owner can be manually selected by the document creator.
- If the creator has an employee record, and a sales employee or buyer is recorded in the business partner master data, and the sales employee or buyer has an employee record that is linked to their user account, the system assigns the sales employee or buyer as the owner of the document.
- If the creator has an employee record, and no sales employee or buyer is recorded in the business partner master data, then the system assigns the creator as the owner of the document.
- If the creator has an employee record, and a sales employee or buyer is recorded in the master data, but the sales employee or buyer does not have an employee record, then the system assigns the document creator as the owner in the document.
Owner Assignment - Business Partner and Document Method

- The third method, business partner and document, is really a hybrid of the other two methods. The business partner master data has an owner field and this method allows a company to restrict access to both documents and business partner master data.
- When a business partner has an owner in the master data, data ownership works according to the business partner only method. The owner name from the master data will be automatically assigned to all documents for the business partner. Permissions to documents and master data are granted based on a user's relationship with the master data owner.
- When the business partner has no owner in the master data, the owner in a document is assigned according to the rules for the document only method. Permissions to documents are granted based on a user's relationship with the document owner (see previous slide). Be aware that this is different to the business partner only method, in which data ownership does not apply at all if the business partner has no owner.
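The owner assignment rules for the three methods can be modeled as one small function. This is an added example, not SAP Business One code: the class and function names are hypothetical, and the sample users are constructed from the names used on this page.

```python
from dataclasses import dataclass
from typing import Optional

# The three company-wide methods described on the page.
DOCUMENT_ONLY = "document only"
BP_ONLY = "business partner only"
BP_AND_DOCUMENT = "business partner and document"


@dataclass(frozen=True)
class User:
    name: str
    has_employee_record: bool  # employee record linked to the user account


@dataclass(frozen=True)
class BusinessPartner:
    code: str
    owner: Optional[User] = None           # owner field (business partner methods)
    sales_employee: Optional[User] = None  # sales employee or buyer, if recorded


def document_only_owner(creator: User, bp: BusinessPartner) -> Optional[User]:
    """Owner the system assigns under the document only rules."""
    if not creator.has_employee_record:
        return None  # no owner assigned; the document is not protected
    se = bp.sales_employee
    if se is not None and se.has_employee_record:
        return se    # sales employee or buyer becomes the owner
    return creator   # no sales employee, or one without an employee record


def assign_owner(method: str, creator: User, bp: BusinessPartner) -> Optional[User]:
    """Return the document owner, or None when data ownership does not apply."""
    if method == DOCUMENT_ONLY:
        return document_only_owner(creator, bp)
    if method == BP_ONLY:
        return bp.owner  # inherited from master data; None means unprotected
    if method == BP_AND_DOCUMENT:
        # Hybrid: master data owner wins, otherwise fall back to document rules.
        if bp.owner is not None:
            return bp.owner
        return document_only_owner(creator, bp)
    raise ValueError(f"unknown data ownership method: {method!r}")


# Constructed sample data.
fred = User("Fred Revenue", has_employee_record=True)
mary = User("Mary Discount", has_employee_record=True)
george = User("George Profit", has_employee_record=True)
temp = User("Temp User", has_employee_record=False)

bp_plain = BusinessPartner("C001")
bp_with_se = BusinessPartner("C002", sales_employee=mary)
bp_se_no_record = BusinessPartner("C003", sales_employee=temp)
bp_owned = BusinessPartner("C004", owner=george, sales_employee=mary)

if __name__ == "__main__":
    for method in (DOCUMENT_ONLY, BP_ONLY, BP_AND_DOCUMENT):
        for bp in (bp_plain, bp_with_se, bp_se_no_record, bp_owned):
            owner = assign_owner(method, fred, bp)
            print(f"{method:30} {bp.code}: {owner.name if owner else 'no owner'}")
```

The case to watch when reviewing a configuration is a business partner without an owner: under business partner only the documents are unprotected, while under the hybrid method they still receive an owner from the document only rules.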
Owner and Sales Employee/Buyer Fields

- In addition to the owner field, a sales or purchasing document has a sales employee or buyer field. The sales employee or buyer for a sales or purchasing document is always assigned from the business partner master data. Note that the names of the sales employees and buyers are maintained in the Sales Employees/Buyers setup window.
- If the document only method is used, a sales employee or buyer will be assigned as document owner if the sales employee or buyer has an employee record linked to their user account.
Choosing a Data Ownership Method

The data ownership method for a company might be influenced by how the company works with its business partners. For example:
- If there is a person who has sole responsibility for a business partner then that person can be designated the exclusive owner of the business partner in the master data. If all other users who need access to the business partner and documents have one of the defined relationships to the owner, then the business partner only method can be chosen. Obviously the selection of the business partner owner is important to making this method work.
- If there is no single owner for a business partner because multiple users manage the business partner relationship, making it hard to specify an owner, then the document only method can be chosen. The business partner will not have an owner. A document owner will be assigned according to the rules and any user who needs access to documents for the business partner must have one of the defined relationships with the document owner.
- If the company has a mix of the above scenarios, the business partner and document method can be chosen. If some business partners have an exclusive owner, but some business partners do not, then this is an optimal method.
Enabling Data Ownership in the System

- Data ownership authorization is enabled in the General Settings on the BP tab. Once you enable data ownership, access restrictions are immediately enforced. Normal users have no access to other users' documents until they are given permissions.
- When you enable data ownership you select the method:
  - Document only
  - Business partner only
  - Business partner and document
- Note that the method can be instantly changed at any time from this window. If you do change the method, you may need to set the permissions for the new method.
- When the Business Partner Only method is selected, a further checkbox appears that allows business partners without an owner. If you uncheck this checkbox, the system will force the user to select an owner when they create new master data records for customers and vendors. If a business partner has no owner, data ownership rules will not apply to the business partner or to documents for the business partner.
- If you have enabled multiple branches in the Company Details screen, you will see a fourth option for managing data ownership - Branch. This should not be confused with the branch relationship in data ownership. If multiple branches is enabled and you select data ownership by branch, then user access to marketing documents, business partners, and reports is authorized through branch assignment. For example, a user is only able to access a business partner if both the user and the business partner are assigned to the correct branch. The branch data ownership method is not covered in this course.
Setting Data Ownership Permissions
The next part of this topic looks at the process for setting data ownership permissions.
Data Ownership Permissions - Concept

- The data ownership authorizations window shows a list of all users who have employee records together with a matrix of predefined relationships. Note that the Document column varies according to the data ownership method.
- To assign an authorization, select the employee then select an authorization for the relationship that the employee has with the document owner/business partner owner. Possible authorizations are: full (read and update), read only, or none. The default is no access (none).
- Once set, the authorization applies to all documents in the future that meet the relationship.
- In the example the user Marc Manager is about to be granted full access to A/R invoice documents owned by his subordinates. Marc will have access to all future A/R invoices created by people who report to him.
- It is possible to assign authorizations that overlap. For example, Marc could also be assigned Read Only access to A/R invoices for the Department relationship. Since Marc's subordinates can also be in the same department, this might mean that Marc has both full access and read only access to the same documents. In this case the most generous authorization takes precedence, for example, full instead of read-only, or read only instead of none.
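The relationship checks and the "most generous authorization wins" rule can be modeled as follows. This is an added example, not SAP Business One code: the field names, the grants structure and the employees other than George Profit, Fred Revenue and Mary Discount are constructed, and it assumes that owners keep full access to their own documents.

```python
from dataclasses import dataclass
from typing import Optional

# Ordered so that max() selects the most generous authorization.
NONE, READ_ONLY, FULL = 0, 1, 2


@dataclass(frozen=True)
class Employee:
    """Fields of an employee record that define relationships (model only)."""
    name: str
    manager: Optional[str] = None
    department: Optional[str] = None
    branches: frozenset = frozenset()
    teams: frozenset = frozenset()
    super_user: bool = False  # assumption: kept on this record for brevity


def relationships(user: Employee, owner: Employee) -> set:
    """Return every relationship the user has with the document owner."""
    rels = {"company"}  # the company relationship applies regardless of owner
    if user.manager is not None and user.manager == owner.manager:
        rels.add("peer")         # both report to the same manager
    if user.manager == owner.name:
        rels.add("manager")      # the owner is the user's manager
    if owner.manager == user.name:
        rels.add("subordinate")  # the user is the owner's manager
    if user.teams & owner.teams:
        rels.add("team")
    if user.department is not None and user.department == owner.department:
        rels.add("department")
    if user.branches & owner.branches:
        rels.add("branch")       # any shared branch counts (multi-branch)
    return rels


def effective_access(user, owner, doc_type, grants) -> int:
    """Data ownership level only; general authorizations are checked elsewhere."""
    if owner is None or user.super_user:
        return FULL  # no owner, or super user: data ownership does not restrict
    if user.name == owner.name:
        return FULL  # assumption: owners keep full access to their documents
    row = grants.get((user.name, doc_type), {})  # unset cells default to None
    return max((row.get(rel, NONE) for rel in relationships(user, owner)),
               default=NONE)


# Constructed sample organization.
george = Employee("George Profit", manager="Ann Director", department="Sales")
fred = Employee("Fred Revenue", manager="George Profit", department="Sales")
mary = Employee("Mary Discount", manager="George Profit", department="Sales")
dan = Employee("Dan Desk", department="Sales")
pat = Employee("Pat Buyer", department="Purchasing")
auditor = Employee("Avery Auditor", department="Finance")
admin = Employee("Admin", super_user=True)

# Authorization matrix: (user, document type) -> {relationship: level}.
GRANTS = {
    ("George Profit", "A/R Invoice"): {"subordinate": FULL, "department": READ_ONLY},
    ("Avery Auditor", "A/R Invoice"): {"company": READ_ONLY},
}

if __name__ == "__main__":
    names = {NONE: "none", READ_ONLY: "read only", FULL: "full"}
    for user, owner in [(george, fred), (george, dan), (george, pat),
                        (fred, mary), (auditor, mary), (admin, mary)]:
        level = effective_access(user, owner, "A/R Invoice", GRANTS)
        print(f"{user.name} -> invoice owned by {owner.name}: {names[level]}")
```

Running the same evaluation over an exported authorization matrix is a quick way to spot users whose overlapping relationships give them more access than any single cell suggests.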
Set Data Ownership Permissions - Business Partner Only

- If the method is business partner only, the Document column shows only two entries - business partner and purchase request. The purchase request document is included because it is the only document not associated with a business partner, therefore you must set authorizations specifically for this document type.
- On the business partner row, you assign permissions for each user according to their relationship with the owner of the business partner master data:
  - If read only authorization is granted for a relationship, and if the user has the required relationship to the owner, then the user can view the business partner master data in choose from lists, can view all documents for the business partner, and can view the business partner data and documents in various reports, for example, the Open Items List or Aging Reports.
  - If full authorization is granted, the user can in addition create and edit documents for the business partner, and update the master data.
- Once a user is authorized, the user now has access to all business partner records and all documents where they have a relationship to the business partner owner.
- On the purchase request row, you assign permissions to each user by selecting their relationship to the owner of the purchase request document.
- In the example, George Profit is a sales manager and has:
  - Full access to documents and master data for business partners owned by the employees who report to him (subordinates)
  - Read only access to documents and master data for business partners owned by an employee in the same department
  - No access to documents and master data owned by his manager, his peers, branch or team
  - Full access to purchase request documents owned by subordinates, but no access to purchase requests owned by other employees.
Set Data Ownership Permissions - Document Only

- If the document only method is chosen, the Document column shows a full list of marketing document types. You assign authorizations to each selected user for each document type by selecting Full or Read Only or None (default) according to the user's relationship to the owner of the document. You make these selections for each document type.
- Being able to set permissions at the document type level enables a company to permit access to one document type but not to another. For example, you can permit access to sales orders but not to A/R invoices, even if both documents have the same owner.
- In the example, George Profit is a sales manager and has:
  - Full access to sales orders and A/R invoices owned by all employees who report to him (subordinates)
  - Read only access to sales orders and A/R invoices owned by any employees in the same department
  - No access to sales orders or A/R invoices owned by his peers, his manager, his branch or team.
- The full list of document types is not shown in this example.
Set Ownership Permissions - Business Partner and Document

- If the combined business partner and document method is chosen, the Document column shows a business partner row plus a row for each marketing document type, including the Purchase Request document:
  - On the business partner row, assign authorization to a user by selecting Full or Read Only or None (default) according to their relationship to the owner of the master data. If the business partner master data has an owner, the authorizations assigned on this row apply.
  - On the document rows, you assign authorization to a user by selecting Full or Read Only or None (default) according to the user's relationship to the owner of the document. If the business partner master data does not have an owner, the authorizations assigned on these rows apply.
- In this example the user George Profit has different authorizations depending on whether the master data contains an owner:
  - If there is an owner in the master data, George Profit has read only access to both documents and master data for business partners owned by subordinates.
  - If there is no owner in the master data, George Profit has full access to sales orders and A/R invoices owned by subordinates, and read only access to sales orders and A/R invoices owned by other people in the same department.
Data Ownership at the Company Level

- If a selection of full or read only is made in the Company column for a user, this effectively grants the user full or read-only access to all documents regardless of owner, thus canceling out data ownership authorizations.
- An example of when this authorization might be used is for the company auditor who might need to access documents but does not have a defined relationship to the owners. You can simply grant this access to this one employee.
- The company relationship is available for all three methods.
Summary - Data Ownership Permissions

- Once data ownership is enabled, a document that has an owner can only be accessed by the owner, a super user, or other users authorized by relationship to the owner.
- For the business partner only method, the owner is assigned in the business partner master data and is inherited by all documents created for the business partner. There is an option to force the user to select an owner in the master data. Once permission is given by way of relationship to the business partner owner, a user can access all documents for that business partner. The exception is the purchase request document which has no business partner and therefore permissions must be granted to this document type.
- For the document only method, the owner is assigned to each individual document when it is created, according to a set of rules, and the owner can be different in documents for the same business partner.
- To permit access to a document, select read-only or full access for each user according to their relationship with the owner. The possible relationships are peer, manager, subordinate, department, branch and team. The company relationship gives a user read or full access to all business partners and documents (Business Partner only method) or to all documents for a selected document type (Document only method).
- Relationships are defined using employee master data, therefore all users, including owners and users who need access, must have an employee master record.
Sharing Options
This section of the topic looks at options for exempting certain documents and reports from data ownership rules.
Data Ownership on Reports

- The authorization permissions affect reports, Drag & Relate, and browsing through existing documents. While browsing, if the user encounters a document that is restricted by authorization, the system skips it or shows it as read only, depending on whether authorization was selected as none or read only.
- If a user does not have permission to a document, the document records will be skipped in the report or when the user browses through documents. For example, a user who runs the Open Items List report will only see the following documents in the report:
  - Documents that they own
  - Documents to which they have been granted data ownership permissions, or
  - Documents that have no owner
- The system will skip other documents.
- If the business partner only method is in use, and a user does not have permission to the business partner owner, the business partner will not show in choose from lists.
Header and Row Owners

Marketing documents can potentially have a header owner and a different row owner (the owner field appears in both the header and row of a document). The row owner field in a marketing document is not initially visible in the document row but can be made visible using form settings.
Normally the row owner defaults to the header owner, but it can happen that the owner of a row is different to the header owner. This could happen, for example as shown in the slide, if Michael Spear left the company and Bill Levine updated his document.
When you set data ownership authorizations for a document, the default owner is the owner of both the header and rows (Header and Row Owner). This permits a user to access a document if they have a relationship with either the header owner or the row owner. In the example here, any user can access this document if they are permitted and if they have a relationship with either Michael or Bill.
If a company wants to restrict the access relationship to just the header owner, they can do this using sharing options.
Data Ownership Sharing Options

Data ownership sharing options allow you to refine data ownership rules, temporarily or permanently, for a specific, named document type, report, or form.
The Documents tab shows a list of all marketing documents. Here you can override the data ownership rules set for a document in the Data Ownership Authorizations window:
- If you select Header Owner for a document type, instead of Header and Row Owner, this enforces data ownership by relationship to only the header owner. Users must have a defined relationship with the header owner, and are not permitted to access the document based on a relationship with only the row owner.
- If you select No Restriction for a document, this bypasses data ownership rules for all instances of the document type. An example might be to temporarily allow access to all A/R invoices to troubleshoot a problem.
The Windows tab is initially blank but you can select any form or report from the dropdown list and select either No Restriction or Header Owner:
- If you choose Header Owner, data ownership rules are enforced for the form or report with respect to the owner of the document header.
- If you choose No Restriction, all users will be able to view all records in the form or report, with no skipping of records. Data ownership is effectively bypassed for the form or report. An example might be to allow users to view all documents in the Open Items report or to view all business partners in the Aging Reports or Payment Wizard. The user does not need data ownership authorization to the business partners or documents. Note: Users have read only access to the business partners and documents.
- If a form or report is not selected in this tab, then data ownership rules will apply.
- Note that the dropdown list shows all forms in the system, many of which are not relevant for data ownership. You can type in the full or partial name of a form at the top of the dropdown list to quickly navigate through the list. Or you can open the form and use System Information to show the form number in the status bar.
Sharing Options - Header and Row Owners Example

- A business example for selecting Header Owner as the document owner might be a sales opportunity that is handled at different stages by different users. A company might want to limit which users have access to an opportunity that is being worked on by a team. The company can achieve this by setting a different owner for the header and the stage rows.
- Assume the header owner (Bill Levine) works in team A. The owner for the stage row works in team B.
- If data ownership access is granted to a user in team B based on the team relationship:
  - If the owner is selected as Header Owner, the user from team B will have no access to the sales opportunity because the user is in a different team to the header owner.
  - If the owner is selected as Header and Row Owner, the user has access to the sales opportunity through the team relationship with the row owner. If the user's relationship is only with the row owner, the user can view but not update the document header, even if they have full permission.
Sharing Options - Documents Tab

The data ownership sharing options window has different tabs depending on the data ownership method in use:
- If the document only method is in use, the Documents tab shows the list of marketing documents and you can bypass data ownership rules for any document by selecting No Restriction for the document. You can optionally select Header Owner to restrict access only to users with a relationship to the document header owner.
- If the business partner only method is in use, the Documents tab will only show the purchase request document, since this document does not have a business partner owner. The actions on this document are the same as for the document only method.
- If the business partner and document method is in use, the Documents tab is only relevant if the business partner does not have an owner in the master data.
Sharing Options - Business Partner Tab

- The Business Partner tab of the data ownership sharing window is only available for business partner only and business partner and document methods.
- This tab is not available for the document only method.
- The settings made on this tab apply only when the business partner master data has an owner:
  - The default setting in the owner column is business partner owner, meaning that the documents are subject to data ownership.
  - The other setting is No Restriction which allows the bypass of data ownership rules. This might be useful to keep the system running without data ownership checks if an incorrect owner was selected in the master data that results in users being blocked.
- The full list of documents can be viewed by expanding the node for the business partner.
- Note that if the business partner and document method is in use and there is no owner for a business partner, the settings on the Documents tab will apply instead of the settings on this tab.
Summary
Here are some key points to take away from this session.
- General authorizations and a license permit a user to access objects and all documents for the object. This is not always desirable. Many companies want to restrict access on a more granular, need-to-know basis. An example might be a sales or purchasing department where all users have the same general authorizations and license, but where documents should not be visible to all users in the department.
- Data ownership is not enabled in the system by default. But when you enable data ownership, access to other users' documents is restricted. Access to a document must be granted using data ownership authorizations.
- Data ownership authorizations are different to general authorizations. Data ownership authorizations are based on a user's relationship with the owner of a document.
- Employee master data defines the relationship between owners and users who need to access documents. Employee master data enables you to define an organizational structure with reporting lines, teams, branches and departments.
- If a document has no owner then data ownership rules are ignored and any user can access the document.
- Super users are not restricted by data ownership and can access all documents regardless of owner.
- There are three data ownership methods which control how the owner is assigned in a document:
  - Business partner only: applies to documents and business partner master data and access is based on a user's relationship with the owner of the master data.
  - Document only: protects documents and access is based on a user's relationship with the owner of the document.
  - Business partner and document: is a hybrid. If there is an owner in the master data, the rules for the business partner only method are used. If there is no owner the rules for the document only method are used.
- Data ownership permissions are: None, Read-Only or Full. None is the default so all permissions must be explicitly defined for each user in the Data Ownership Authorizations window.
- Data ownership relationships with the owner can be: peer, team, manager, subordinate, branch, department or company.
- If data ownership is set for a user at the company level for a document or business partner, the user will have read-only or full access (as assigned) to all documents and/or all business partners. An example is to give an auditor read access to all documents.
- You can bypass data ownership for a document type, or for specified forms and reports, using the sharing options window.