About security of organisation branches

If your organisation has multiple branches defined in Visma.net ERP, you may need to control which employees get access to which branches. In this topic, you will read about ways to manage the security of a branch.

You can create and maintain multiple branches in your Visma.net ERP instance only if the Multi-branch support functionality is enabled in the Enable/disable functionalities (CS100000) window (for details, see: About multi-branch support).

Because branches share some data, you may also need to control access to the shared data.
Visma.net ERP provides user access roles, which you can use to control users' access to branches, and restriction groups to limit the visibility of shared data.

The most common scenarios of managing the security of company branches are the following:

  • Managing user access to branches
  • Managing the visibility of data shared between branches

The following table explains how to provide access to branches for users who will work in the system.

STEP ACTION
1 Go to the User roles (SM201005) window.
2 Create branch-specific user roles (one role per branch).
3 Assign these roles to user accounts.
For details on user roles, see: About role-based access.
4 Go to the Branches (CS102000) window.
5 Assign the roles to branches. That is, for each branch, in the Access role field, you select the user role created for this branch.

After assigning the first role

Once a role is assigned to one of the branches, other branches must also have roles assigned. A branch with no role assigned will be inaccessible to any user. To allow a user to access multiple branches, assign the roles for the branches to which the user should have access.

Access to branch data in windows

If a user, based on his or her role, has access to a data entry form where this user enters a document and specifies the branch of origin, only the branches to which the user has access are available on the drop-down list. The users who have access to multiple branches can select the specific branch from the Branches menu in the window's title toolbar and create documents on behalf of the selected branch.

No matter which branch users have access to, users who have access to the following windows, based on their roles, will see and work with all branches (because users configure system objects by using these windows):

Branches have some data shared between branches and some data kept as branch-specific (for details, see: About multi-branch support).

You may need to restrict the visibility of data that is shared but may contain sensitive information, such as general ledger accounts and subaccounts.

Visma.net ERP provides restriction groups so you can control which accounts and subaccounts are used with which branch.

For details on configuring restriction groups for accounts and subaccounts, see: About account and subaccount security.

In the following table, you can find the list of the windows that you can use to manage restriction groups with branches and the tasks that you can resolve by using each window.

 
Task Window
To initially configure the visibility of accounts by branches General ledger accounts by branch access (GL103040)
To initially configure the visibility of subaccounts (or subaccount segments) by branches Subaccounts by branch access (GL103060)
To change the visibility of system objects by a branch in multiple groups Restriction groups by branch (GL103020)

In Visma.net ERP, you can configure groups with direct and inverse restriction. In this topic, groups with direct restriction are used in examples for simplicity. You can use inverse restriction groups in the same way as you use direct restriction groups.

For details on the types of restriction groups, see: About types of restriction groups.

For information about how to add or remove objects from a restriction group, see: About operations with restriction groups.