About types of restriction groups

In this topic, you will find descriptions of the different types of restriction groups in Visma Net, the differences between these types, and usage examples.

Visma Net provides two basic types of restriction groups, A and B.
Restriction groups of both types can limit the visibility of system entities in a direct way (types A and B) and an inverse way (types A inverse and B inverse).
The differences between A and B and between A inverse and B inverse are in how these groups work if the same entity is added to multiple groups.

The following table summarises the types of restriction groups and describes how the visibility of entities is affected if a particular entity belongs to multiple groups of the type.

 
Group type Restriction Description
A Direct

Makes entities included in the group visible to users who are also included in the group.
Other users cannot view these entities.

When a particular entity belongs to multiple groups of type A, if you want a user to see this entity in the system, you add the user to at least one of these groups.
A inverse Inverse

Hides the entities included in the group from users who are also included in the group.
Users who are not assigned to this group can view and use the entities.

When a particular entity belongs to multiple groups of type A inverse, if you don't want a user to see this entity, you must include this user in each of these groups.

If you include the user in only one of the groups, he or she will see the entity in the system.
B Direct

Makes entities included in the group visible to users who are also included in the group.
Other users cannot view these entities.

When a particular entity belongs to multiple groups of type B, if you want a user to see this entity in the system, you need to include this user in each of these groups.
B inverse Inverse

Hides the entities included in the group from users who are also included in the group.
Users who are not assigned to this group can view and use the entities.

When a particular entity belongs to multiple groups of type B inverse, if you don't want a user to see this entity in the system, you include the user in at least one of these groups.

You use groups of types A or B or groups with direct restriction when you need to make entities visible to users within the group.
(For groups with only entities, the direct restriction group includes entities that must be used together.)

The following diagram shows how groups with direct restriction work.
In the diagram, you can see four users (for example, accountants) and six entities (for example, general ledger accounts). Initially, all users can see all accounts.

  • Group 1 is defined to include Users С and D and Accounts 1, 2, and 3.
    These accounts are visible to Users С and D and hidden from Users Y and Z.

  • Group 2 is defined to include Accounts 4, 5, and 6 and Users Y and Z.
    Users Y and Z can see Accounts 4, 5, and 6, and Users С and D cannot see these accounts.

You use groups of types A inverse or B inverse or groups with inverse restriction when you need to hide entities from a small number of users.
(For groups without users, an inverse restriction group includes entities that may not be used together.)

See the following diagram, which illustrates how groups with an inverse restriction work.

  • Group 1 is defined to include Users С and D and Accounts 1, 2, and 3.
    Accounts 1, 2, and 3 become invisible to Users С and D and remain visible to users Y and Z.

  • Group 2 is defined to include Accounts 4, 5, and 6 and Users Y and Z.
    This hides Accounts 4, 5, and 6 from Users Y and Z, but Users С and D still can see these accounts.

    The final visibility for groups with inverse restriction is the opposite of the final visibility for groups with direct restriction.

As you decide which type of restriction group best meets your security needs, consider the following recommendations:

  • When you create multiple groups with entities of the same combination of types, use groups of the same basic type (either A or B).
    For example if you have two restriction groups that include users and customers. Otherwise, if you were to add the same entity to multiple groups of different types, the result may not be what you expect.
  • To configure the required visibility of entities, you can combine direct and inverse restriction groups of the same basic type (either A or B). For an example of this, please see Usage example 2 in About types of restriction groups. Thus, you can combine groups of types A and A inverse, and groups of types B and B inverse.
  • If you want to hide particular entities from the majority of users, include the entities and the users who should see the entities in a group with direct restriction (type A or B).
  • If you want to hide particular entities from a small number of users, add the entities and the users who shouldn't see the entities to a group with inverse restriction (type A inverse or B inverse).

Related windows

Configure restriction groups