By using this website, you agree to our Terms of Use (click here)
As a new Acumatica customer, we are preparing to move our corporate financials as our first step in migrating to Acumatica. In this process, we brought in a user from Finance to go through a dual entry style testing phase and ran into an access rights issue getting to the AR622000 report from the Receivables - Invoices and Memos screen.
We suspected that there might be an extra entry hiding in the site map somewhere that the automation step might have hit for checking access rights, but the database shows only 1 entry in the SiteMap table. The user has access to the report from the Receivables menu directly, but is denied when using the Report menu on the Invoices and Memos (AR301000) screen which is specifically defines the report menu definition in an automation step.
The Automation Step to add the report option is defined out of the box in 2018R1. Our admin user has no trouble with the access rights, but our finance user does. Can you point me to why the automation step entry for the Report menu in AR301000 does not allow access to the AR622000 report when the user CAN run it if they go directly to it through the menus? (i.e. Does the automation step hit some other permission we need to grant our locked-down user that an admin user has by default?)
Brian,
Please provide a screenshot of the automation step setup you are referencing.
Typically, automation steps execute menu options from a drop-down list within a master file screen (ex: Customer Master) or transaction screen (ex: invoice entry). This means the user needs access permissions to the reports drop-down and menu item as well as the actual report.
Thank you for your response. It sounds like you might have identified the spot that's causing the trouble, but I don't see the config issue. The Automation Step is from my development environment, but it is identical to the instance in question. The user's role is Corporate Finance.
Granting access to the menu makes sense as I remembered being able to adjust field level access of a screen. I didn't expect to find the report menu option from the Automation Step in the Access Rights by screen, but sure enough it was. However, everything looks to be "inherited" from the screen where the user can access AR Invoices and Memos as shown at the bottom of the above referenced image. Is this the right spot to look for what you are referencing?
Brian,
I agree with you, this sounds suspiciously like a security rights issue. When our customers run into challenges here, I always remind them that assigning security in Acumatica is as granular an exercise as any other system. One of the nuances with Acumatica is that if set rights for a role on any object, you by default revoke rights to every other role at that level and below. Therefore, if you define security for a role at a level, you need to do it for EVERY role that needs ANY level of access to that object and all lower level objects beneath it.
I would have you look at two things:
1) Find where you have granted rights to any person on the AR Invoice Entry screen or upstream from there. Then make sure that EVERY role that needs access to the screen have rights.
2) This also applies to the sub-objects. In this case, look at the inherited rights for the finance group under FINANCE/AR/Work Area/Enter/Invoice and Memos/AR Invoice/Reports - AR Register Details.
You are also correct to look at the access rights to the AR Register Details under FINANCE/AR/Reports/Audit/AR Register Details.
Keep the forum in the loop and we will continue to contribute. Be sure to post your resolution so others can learn from your journey.
We just checked the Access Rights by User on all 3 points and found the permissions are calculating out to Delete and Granted as applicable. We checked the tree for the user being blocked on the Report path, the Invoice/Memo screen path, and the menu path to the report under the Invoice/Memo screen. What you described makes perfect sense, but our user showing Calculated access as Delete and Granted on everything makes this more baffling that it doesn't work. We did change some of the inherited to specifically Delete, and it didn't fix the issue.
At this point, all I know to do is open a support case with Acumatica and send a snapshot. I'll be sure to post back the solution when we have it. If you have any other suggestions, we will be glad to try it on another snapshot while we wait for Acumatica support.
Shawn, you were right on it even though I didn't see what I missed. Acumatica support gave us simple instructions to resolve.
While we had checked the permissions on the menu paths, it seems we missed the top level Finance menu level. We did not need that to access the screens in Receivables or Payables, but we did have to grant access for the automation step menu option to work. The key for security was to NOT apply to children on the Finance level as we didn't want to grant access to anything else inadvertently.
I'm glad you got it tied down. Security is extremely granular. Only set security where it is absolutely needed and always start at the highest level possible. Like a lot of things in life, security rights role downhill!
Once set, establish settings for every role that needs access. Inherit = 'no access' security rights for all role on an object once security has been set for any single role.
Online Members
