Troubleshooting Authorization Role Assignments

Parent Topic

Troubleshooting Authorization Role Assignments

When using the system, it may become apparent that certain users do not have the proper access to the system required for their job. They may not be able to view a specific screen and/or they may not have the needed level of permission to functionality. Conversely, they may have access to screens and/or levels of functionality they should not have. The following pages provide information to help resolve these issues.

Users may need assignments to more roles in addition to the ones they inherit through the Organization Unit screen.
- All the roles and policies currently assigned to an employee can be viewed on the Employee record>TCS screen>Employee Authorization Information Card.
- Roles can be assigned directly to an employee through the Roles screen in the employee record. For more information, see Steps for Adding an Employee-Level Role.
Users may need to have an assigned role deleted or denied. Roles assigned directly to the employee through their employee record can be deleted or denied. Roles inherited through the organization unit need to be re-assigned directly in the employee record and then denied there. For more information, see Steps for Deleting/Denying an Employee-Level Role
An existing (non-Standard) role may need to be updated to change the access level or functionality. Remember that any changes to a role will update the access for ALL employees assigned to that same role. Standard roles cannot be edited--a new role must be created and modified.
A new role may need to be created if none of the existing roles meet the needs for a particular user or groups of users. New roles can be created by adding a role or by replicating an existing role that has most of the required attributes, and then modifying it to change the access. A replicated role can also be replicated again, and modified to create another role with different attributes. For more information, see Steps for Adding a New Authorization Role and Steps for Replicating an Authorization Role.
Note: For authorization to be granted for any policy of the system, all necessary permissions must exist in one role. For example, there cannot be Read access on one role with the desired data access, but Edit access on another role which does not have the desired data access. Otherwise, the users will only have read access.

When troubleshooting any type of authorization issue, the first step is to treat each role as if it were the ONLY role to grant the user access to the feature, and then investigate the issue from that standpoint.

Related Reports and Screens:

The following reports/screens can also be used to troubleshoot issues with roles. Reports are located under the Reports section>System card. Click on the links below for more information on the report and a screen print of the report:

Authorization Control	This report shows all assigned policies for a given authorization role, and the levels of access for each policy.
Authorization Role Assignments	This report shows all the assignment roles and the users/employees assigned to that role.
Authorization Roles Assigned to a Policy	This report lists all the roles that grant access to a specific policy, including non-standard roles. The individual roles displayed in this report can be expanded to list the details of the policy.
Differences Between Authorization Roles	This report lists the policy differences between two selected authorization roles.
Employee Authorization Policy Report	This report lists the authorization policy information for the specified employee, indicating the level of access to each of the screens/fields allowed to the employee.
Policies Assigned to Role Without Parent Policies	This report lists policies where access is given to a screen or policy, but not to the "parent" policy. The parent policy is a policy that is listed at a higher structure level in the Role Authorization Control Hierarchy tree. Users may not be able to get to the screen they have permission to.
Authorization Assignment Audit Report	This report shows edits made to authorization assignment data during the indicated date range. Information includes new assignments and edits to assignments for roles. Note: This report is listed on the Audit card.
Employee Authorization Information Card	This screen shows the roles currently assigned to an employee. It also displays the policies assigned to an employee and the role(s) granting access to the policies.

The following topics are available on this page:

Authorization to Approve, Deny, or Cancel a Request

Denying Access to a Specific Section, Card, or Screen

Granting Access to a Required Screen

Setting Access to a Specific Field on a Record

Setting Read, Create, Edit, and/or Delete Access to Records

Setting Supervisor Approval Requirements of Employee-Submitted Transactions

Setting Validation Override Levels

Users Do Not Have Access to the Icon of a Parent Screen

The following related topics are available:

General

Authorization Controls

Level Assignments

Steps for Adding a New Authorization Role

Steps for Replicating an Authorization Role

Overriding Schedule Validation Exceptions