Security For Approvals
Security roles are used to identify user groups that correspond with the levels of your approval processes. Additionally, roles are used to manage data access in your approvals. Users will only be able to approve or reject objects that they have permission to see.
It is possible to use preexisting security roles to set up your approvals; however, as approvals become more complex, attempting to use preexisting security roles for your approvals may become unnecessarily complicated or ineffective. Instead, consider creating custom security roles specifically for your approvals using The Roles Page.
Permission Inheritance
In older versions of the approval framework, all of the necessary functional and data access permissions had to be assigned to the roles used in approval definitions. As of Reserves 5.8.0, this is no longer the case. Now, each user included in an approval will inherit their functional and data access permissions from the sum of the roles they belong to — and not just the role used in the approval's definition.
For example, User A belongs to the following roles:
- Approval - Group 1: No permissions are explicitly assigned to this group.
- Func - Engineer: Allows users to access and work with various parts of the Reserves application, including the Approvals and Approval Data Submission pages.
- Data - Western Canada: Grants read/write access to western Canadian reservoirs.
If Approval - Group 1 is the only role assigned to a level of an approval definition, the permissions assigned to User A's other roles are inherited, and will control what User A can do in approvals that use the approval definition.
Users Assigned to Multiple Approval Definition Levels
If two or more of a user's roles have been assigned to different levels of an approval definition, the user will operate at the lowest approval level to which one of their roles is assigned.
For example, User B belongs to the following roles:
- Approval - Group 1
- Func - Engineer
- Data - Western Canada
If an approval definition was created where the Approval - Group 1 role was assigned to the second level of the definition, and Func - Engineer was assigned to the fourth level of the approval definition, User B would operate as a second-level approver in all approvals that used the definition.
Functional Approval Permissions
Four permissions can be set to control access to approvals. Access The Security by Object Page and select Approval Configuration from the Object drop-down menu to modify these settings (visible below).
![](../../../../Resources/Images/HF6 Reconciliation/6.3 Approval/AdminIntro.png)
Modifying a Role's Data Access Permissions
When an object is submitted to an approval, a snapshot of the data access permissions that control who has access to the object will be stored in the approval's result set. This snapshot is preserved throughout the life of the approval, and can only be updated by resubmitting the object for approval.
Consequently, if you modify the data access permissions for a group role that affects users in an approval, any submitted objects that would be affected by the security change will need to be resubmitted before the change will take effect.
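The three rules above (permission inheritance, lowest-level resolution, and the data access snapshot) can be checked with a small model when reviewing role assignments. This is an added example, not Reserves code or its API: the role names follow the page, while the permission strings, the `Approval` class and the function names are hypothetical.

```python
# Illustrative model only; role names follow the page, all else is constructed.
ROLE_PERMS = {
    "Approval - Group 1": set(),
    "Func - Engineer": {"page:Approvals", "page:Approval Data Submission"},
    "Data - Western Canada": {"data:Western Canada"},
}
USER_ROLES = {
    "User B": {"Approval - Group 1", "Func - Engineer", "Data - Western Canada"},
}
# Approval definition: level number -> role assigned to that level.
DEFINITION = {2: "Approval - Group 1", 4: "Func - Engineer"}


def effective_permissions(user):
    """Union of the permissions of every role the user belongs to."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMS.get(role, set())
    return perms


def approval_level(user, definition):
    """Lowest level whose assigned role the user holds, or None."""
    held = USER_ROLES.get(user, set())
    levels = [lvl for lvl, role in definition.items() if role in held]
    return min(levels) if levels else None


class Approval:
    """An in-flight approval holding a data access snapshot for one object."""

    def __init__(self, data_perm):
        self.data_perm = data_perm
        self.resubmit()

    def resubmit(self):
        # The snapshot is taken at submission and only refreshed here.
        self.snapshot = frozenset(
            u for u in USER_ROLES if self.data_perm in effective_permissions(u)
        )

    def can_act(self, user):
        return user in self.snapshot


def stale_access(approval):
    """Users in the snapshot who no longer hold the data permission."""
    return {u for u in approval.snapshot
            if approval.data_perm not in effective_permissions(u)}
```

Running `stale_access` over open approvals after a role change lists the submissions that still need to be resubmitted before the change applies to them.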