Manage visibility with restriction groups

Manage visibility with restriction groups /visma-net-erp/help/access-management/row-level-security/manage-visibility-with-restriction-groups section In Visma Net, you can use restriction groups in addition to role-based access rights to configure the security of information within the system. 2026-02-19T17:09:06+01:00 # Manage visibility with restriction groups In Visma Net, you can use restriction groups in addition to role-based access rights to configure the security of information within the system. In Visma Net, you can use restriction groups in addition to role-based access rights to configure the security of information within the system. In these topics you will read about different ways of using restriction groups and specific information about particular entities whose visibility you can control. About account and subaccount security /visma-net-erp/help/access-management/row-level-security/manage-visibility-with-restriction-groups/about-account-and-subaccount-security page In Visma Net, you can control which users will use particular general ledger accounts and subaccounts. 2026-02-19T17:09:06+01:00 # About account and subaccount security In Visma Net, you can control which users will use particular general ledger accounts and subaccounts. To configure the security of general ledger accounts and subaccounts, you can use a combination of user roles and restriction groups. By using user roles, you can configure the access of users to branches and to all branch-specific accounts and subaccounts. With restriction groups, you can set up the visibility of particular accounts and subaccounts within branches and for certain users, and you can limit the use of subaccounts with particular accounts. ## Most common scenarios with accounts and subaccounts In this topic, you will read about using restriction groups and branch-specific roles to configure and manage the security of accounts and subaccounts. The sections below describe in detail the most common scenarios of managing the security of accounts and subaccounts. These are: + Managing the visibility by branch + Managing the visibility by user + Managing the visibility of subaccounts by account + Adding the needed objects to one restriction group to control visibility by multiple factors ## Managing the visibility by branch When your organisation consists of multiple branches (and you have created multiple branches in Visma Net ), you can configure the system so that it narrows the lists of accounts and subaccounts by branch on data entry forms. You can configure and use the restriction groups that include branches only if the **Multi-branch support** functionality is enabled in the [Enable/disable functionalities (CS100000)](/visma-net-erp/help/common-settings/enable-or-disable-functionalites/enable-disable-functionalities-cs100000/) window. ### SCENARIO Suppose that your organisation has two branches, the Headquarters office ( **HQ** in the system) and the Regional sales office ( **RS** ). The accounting department processes documents for both branches. The following table explains how to configure the visibility restrictions of accounts and subaccounts by branch.

STEP	ACTION
1	Configure user roles for each branch (for example, Branch HQ and Branch RS ).
2	Assign both roles to the user accounts of the accountants. Result: The accountants will see information for both branches in Visma Net.
3	In the General ledger accounts by branch access (GL103040) window: create two restriction groups of type A with direct restriction: the HQ Accounts group for the Headquarters office and the RS Accounts group for the Regional sales office. In the HQ Accounts group, include the Headquarters branch ( HQ ) and the accounts that should be visible within the HQ branch. In the RS Accounts group, include the Regional sales branch ( RS ) and the accounts specific to the RS branch.
4	In the Subaccounts by branch access (GL103060) window: create two restriction groups of type A with direct restriction: the HQ subaccounts group for the Headquarters office and the RS subaccounts group for the Regional sales office. In the HQ subaccounts group, include the HQ branch and the subaccounts that should be visible within this branch. In the RS subaccounts group, include the RS branch and the subaccounts specific to this branch.
5	Result: The system will narrow the lists of accounts or the list of subaccounts in data entry windows after a user selects a branch.

### Resulting visibility Suppose that an accountant is adding an invoice in the [Purchase invoices (AP301000)](/visma-net-erp/help/supplier-ledger/supplier-ledger-windows/purchase-invoices-ap301000/) window and selects the **HQ** branch in the **Branch** column of the **Document details** tab. The accountant will only see accounts added to the **HQ accounts** restriction group. ## Managing the visibility by user If your organisation has sensitive general ledger accounts and subaccounts, you can provide the visibility of these objects to only a limited set of users. For performance reasons, visibility restrictions by user for subaccounts do not affect analytical (ARM) and window-based reports or general inquiries. This means that users who can view the reports and general inquiries that include subaccounts will see the full list of subaccounts. ### SCENARIO 1 Suppose that only a chief accountant of your organisation can work with the tax payable account. The following table explains how to make this account visible only to the chief accountant.

STEP	ACTION
1	Go to the General ledger account access (GL104000) window.
2	Create a restriction group (for example, Access to VAT payable account ) with direct restriction.
3	Add the user account of the chief accountant to the group.
4	Add the tax account to the group.

### SCENARIO 2 Suppose that the subaccount for the financial department can be used only by accountants (and not by other users). The following table explains how to make this subaccount visible only to accountants. |STEP|ACTION| |---|---| |1|Go to the [General ledger account access (GL104000)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/general-ledger-account-access-gl104000/) window.| |2|Create a restriction group (for example, **Access to financial subaccount** ) with direct restriction.| |3|Add the user accounts of the accountants to the group.| |4|Add the subaccount for the financial department to the group.| ## Managing the visibility of subaccounts by account You can specify which subaccounts can be used with only a particular account in windows in Visma Net. This means that only the specified subaccounts will appear for selection if that account is selected. This limitation will help users to avoid errors when they select accounts and subaccounts in windows. If you are using restriction groups to control the accounts and subaccounts that can be used together, you must create at least two groups and include all subaccounts in either of the groups. ### SCENARIO Suppose that you need to restrict visibility of subaccounts for only one account. The following table explains how to solve this task. |STEP|ACTION| |---|---| |1|Create two restriction groups.| |2|In the first group with **direct** restriction, include a general ledger account and the list of subaccounts that should be related to this account.| |3|In the second group with **inverse** restriction, include the same account and subaccounts that should not be displayed after users select this account.| |4|**Result**: When users select the account in a window, they will see only one of the subaccounts included in the first group.| ### PRACTICAL EXAMPLE Suppose that the ELE-000 subaccount, which is used for electronics and computers, should be visible only after a user has selected the 12100 warehouse account, and the NSS-000 subaccount should be related to the 12200 warehouse account. The following table explains how to restrict the visibility of the subaccounts by account in this particular case. |STEP|ACTION| |---|---| |1|Go to the [General ledger account access (GL104000)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/general-ledger-account-access-gl104000/) window.| |2|Create the restriction group Stock item subaccounts and include the **12100** warehouse account and the **ELE-000** subaccount.| |3|Create the restriction group Non-stock item subaccounts and include the **12200** warehouse account and the **NSS-000** subaccount.| ## Visibility of accounts, subaccounts, and users If you need to limit the users who use sensitive accounts, and only particular subaccounts must be used with these sensitive accounts, you can configure restriction groups to address this task. To implement this functionality, you need to add users, accounts, and subaccounts (or subaccount segments) to the same group. ### SCENARIO Suppose that the ELE-000 (electronics and computers) and FUR-000 (furniture) subaccounts should be visible only if a user has selected the 12100 warehouse account, and that only the warehouse workers User Y and User Z should work with these accounts and subaccounts. The following table explains how to restrict the visibility in this case.

STEP	ACTION
1	Go to the General ledger account access (GL104000) window.
2	Create a restriction group, for example Restriction of warehouse accounts.
3	Add the 12100 warehouse account to the group.
4	Add the ELE-000 and FUR-000 subaccounts to the group.
5	Add User Y and User Z to the group.
6	Result: User Y and User Z will only be able to select subaccounts ELE-000 and FUR-000 in combination with warehouse account 12100 when processing a document.

## Subaccount segment values If the **By segment: all avail. segment values** lookup mode is selected in the [Segment keys (CS202000)](/visma-net-erp/help/common-settings/common-settings-windows/segment-keys-cs202000/) window for the **SUBACCOUNT** segmented key (that is, if the users of your Visma Net instance enter subaccounts by segments in windows), you manage the security of subaccount segments instead of entire subaccounts. In this case, you need to add all subaccount segments, that form a subaccount whose visibility should be restricted, to a restriction group. ## Cash account security Cash accounts are one type of sensitive accounts that you may need to secure in the system. The ways of managing the security of cash accounts differ from the ways of managing the security of general ledger accounts. For more information, see: [About the security of cash accounts](/visma-net-erp/help/cash-management/configure-cash-accounts/about-the-security-of-cash-accounts/). ## Windows for account and subaccount security In the following table, you can find the list of windows that you can use to manage restriction groups with accounts, subaccounts, and subaccount segments, and tasks that you can resolve by using each window. |Task|Window| |---|---| |To initially configure the visibility of accounts and subaccounts (or subaccount segments) to users.|[General ledger account access (GL104000)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/general-ledger-account-access-gl104000/)| |To initially configure the visibility of accounts by branches.|[General ledger accounts by branch access (GL103040)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/general-ledger-accounts-by-branch-access-gl103040/)| |To initially configure the visibility of subaccounts (or subaccount segments) by branches.|[Subaccounts by branch access (GL103060)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/subaccounts-by-branch-access-gl103060/)| |To change the visibility of an account in multiple restriction groups.|[Restriction groups by general ledger account (GL104020)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/restriction-groups-by-general-ledger-account-gl104020/)| |To change the visibility of a subaccount in multiple restriction groups.|[Restriction groups by subaccount (GL104030)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/restriction-groups-by-subaccount-gl104030/)| |To change the visibility of a subaccount segment in multiple restriction groups.|[Restriction groups by sub segment (GL104040)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/restriction-groups-by-sub-segment-gl104040/)| |To change the visibility of system objects by a user in multiple restriction groups.|[Restriction groups by user (SM201035)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/restriction-groups-by-user-sm201035/)| |To change the visibility of system objects by a branch in multiple restriction groups.|[Restriction groups by branch (GL103020)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/restriction-groups-by-branch-gl103020/)| For information about how to add or remove objects from a restriction group, see: [About operations with restriction groups](/visma-net-erp/help/access-management/row-level-security/configure-restriction-groups/about-operations-with-restriction-groups/).

Concepts

About security of cash accounts /visma-net-erp/help/access-management/row-level-security/manage-visibility-with-restriction-groups/about-security-of-cash-accounts page Cash is a company's most liquid asset, which is why an organisation must have adequate controls to secure it. 2026-02-19T17:09:06+01:00 # About security of cash accounts Cash is a company's most liquid asset, which is why an organisation must have adequate controls to secure it. In Visma Net, you can control which users can view which particular cash accounts. In this topic the following scenarios of managing the security of cash accounts are described: + Managing the visibility by branch. + Managing the visibility by user. ## Multiple branches vs. single branch organisations If your organisation consists of multiple branches, you can allow users in each branch to work with only branch-specific cash accounts. You can only configure multiple branches if the **Multi-branch support** functionality is enabled in the [Enable/disable functionalities (CS100000)](/visma-net-erp/help/common-settings/enable-or-disable-functionalites/enable-disable-functionalities-cs100000/) window. If the **Multi-branch support** functionality is disabled, all cash accounts belong to a single branch and are visible to all users who are allowed to view the accounts, based on their membership in restriction groups. ## Visibility of cash accounts by branch The visibility of a cash account can be restricted based on the branch the account belongs to. Consider a user who is allowed to view multiple branches due to this user's assigned branch roles. On the data entry forms, this user can view the cash accounts of all the branches this user is allowed to view, based on the branch selected in the **Branch** field of the data entry form. This field is filled by default with the branch to which the user is currently signed in. The following steps describe how to restrict the visibility of a cash account by the branch.

STEP	ACTION
1	Go to the Enable/disable functionalities (CS100000) window.
2	Enable the Inter-branch transactions functionality, which gives you the ability to configure the automatic generation of inter-branch transactions for each document that involves multiple branches. Result: The Restrict visibility with branch check box appears in the Cash accounts (CA202000) window.
3	Go to the Cash accounts (CA202000) window.
4	Select a cash account.
5	Select the Restrict visibility with branch check box.
6	Save your changes.

Repeat steps 4-6 for each cash account whose visibility you want to control. ### Resulting visibility The table below explains how cash account access varies based on the selection of the checkbox **Restrict visibility with branch** in the [Cash accounts (CA202000)](/visma-net-erp/help/cash-management/cash-management-windows/cash-accounts-ca202000/) window. |SCENARIO|VISIBILITY OF CASH ACCOUNT| |---|---| |Check box selected for a cash account|Visible to users selecting the specified branch in the "Branch" field on data entry forms.| |Check box cleared for a cash account|Visible regardless of the selected branch.| |When the Branch field is absent on a data entry form|Visibility determined by the user's currently signed-in branch.| ## Restricting access with user roles If you want, you can restrict access to cash accounts by using branch roles in the same way as for general ledger accounts. For more information, see [About account and subaccount security](/visma-net-erp/help/access-management/row-level-security/manage-visibility-with-restriction-groups/about-account-and-subaccount-security/). ## Visibility of cash accounts by user You can control the visibility of a specific cash account to users with the help of restriction groups. Suppose that there is only one accountant in your organisation and only this person should work with a cash account in the system. The following steps describe how to restrict the visibility of the cash account by user. |STEP|ACTION| |---|---| |1|Go to the [General ledger account access (GL104000)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/general-ledger-account-access-gl104000/) window.| |2|Create a restriction group with direct restriction, for example **Access to cash account**.| |3|Add the user account of the accountant to the group.| |4|Add the general ledger account the cash account is linked to.| ### RECOMMENDATION We recommend that you carefully design and configure restriction groups containing accounts, so that a user can view the accounts he or she needs for work. Otherwise, a user may encounter problems with processing transactions of the linked cash accounts. ## Windows for security of cash accounts In the following table, you can find the list of the windows that you can use to manage restriction groups with cash accounts and the tasks that you can solve by using each window. |Task|Window| |---|---| |To initially configure the visibility of a general ledger account to which a cash account is linked to users.|[General ledger account access (GL104000)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/general-ledger-account-access-gl104000/)| |To change the visibility of a general ledger account a cash account is linked to.|[Restriction groups by general ledger account (GL104020)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/restriction-groups-by-general-ledger-account-gl104020/)| |To change the visibility of a general ledger account to which a cash account is linked by a user in multiple restriction groups.|[Restriction groups by user (SM201035)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/restriction-groups-by-user-sm201035/)| |To change the visibility of a general ledger account to which a cash account is linked by a branch in multiple restriction groups.|[Restriction groups by branch (GL103020)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/restriction-groups-by-branch-gl103020/)| For information about how to add or remove objects from a restriction group, see: [About operations with restriction groups](/visma-net-erp/help/access-management/row-level-security/configure-restriction-groups/about-operations-with-restriction-groups/).

Concepts

About security of general ledger budget articles /visma-net-erp/help/access-management/row-level-security/manage-visibility-with-restriction-groups/about-security-of-general-ledger-budget-articles page In Visma Net, organisations implement general access restrictions by assigning roles to users of the system. 2026-02-19T17:09:06+01:00 # About security of general ledger budget articles In Visma Net, organisations implement general access restrictions by assigning roles to users of the system. In this topic, you will read about configuring restriction groups for managing the security of sensitive general ledger budget articles. ## Restricting view with roles vs. restriction groups If a role allows a user to view or edit General ledger budget articles, the user can view all the articles, including those that might be sensitive. By using restriction groups, you can limit the visibility of sensitive budget articles so that only particular users can see and work with these articles. ## Managing the visibility of general ledger budget articles by user You can configure restriction groups that will limit the visibility of General ledger budget articles (leaf articles or nodes at any level) for users. As a result, the users not included in the group will not be able to see the budget articles (and these articles' subarticles, if there are any). Suppose that the **Wages** budget article should be available to only the chief financial officer of your organisation. The following table describes how to configure the visibility of this budget article in the [General ledger budget access (GL105030)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/budget-access-gl105030/) window. |STEP|ACTION| |---|---| |1|Create a restriction group (for example, **Group for wages budget article** ) with direct restriction.| |2|Add the user account of the chief financial officer to the group.| |3|Add the **Wages** budget article to the group.| For more details about restriction groups, see: [About restriction groups in Visma.net ERP](/visma-net-erp/help/access-management/row-level-security/about-restriction-groups-in-visma-net-erp/). ## Windows for security of general ledger budget articles In the following table, you can find the list of windows that you can use to manage restriction groups with general ledger budget articles and tasks that you can resolve by using each window. |Task|Window| |---|---| |To initially configure the visibility of a general ledger budget article to users|[General ledger budget access (GL105030)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/budget-access-gl105030/)| |To change the visibility of a general ledger budget article in multiple restriction groups|[Restriction groups by budget article (GL105020)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/restriction-groups-by-budget-article-gl105020/)| |To change the visibility of a general ledger budget article by user in multiple restriction groups|[Restriction groups by user (SM201035)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/restriction-groups-by-user-sm201035/)| For information about how to add or remove objects from a restriction group, see: [About operations with restriction groups](/visma-net-erp/help/access-management/row-level-security/configure-restriction-groups/about-operations-with-restriction-groups/). About warehouse security /visma-net-erp/help/access-management/row-level-security/manage-visibility-with-restriction-groups/about-warehouse-security page An organisation can have multiple warehouses in Visma Net, and different groups of employees can work with these warehouses in the system. 2026-02-19T17:09:06+01:00 # About warehouse security An organisation can have multiple warehouses in Visma Net, and different groups of employees can work with these warehouses in the system. An organisation can have multiple warehouses in Visma Net, and different groups of employees can work with these warehouses in the system. In this topic, you can find information about configuring the security of warehouses in Visma Net. ## Managing multiple warehouses You can create and manage multiple warehouses in Visma Net only if the **Multiple warehouses** functionality is enabled in the [Enable/disable functionalities (CS100000)](/visma-net-erp/help/common-settings/enable-or-disable-functionalites/enable-disable-functionalities-cs100000/) window. ## Restricting access to warehouses To limit the set of employees who work with a particular warehouse, you can create restriction groups to display a warehouse only for employees who are responsible for tasks that involve this warehouse. If the employees who work with the same warehouse perform only specific tasks (such as accepting goods and creating purchase orders), you can provide access to only those windows that these employees should use. The most common scenarios of managing the security of warehouses are the following: + Managing access to windows based on functional role + Managing the visibility of particular warehouses by user ## Access to windows based on roles By using the User security windows, you can use user roles in Visma Net to give employees access to windows related to working with warehouses. A role can correspond to an area of responsibility for an employee who performs warehouse-related tasks, such as creating purchase orders, accepting goods, and preparing replenishment. If needed, you can assign multiple roles to an employee. For more information about user roles, see: [About role-based access](/visma-net-erp/help/access-management/user-security/about-role-based-access/). ### Examples of roles Consider the following examples of roles for employees who work with the Inventory module. Through the [Access rights by role (SM201025)](/visma-net-erp/help/access-management/user-security/user-security-windows/access-rights-by-role-sm201025/) window, you can administer the access you want for each of these roles. Supervisor : A role for an employee who configures the Inventory workspace and manages work with the workspace. Through the above mentioned window, this role should have access to the windows in the **Manage** and **Explore** nodes of the **Work area** tab, and to the **Configuration** tab of the Inventory workspace. Data entry clerk : A role for an employee who creates documents on data entry forms. Through the above mentioned window, you should provide access to windows in the **Enter** node of the **Work area** tab of the Inventory workspace for this role. Purchasing manager : A role for an employee who is responsible for replenishment. For this role, you should provide access to the **Replenishment** node of the **Processes** tab of the Inventory workspace, through the above mentioned window. ## Visibility of warehouses by user By default, all employees who have access to windows of the Inventory module can see all warehouses created in the system. ### Configuring restriction groups By using the windows of the Row-level security workspace, you can configure the system so that each warehouse is displayed only to users who work with this warehouse. You can use restriction groups to set up visibility of warehouses to employees. For details on restriction groups, see: [About restriction groups in Visma Net](/visma-net-erp/help/access-management/row-level-security/about-restriction-groups-in-visma-net-erp/). ### Practical example Suppose that your system has the **Wholesale** and **Retail** warehouses defined, and you need to configure visibility of these warehouses to users as follows: + User S is a supervisor and should configure and manage both warehouses. + User C1 is a clerk who enters documents for the **Wholesale** warehouse. + User C2 is a clerk who enters documents for the **Retail** warehouse. The following table describes how to configure visibility of warehouses according to this example.

STEP	ACTION
1	Go to the Warehouse access (IN102000) window.
2	Create two restriction groups of type A (with direct restriction): Group 1 for the Wholesale warehouse, and Group 2 for the Retail warehouse.
3	In Group 1, include User S, User C1, and the Wholesale warehouse.
4	In Group 2, include User S, User C2, and the Retail warehouse.

### Final visibility The resulting visibility of warehouses will be the following: + User S can see both the **Wholesale** and **Retail** warehouses. + User C1 can see only the **Wholesale** warehouse. + User C2 can see only the **Retail** warehouse. ## Windows for warehouse security In the following table, you can find the list of windows that you can use to manage restriction groups with warehouses and tasks that you can solve by using each window. |Tasks|Window| |---|---| |To initially configure the visibility of a warehouse to users|[Warehouse access (IN102000)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/warehouse-access-in102000/)| |To change the visibility of a warehouse in multiple restriction groups|[Restriction groups by warehouse (IN102010)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/restriction-groups-by-warehouse-in102010/)| |To change the visibility of warehouses to a user in multiple restriction groups|[Restriction groups by user (SM201035)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/restriction-groups-by-user-sm201035/)| For information about how to add or remove objects from a restriction group, see: [About operations with restriction groups](/visma-net-erp/help/access-management/row-level-security/configure-restriction-groups/about-operations-with-restriction-groups/). ## Restricting visibility of stock items In addition to managing the visibility of warehouses in whole, you can restrict the visibility of particular stock items. For details, see: [About item security](/visma-net-erp/help/access-management/row-level-security/manage-visibility-with-restriction-groups/about-item-security/). About item security /visma-net-erp/help/access-management/row-level-security/manage-visibility-with-restriction-groups/about-item-security page An organisation that distributes goods may have many items in stock. 2026-02-19T17:09:06+01:00 # About item security An organisation that distributes goods may have many items in stock. An organisation that distributes goods may have many items in stock. In this case, users who work with items in the system may have specific tasks and work with only particular item classes. When users create a sales order, they need to enter an item ID for each product. You can define restriction groups to decrease the lists of items a particular user sees. In this topic, you will read about managing the visibility of items to users in the system. ## Visibility of items to users The list of items from which employees should select an item for the product can be very long, which increases the probability of an entry error. By using restriction groups, you can reduce the list of items that users see on windows. For more information about restriction groups, see: [About restriction groups in Visma Net](/visma-net-erp/help/access-management/row-level-security/about-restriction-groups-in-visma-net-erp/). ### Example Suppose that your organisation sells furniture. Each sales manager works with furniture for a particular room, such as kitchen, living room, and bedroom. When managers create a sales order, they should select items only from the list of furniture they sell to avoid entry mistakes. Suppose that: + User K sells kitchen furniture, + User L sells living room furniture, and + User M sells bedroom furniture. The following table describes how to restrict the visibility of items to appropriate users in the system. |STEP|ACTION| |---|---| |1|Go to the [Item access (IN103000)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/item-access-in103000/) window.| |2|Create restriction groups K, L and M with direct restriction.| |3|In group K, include User K and all item IDs for kitchen furniture items.| |4|In group L, add User L and all item IDs for items of the living room furniture.| |5|In group M, include User M and all item IDs for the bedroom furniture items.| ### Final visibility As a result, the visibility of the items in sales orders will be restricted in the system as follows: + User K can view and select only items for the kitchen furniture. + User L can work with only items for the living room furniture. + User M can see and select only items for the bedroom furniture. + All other users cannot see the items added to the three restriction groups in the system. ## Types of restriction groups In Visma Net, you can configure groups with direct and inverse restriction. In this topic, groups with direct restriction are used in examples for simplicity. You can use inverse restriction groups in the same way as you use direct restriction groups. For details on the types of restriction groups, see: [About types of restriction groups](/visma-net-erp/help/access-management/row-level-security/about-types-of-restriction-groups/). ## Windows for item security In the following table, you can find the list of the windows that you can use to manage restriction groups with items and the tasks that you can solve by using each window. |Task|Window| |---|---| |To initially configure the visibility of an item to users|[Item access (IN103000)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/item-access-in103000/)| |To change the visibility of an item in multiple restriction groups|[Restriction groups by item (IN103020)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/restriction-groups-by-item-in103020/)| |To change the visibility of items to a user in multiple restriction groups|[Restriction groups by user (SM201035)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/restriction-groups-by-user-sm201035/)| For information about how to add or remove objects from a restriction group, see: [About operations with restriction groups](/visma-net-erp/help/access-management/row-level-security/configure-restriction-groups/about-operations-with-restriction-groups/). About security of organisation branches /visma-net-erp/help/access-management/row-level-security/manage-visibility-with-restriction-groups/about-security-of-organisation-branches page If your organisation has multiple branches defined in Visma Net, you may need to control which employees get access to which branches. 2026-02-19T17:09:06+01:00 # About security of organisation branches If your organisation has multiple branches defined in Visma Net, you may need to control which employees get access to which branches. In this topic, you will read about ways to manage the security of a branch. ## Managing multiple branches You can create and maintain multiple branches in your Visma Net instance only if the **Multi-branch support** functionality is enabled in the [Enable/disable functionalities (CS100000)](/visma-net-erp/help/common-settings/enable-or-disable-functionalites/enable-disable-functionalities-cs100000/) window (for details, see: [About multi-branch support](/visma-net-erp/help/organisation-structure/about-multi-branch-support/) ). ## Restricting access to branches Because branches share some data, you may also need to control access to the shared data. Visma Net provides user access roles, which you can use to control users' access to branches, and restriction groups to limit the visibility of shared data. The most common scenarios of managing the security of company branches are the following: + Managing user access to branches + Managing the visibility of data shared between branches ## User access to branches The following table explains how to provide access to branches for users who will work in the system. |STEP|ACTION| |---|---| |1|Go to the [User roles (SM201005)](/visma-net-erp/help/access-management/user-security/user-security-windows/user-roles-sm201005/) window.| |2|Create branch-specific user roles (one role per branch).| |3|Assign these roles to user accounts. For details on user roles, see: About role-based access.| |4|Go to the [Branches (CS102000)](/visma-net-erp/help/organisation-structure/organisation-structure-windows/branches-cs102000/) window.| |5|Assign the roles to branches. That is, for each branch, in the Access role field, you select the user role created for this branch.| ### After assigning the first role Once a role is assigned to one of the branches, other branches must also have roles assigned. A branch with no role assigned will be inaccessible to any user. To allow a user to access multiple branches, assign the roles for the branches to which the user should have access. ### Access to branch data in windows If a user, based on his or her role, has access to a data entry form where this user enters a document and specifies the branch of origin, only the branches to which the user has access are available on the drop-down list. The users who have access to multiple branches can select the specific branch from the **Branches** menu in the window's title toolbar and create documents on behalf of the selected branch. ## Full branch access No matter which branch users have access to, users who have access to the following windows, based on their roles, will see and work with all branches (because users configure system objects by using these windows): + [Inter-branch account mapping - reference information](/visma-net-erp/help/general-ledger/general-ledger-windows/inter-branch-account-mapping-gl101010/) + [Branches (CS102000)](/visma-net-erp/help/organisation-structure/organisation-structure-windows/branches-cs102000/) + [Buildings (CS205010)](/visma-net-erp/help/organisation-structure/organisation-structure-windows/buildings-cs205010/) + [Company tree (EP204060)](/visma-net-erp/help/organisation-structure/organisation-structure-windows/company-tree-ep204060/) + [Restriction groups by branch (GL103020)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/restriction-groups-by-branch-gl103020/) + [General ledger accounts by branch access (GL103040)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/general-ledger-accounts-by-branch-access-gl103040/) + [Subaccounts by branch access (GL103060)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/subaccounts-by-branch-access-gl103060/) ## Visibility of data within a branch Branches have some data shared between branches and some data kept as branch-specific (for details, see: [About multi-branch support](/visma-net-erp/help/organisation-structure/about-multi-branch-support/)). You may need to restrict the visibility of data that is shared but may contain sensitive information, such as general ledger accounts and subaccounts. Visma Net provides restriction groups so you can control which accounts and subaccounts are used with which branch. For details on configuring restriction groups for accounts and subaccounts, see: [About account and subaccount security](/visma-net-erp/help/access-management/row-level-security/manage-visibility-with-restriction-groups/about-account-and-subaccount-security/). ## Windows for branch security In the following table, you can find the list of the windows that you can use to manage restriction groups with branches and the tasks that you can resolve by using each window. |Task|Window| |---|---| |To initially configure the visibility of accounts by branches|[General ledger accounts by branch access (GL103040)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/general-ledger-accounts-by-branch-access-gl103040/)| |To initially configure the visibility of subaccounts (or subaccount segments) by branches|[Subaccounts by branch access (GL103060)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/subaccounts-by-branch-access-gl103060/)| |To change the visibility of system objects by a branch in multiple groups|[Restriction groups by branch (GL103020)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/restriction-groups-by-branch-gl103020/)| ## Types of restriction groups In Visma Net, you can configure groups with direct and inverse restriction. In this topic, groups with direct restriction are used in examples for simplicity. You can use inverse restriction groups in the same way as you use direct restriction groups. For details on the types of restriction groups, see: [About types of restriction groups](/visma-net-erp/help/access-management/row-level-security/about-types-of-restriction-groups/). For information about how to add or remove objects from a restriction group, see: [About operations with restriction groups](/visma-net-erp/help/access-management/row-level-security/configure-restriction-groups/about-operations-with-restriction-groups/). About customer security /visma-net-erp/help/access-management/row-level-security/manage-visibility-with-restriction-groups/about-customer-security page If your organisation sells goods and provides services to customers, you may have a great deal of customer-related information stored in Visma Net. 2026-02-19T17:09:06+01:00 # About customer security If your organisation sells goods and provides services to customers, you may have a great deal of customer-related information stored in Visma Net. When the employees of your organisation create documents for customers, they have to select the required customer from the full list of customers. If certain employees work with only very important customers, and other employees are not allowed to see these customers in the system for security reasons, you can create restriction groups to manage the visibility of your customers to users of Visma Net, as described in this topic. ## Visibility of customers by user By using restriction groups, you can show or hide particular customers on Visma Net windows, depending on the user who is logged in to the system. For instance, if some customers are very important to your organisation, dedicated employees might be assigned to process documents that contain information about these customers in the system. ### Example Suppose that your organisation provides cleaning services and Megabank is a very important customer of your organisation. Manager M is responsible for all operations in the systems related to Megabank, and other managers should not see Megabank in any windows of the system. The following table explains the steps to configure the visibility of this customer in the system. |STEP|ACTION| |---|---| |1|Go to the [Customer access (AR102000)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/customer-access-ar102000/) window.| |2|Create a restriction group (for example, Group for Megabank) with direct restriction.| |3|Add the user account of the Manager M to the group.| |4|Add the Megabank customer to the group.| ## Default restriction groups If you use customer classes and want to include each new customer of a particular class in a restriction group automatically, you can specify a default restriction group for this class, as described in [About operations with restriction groups](/visma-net-erp/help/access-management/row-level-security/configure-restriction-groups/about-operations-with-restriction-groups/). ## Windows for customer security In the following table, you can find the list of the windows that you can use to manage restriction groups with customers and the tasks that you can resolve by using each window. |Task|Window| |---|---| |To initially configure the visibility of a customer to users|[Customer access](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/customer-access-ar102000/)| |To change the visibility of a customer in multiple restriction groups|[Restriction groups by customer (AR102010)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/restriction-groups-by-customer-ar102010/)| |To change the visibility of customers to a user in multiple restriction groups|[Restriction groups by user](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/restriction-groups-by-user-sm201035/)| For information about how to add or remove objects from a restriction group, see: [About operations with restriction groups](/visma-net-erp/help/access-management/row-level-security/configure-restriction-groups/about-operations-with-restriction-groups/). ## Types of restriction groups In Visma Net, you can configure groups with direct and inverse restriction. In this topic, groups with direct restriction are used in examples for simplicity. You can use inverse restriction groups in the same way as you use direct restriction groups. For details on the types of restriction groups, see: [About types of restriction groups](/visma-net-erp/help/access-management/row-level-security/about-types-of-restriction-groups/). About supplier security /visma-net-erp/help/access-management/row-level-security/manage-visibility-with-restriction-groups/about-supplier-security page If your organisation buys goods and services from external organisations, your accountants manage suppliers' information and process documents. 2026-02-19T17:09:06+01:00 # About supplier security If your organisation buys goods and services from external organisations, your accountants manage suppliers' information and process documents. If your organisation works with more than 10 suppliers, accountants may work with particular suppliers only. In this case, the accountants who do not work with these suppliers should not see them in the system for security reasons and to avoid entry errors. You can use restriction groups to configure and manage the visibility of suppliers to users in the system, as described in this topic. ## Visibility of suppliers by user By using restriction groups you can configure and manage the visibility of suppliers to users in the system. This way you can make suppliers visible only to accountants who work with these suppliers in the system. If each accountant in your organisation works with specific suppliers, you can hide these suppliers from other users. For details about restriction groups, see: [About restriction groups in Visma.net ERP](/visma-net-erp/help/access-management/row-level-security/about-restriction-groups-in-visma-net-erp/). ### Example Suppose that ABComputers is your supplier of computers and office equipment, and only the senior accountant is allowed to process documents from this supplier. The following table explains the steps to configure the visibility of this supplier. |STEP|ACTION| |---|---| |1|Go to the the [Supplier access (AP102000)](/visma-net-erp/help/supplier-ledger/supplier-ledger-windows/supplier-access-ap102000/) window.| |2|Create a restriction group with direct restriction (for example: Group for ABComputers).| |3|Add the user account of the senior accountant to the group.| |4|Add the ABComputers supplier to the group.| ## Default restriction groups If you have configured supplier classes, you can specify a default restriction group for a supplier class. With this setting, all new suppliers of the class will be automatically added to the restriction group. For details, see: Setting up default restriction groups for supplier and customer classes in [About operations with restriction groups](/visma-net-erp/help/access-management/row-level-security/configure-restriction-groups/about-operations-with-restriction-groups/). ## Windows for supplier security In the following table, you can find the list of the windows that you can use to manage restriction groups with suppliers and the tasks that you can resolve by using each window. |Task|Window| |---|---| |To initially configure the visibility of a supplier to users|[Supplier access (AP102000)](/visma-net-erp/help/supplier-ledger/supplier-ledger-windows/supplier-access-ap102000/)| |To change the visibility of a supplier in multiple restriction groups|[Restriction groups by supplier (AP102010)](/visma-net-erp/help/supplier-ledger/supplier-ledger-windows/restriction-groups-by-supplier-ap102010/)| |To change the visibility of suppliers to a user in multiple restriction groups|[Restriction groups by user (SM201035)](/visma-net-erp/help/access-management/row-level-security/row-level-security-windows/restriction-groups-by-user-sm201035/)| For information about how to add or remove objects from a restriction group, see: [About operations with restriction groups](/visma-net-erp/help/access-management/row-level-security/configure-restriction-groups/about-operations-with-restriction-groups/). ## Types of restriction groups In Visma Net, you can configure groups with direct and inverse restriction. In this topic, groups with direct restriction are used in examples for simplicity. You can use inverse restriction groups in the same way as you use direct restriction groups. For details on the types of restriction groups, see: [About types of restriction groups](/visma-net-erp/help/access-management/row-level-security/about-types-of-restriction-groups/).

Related pages

Concepts

Related pages

Concepts