About security of organisation branches
If your organisation has multiple branches defined in Visma Net, you may need to control which employees get access to which branches.
Because branches share some data, you may also need to control access to the shared data. Visma Net provides user access roles, which you can use to control users’ access to branches, and restriction groups to limit the visibility of shared data. In this topic, you will read about ways to manage the security of a branch.
In Visma Net, you can configure groups with direct and inverse restriction. In this topic, groups with direct restriction are used in examples for simplicity. You can use inverse restriction groups in the same way as you use direct restriction groups. For details on the types of restriction groups, see: About types of restriction groups.
Usage scenarios
The most common scenarios of managing the security of company branches are the following:
- Managing user access to branches: If your organisation has multiple branches (and you have created multiple branches in Visma Net ), you can configure access to branches for employees who work in these branches.
- Managing the visibility of data shared between branches: If you need to make data shared between branches (such as general ledger accounts and subaccounts) visible only within a particular branch, you can use restriction groups to resolve this task.
You can create and maintain multiple branches in your Visma Net instance only if the Multi-branch support functionality is enabled in the Enable/disable functionalities (CS100000) window (for details, see: About multi-branch support).
User access to branches
After multiple branches have been defined in the system, you provide access to the branches for users who will work in the system as follows:
- In the User roles (SM201005) window, you create branch-specific user roles (one role per branch) and assign these roles to user accounts. For details on user roles, see: About role-based access.
- In the Branches (CS102000) window, you assign the roles to branches as follows: For each branch, in the Access role field, you select the user role created for this branch.
- Once a role is assigned to one of the branches, other branches also must have roles assigned. A branch with no role assigned will be inaccessible to any user.To allow a user to access multiple branches, assign to him or her the roles for the branches to which the user should have access.
If a user, based on his or her role, has access to a data entry form where this user enters a document and specifies the branch of origin, only the branches to which the user has access are available on the drop-down list. The users who have access to multiple branches can select the specific branch from the Branches menu in the window’s title toolbar and create documents on behalf of the selected branch.
No matter which branch users have access to, users who have access to the following windows, based on their roles, will see and work with all branches (because users configure system objects by using these windows):
- Inter-branch account mapping - reference information
- Branches (CS102000)
- Buildings (CS205010)
- Company tree (EP204060)
- Restriction groups by branch (GL103020)
- General ledger accounts by branch access (GL103040)
- Subaccounts by branch access (GL103060)
Visibility of data within a branch
Branches have some data shared between branches and some data kept as branch-specific (for details, see: About multi-branch support). You may need to restrict the visibility of data that is shared but may contain sensitive information, such as general ledger accounts and subaccounts. Visma Net provides restriction groups so you can control which accounts and subaccounts are used with which branch. For details on configuring restriction groups for accounts and subaccounts, see: About account and subaccount security.
Windows for branch security
In the following table, you can find the list of the windows that you can use to manage restriction groups with branches and the tasks that you can resolve by using each window.
| Task | Window |
|---|---|
| To initially configure the visibility of accounts by branches | General ledger accounts by branch access (GL103040) |
| To initially configure the visibility of subaccounts (or subaccount segments) by branches | Subaccounts by branch access (GL103060) |
| To change the visibility of system objects by a branch in multiple groups | Restriction groups by branch (GL103020) |
For information about how to add or remove objects from a restriction group, see: About operations with restriction groups.
Parent topic:
Manage visibility with restriction groups - overview