
Deep Dive: User Access Control Strategies

Introduction

Effective user access control is fundamental to security and operational efficiency. Zudello provides a flexible framework combining Access Permissions, Data Permissions, and User Groups to implement granular control. This guide focuses on practical strategies and common scenarios for designing and implementing robust access control within your organisation.

This guide assumes familiarity with the concepts explained in:

Strategy: Role-Based Access Control (RBAC)

The most common and recommended strategy is RBAC. Instead of assigning permissions directly to users, you define roles (e.g., AP Clerk, Purchasing Manager, Approver) and create corresponding User Groups.

  1. Identify Roles: Define the distinct job functions that interact with Zudello.
  2. Define Permissions per Role: For each role, determine:
    • Actions: What actions should this role be able to perform (e.g., View Invoices, Create POs, Approve Expenses)? -> Defines required Access Permissions.
    • Data Scope: What data should this role be able to see/interact with (e.g., All data, Only their own submissions, Only data for Department X)? -> Defines required Data Permissions.
  3. Create User Groups:
    • Create Access Groups named after roles (e.g., "AP Clerk Access", "Manager Access"). Assign the required Access Permissions to these groups.
    • Create Visibility Groups named after roles and data scopes (e.g., "AP Clerk Visibility - All", "Manager Visibility - Own Team", "Dept X Approver Visibility").
  4. Configure Data Permissions: Create Data Permission rules in Team Settings defining the required data scopes (e.g., Rule "View All Invoices", Rule "View Own Team Expenses"). Link these rules to the corresponding Visibility Groups.
  5. Assign Users: Assign users to the appropriate Access and Visibility groups within each relevant Team via Organisation Settings > Group Membership.

Common Scenarios & Implementation Examples

Scenario 1: Standard AP Clerk (Full Visibility within Team)

  • Goal: Allow AP Clerks to view, create, and update Invoices and Credit Notes within their assigned Team, and view related Suppliers.
  • Implementation:
    • Access Group ("AP Clerk Access"):
      • PURCHASING:INVOICE#VISIBLE, #VIEW, #CREATE, #UPDATE
      • PURCHASING:CREDIT#VISIBLE, #VIEW, #CREATE, #UPDATE
      • RELATIONSHIPS:SUPPLIER#VISIBLE, #VIEW
      • (Add other necessary permissions like #CHAT, #AUDIT)
    • Data Permission Rule ("View All Team Data"):
      • Model: Transaction, Operator: All
      • Model: Supplier, Operator: All
      • (Add rules for other models if needed)
    • Visibility Group ("AP Clerk Visibility - All"): Link the "View All Team Data" rule(s).
    • User Assignment: Assign AP Clerk users to "AP Clerk Access" and "AP Clerk Visibility - All" groups within their Team.

Scenario 2: Departmental Approver (Limited Visibility)

  • Goal: Allow Department Managers to view and approve Invoices and Requisitions coded specifically to their Department (e.g., "Sales"). They should not see documents from other departments.
  • Implementation:
    • Access Group ("Department Approver Access"):
      • PURCHASING:INVOICE#VISIBLE, #VIEW, #APPROVE
      • PURCHASING:REQUISITION#VISIBLE, #VIEW, #APPROVE
      • (Add #VISIBLE for relevant modules)
    • Data Permission Rule ("View Sales Dept Transactions"):
      • Model: Transaction
      • Field: Department
      • Operator: Specific
      • Value: [Select "Sales" Department record]
    • Visibility Group ("Approver Visibility - Sales Dept"): Link the "View Sales Dept Transactions" rule.
    • User Assignment: Assign the Sales Department Manager to "Department Approver Access" and "Approver Visibility - Sales Dept" groups within the Team.
    • Approval Sentence: Configure the approval Sentence to route to this specific user or to a "Sales Approvers" Approval Group based on the document's Department coding. Note that routing alone does not grant visibility: the approver must still hold the Access and Data Permissions above, or the document will be assigned to them but not viewable.

Scenario 3: Project Manager (Own Projects Only)

  • Goal: Allow Project Managers to view and approve POs and Invoices related to Projects they are assigned to as the owner.
  • Implementation:
    • Access Group ("Project Manager Access"):
      • PURCHASING:ORDER#VISIBLE, #VIEW, #APPROVE
      • PURCHASING:INVOICE#VISIBLE, #VIEW, #APPROVE
      • DIMENSIONS:PROJECT#VISIBLE, #VIEW (To see their projects)
    • Data Permission Rule 1 ("View Own Projects"):
      • Model: Project
      • Field: owner
      • Operator: Own
    • Data Permission Rule 2 ("View Transactions for Own Projects"):
      • Model: Transaction
      • Field: Project
      • Operator: Related
      • Related Rule: [Select "View Own Projects" rule]
    • Visibility Group ("Project Manager Visibility - Own Projects"): Link both "View Own Projects" and "View Transactions for Own Projects" rules.
    • User Assignment: Assign PM users to "Project Manager Access" and "Project Manager Visibility - Own Projects" groups. Ensure the owner field is correctly populated on Project dimension records.

Scenario 4: Standard User (Submit Own Expenses Only)

  • Goal: Allow standard employees to create, view, and submit their own Expenses and Claims, but not see those of others.
  • Implementation:
    • Access Group ("Employee Expense Access"):
      • EXPENSES:EXPENSE#VISIBLE, #VIEW, #CREATE, #UPDATE
      • EXPENSES:CLAIM#VISIBLE, #VIEW, #CREATE, #UPDATE
      • (Add #SUBMIT if using the Save & Submit button)
    • Data Permission Rule ("View Own Expenses/Claims"):
      • Model: Transaction
      • Field: employee (Assuming Claim links to Employee)
      • Operator: Own (Or potentially created_by or submitted_by depending on exact model links)
    • Visibility Group ("Employee Visibility - Own Expenses"): Link the "View Own Expenses/Claims" rule.
    • User Assignment: Assign standard employees to "Employee Expense Access" and "Employee Visibility - Own Expenses" groups.

Integrating with SSO/User Provisioning (Entra ID)

  • Strategy: Use Entra ID groups to manage Team membership and potentially basic role assignment, but rely on Zudello User Groups for granular permission assignment.
  • Process:
    1. Configure SSO and SCIM Provisioning between Entra ID and Zudello.
    2. Create an Entra ID group (e.g., "Zudello Users - Team A") for users needing access to a specific Zudello Team.
    3. In Zudello's SSO settings, map this Entra ID group to the corresponding Zudello Team. Users added/removed from the Entra group will automatically gain/lose access to the Zudello Team.
    4. (Optional - Advanced): SCIM provisioning manages Team membership only; it does not map Entra ID groups to Zudello User Groups. Mapping different Entra ID groups to different Zudello User Groups would require custom scripting or a future enhancement.
    5. Assign Zudello Access/Visibility groups manually via Group Membership or potentially via API/scripting based on user attributes synced from Entra ID (like Department or Job Title).

See Microsoft Entra ID User Provisioning.

Secure Delegation Strategy

  • Problem: A delegate needs to approve a document but lacks the necessary Data Permissions to view it.
  • Solution: Use the Delegate Duties option when configuring the delegation.
  • Mechanism: When "Delegate Duties" is ON, the delegate temporarily inherits the User Group memberships (and thus the Access and Data Permissions) of the delegator specifically within the team where the delegation is active.
  • Security Consideration: Only enable "Delegate Duties" when necessary and ensure users understand the implications. The delegate gains the delegator's full access level for that team for the whole delegation period, not just for the documents they were asked to approve, so keep delegations short and review them when they end.
  • Alternative: If "Delegate Duties" is OFF, ensure the delegate already has sufficient independent permissions via their own User Group assignments.

See Delegate Approvals Overview.
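The following is an added worked model of how the two permission layers combine in Scenarios 2, 3 and 4 above and under "Delegate Duties". It is illustrative code written for this guide, not Zudello's implementation or API, and it encodes assumptions the page describes but does not spell out in code: an action is allowed only when the user holds the matching Access Permission (MODULE:MODEL#ACTION) AND at least one Data Permission rule in their Visibility Groups matches the record; a "Related" rule is resolved by looking up the referenced record and testing it against the linked rule; "Own" is evaluated against the acting user; "Delegate Duties" merges the delegator's group memberships into the delegate's; and everything is within a single Team. The group names, permission strings, users and records are constructed to mirror the scenarios.

```python
"""Toy model of layered access control: Access Permissions + Data Permissions (+ delegation).
Added example for this guide; not Zudello code. Assumes a single Team."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Any, Optional

# Access Groups -> Access Permissions (MODULE:MODEL#ACTION), mirroring Scenarios 2-4.
ACCESS_GROUPS: dict[str, set[str]] = {
    "Department Approver Access": {
        "PURCHASING:INVOICE#VISIBLE", "PURCHASING:INVOICE#VIEW", "PURCHASING:INVOICE#APPROVE",
        "PURCHASING:REQUISITION#VISIBLE", "PURCHASING:REQUISITION#VIEW", "PURCHASING:REQUISITION#APPROVE",
    },
    "Project Manager Access": {
        "PURCHASING:ORDER#VISIBLE", "PURCHASING:ORDER#VIEW", "PURCHASING:ORDER#APPROVE",
        "PURCHASING:INVOICE#VISIBLE", "PURCHASING:INVOICE#VIEW", "PURCHASING:INVOICE#APPROVE",
        "DIMENSIONS:PROJECT#VISIBLE", "DIMENSIONS:PROJECT#VIEW",
    },
    "Employee Expense Access": {
        "EXPENSES:EXPENSE#VISIBLE", "EXPENSES:EXPENSE#VIEW", "EXPENSES:EXPENSE#CREATE", "EXPENSES:EXPENSE#UPDATE",
    },
}

@dataclass(frozen=True)
class Rule:
    """A Data Permission rule: Model / Field / Operator / Value (+ linked rule for Related)."""
    model: str
    operator: str                      # "All", "Specific", "Own" or "Related"
    field: Optional[str] = None
    value: Any = None                  # Specific: the field value the record must carry
    related: Optional[Rule] = None     # Related: rule the referenced record must satisfy

VIEW_OWN_PROJECTS = Rule("Project", "Own", field="owner")
# Visibility Groups -> linked Data Permission rules.
VISIBILITY_GROUPS: dict[str, list[Rule]] = {
    "Approver Visibility - Sales Dept": [Rule("Transaction", "Specific", field="department", value="Sales")],
    "Project Manager Visibility - Own Projects": [
        VIEW_OWN_PROJECTS,
        Rule("Transaction", "Related", field="project", related=VIEW_OWN_PROJECTS),
    ],
    "Employee Visibility - Own Expenses": [Rule("Transaction", "Own", field="employee")],
}

# Constructed sample records. "model" is the Data Permission model; "kind" is the
# MODULE:MODEL that Access Permissions are keyed on (assumed mapping).
RECORDS: dict[str, dict[str, Any]] = {
    "P-1":   {"model": "Project", "kind": "DIMENSIONS:PROJECT", "owner": "bob"},
    "P-2":   {"model": "Project", "kind": "DIMENSIONS:PROJECT", "owner": "erin"},
    "INV-1": {"model": "Transaction", "kind": "PURCHASING:INVOICE", "department": "Sales", "project": "P-1"},
    "INV-2": {"model": "Transaction", "kind": "PURCHASING:INVOICE", "department": "Marketing", "project": "P-2"},
    "EXP-1": {"model": "Transaction", "kind": "EXPENSES:EXPENSE", "employee": "alice"},
    "EXP-2": {"model": "Transaction", "kind": "EXPENSES:EXPENSE", "employee": "frank"},
}

@dataclass(frozen=True)
class User:
    name: str
    access_groups: frozenset[str] = frozenset()
    visibility_groups: frozenset[str] = frozenset()

USERS: dict[str, User] = {
    "dana":  User("dana", frozenset({"Department Approver Access"}), frozenset({"Approver Visibility - Sales Dept"})),
    "bob":   User("bob", frozenset({"Project Manager Access"}), frozenset({"Project Manager Visibility - Own Projects"})),
    "alice": User("alice", frozenset({"Employee Expense Access"}), frozenset({"Employee Visibility - Own Expenses"})),
    "carol": User("carol"),   # no groups of her own; only ever acts as a delegate
}

@dataclass(frozen=True)
class Delegation:
    delegator: str
    delegate: str
    delegate_duties: bool   # ON: delegate inherits the delegator's group memberships

def rule_matches(rule: Rule, record: dict[str, Any], user: User) -> bool:
    """Does one Data Permission rule make `record` visible to `user`?"""
    if rule.model != record["model"]:
        return False
    if rule.operator == "All":
        return True
    if rule.operator == "Specific":
        return record.get(rule.field) == rule.value
    if rule.operator == "Own":           # assumption: compared against the acting user
        return record.get(rule.field) == user.name
    if rule.operator == "Related":       # follow the link, then test the linked rule
        target = RECORDS.get(record.get(rule.field))
        return target is not None and rule_matches(rule.related, target, user)
    raise ValueError(f"unknown operator {rule.operator!r}")

def effective_groups(user: User, delegations: tuple[Delegation, ...] = ()) -> tuple[set[str], set[str]]:
    """User's own groups, plus the delegator's when a Delegate Duties=ON delegation targets them."""
    access, visibility = set(user.access_groups), set(user.visibility_groups)
    for d in delegations:
        if d.delegate == user.name and d.delegate_duties:
            access |= USERS[d.delegator].access_groups
            visibility |= USERS[d.delegator].visibility_groups
    return access, visibility

def can(user_name: str, action: str, record_id: str, delegations: tuple[Delegation, ...] = ()) -> bool:
    """Both layers must pass: the Access Permission for the action AND a matching Data Permission rule."""
    user, record = USERS[user_name], RECORDS[record_id]
    access, visibility = effective_groups(user, delegations)
    perms = {p for g in access for p in ACCESS_GROUPS[g]}
    if f"{record['kind']}#{action}" not in perms:
        return False                                   # action not granted at all
    rules = [r for g in visibility for r in VISIBILITY_GROUPS[g]]
    return any(rule_matches(r, record, user) for r in rules)   # record not in the user's data scope

if __name__ == "__main__":
    on = (Delegation("dana", "carol", delegate_duties=True),)
    print(can("dana", "APPROVE", "INV-1"), can("dana", "APPROVE", "INV-2"))      # True False
    print(can("bob", "APPROVE", "INV-1"), can("bob", "APPROVE", "INV-2"))        # True False
    print(can("carol", "APPROVE", "INV-1"), can("carol", "APPROVE", "INV-1", on))  # False True
```

The last two lines of the usage show the delegation problem from above: carol has no groups, so without "Delegate Duties" she cannot approve INV-1 even if the Sentence routes it to her; with it ON she inherits dana's groups and therefore dana's Sales-only scope, and still cannot see the Marketing invoice.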

Auditing Access Levels

Regularly auditing user access is crucial for security and compliance.

  1. Review Group Membership: Periodically check Organisation Settings > Group Membership. Verify that users are assigned to the correct groups within each team. Remove users from groups they no longer need.
  2. Review Group Permissions: Periodically review the Access Permissions assigned to each Access Group (Organisation Settings > User Groups) and the Data Permission rules linked to each Visibility Group (Team Settings > Data Permissions & Organisation Settings > User Groups). Ensure they still align with the intended roles and the principle of least privilege.
  3. Review User Activity: Use Zudello's Audit Logs (if permissions allow) or potentially custom reports (future) to review user actions, particularly sensitive ones like deletions, configuration changes, or approvals.
  4. Review Inactive Users: Regularly check for inactive users (Organisation Settings > Users) and ensure their access (Team memberships, Group memberships) has been properly revoked or deactivated.
  5. Entra ID Audit (If Applicable): Audit membership of the Entra ID groups linked to Zudello Team access.
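The review steps above are easier to repeat if the role design from the RBAC section is written down as a role-to-groups matrix and checked against an export of Group Membership and user status. The script below is an added example for this guide, not a Zudello tool or API: it assumes two CSV exports with the constructed column layouts shown (user, role, status; user, team, group), which you would adapt to whatever export your organisation produces. It flags the three drift conditions steps 1, 2 and 4 look for: groups beyond a user's role, expected groups missing (the user will be assigned work they cannot see), and inactive users still holding memberships.

```python
"""Reconcile Group Membership against a role matrix. Added example; CSV layouts are assumed."""
import csv
import io
from collections import defaultdict

# Expected groups per role, mirroring the scenarios in this guide (constructed).
ROLE_MATRIX: dict[str, set[str]] = {
    "AP Clerk": {"AP Clerk Access", "AP Clerk Visibility - All"},
    "Sales Manager": {"Department Approver Access", "Approver Visibility - Sales Dept"},
    "Employee": {"Employee Expense Access", "Employee Visibility - Own Expenses"},
}

# Constructed sample exports.
USERS_CSV = """user,role,status
alice,Employee,active
bob,AP Clerk,active
carol,Sales Manager,active
dave,AP Clerk,inactive
"""

MEMBERSHIP_CSV = """user,team,group
alice,Finance,Employee Expense Access
alice,Finance,Employee Visibility - Own Expenses
bob,Finance,AP Clerk Access
bob,Finance,AP Clerk Visibility - All
bob,Finance,Department Approver Access
carol,Finance,Department Approver Access
dave,Finance,AP Clerk Access
dave,Finance,AP Clerk Visibility - All
"""

def audit(users_csv: str, membership_csv: str, role_matrix: dict[str, set[str]]) -> list[tuple[str, str, str, str]]:
    """Return findings as (user, team, code, detail), sorted for stable reporting."""
    users = {row["user"]: row for row in csv.DictReader(io.StringIO(users_csv))}
    held: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))  # user -> team -> groups
    for row in csv.DictReader(io.StringIO(membership_csv)):
        held[row["user"]][row["team"]].add(row["group"])

    findings = []
    for name, teams in held.items():
        user = users.get(name)
        if user is None:
            findings.append((name, "*", "UNKNOWN_USER", "holds group memberships but is not in the user export"))
            continue
        expected = role_matrix.get(user["role"], set())
        for team, groups in teams.items():
            if user["status"] != "active":
                findings.append((name, team, "INACTIVE_WITH_GROUPS", f"still in {sorted(groups)}"))
                continue   # revoke first; no point grading an inactive user's groups
            extra = groups - expected
            if extra:
                findings.append((name, team, "EXTRA_GROUPS", f"beyond role '{user['role']}': {sorted(extra)}"))
            missing = expected - groups
            if missing:
                findings.append((name, team, "MISSING_GROUPS", f"role '{user['role']}' expects {sorted(missing)}"))
    return sorted(findings)

if __name__ == "__main__":
    for user, team, code, detail in audit(USERS_CSV, MEMBERSHIP_CSV, ROLE_MATRIX):
        print(f"{code:22} {user:8} {team:10} {detail}")
```

On the sample data this reports bob holding "Department Approver Access" on top of his AP Clerk role, carol missing her Visibility Group (she can be routed approvals she cannot open), and dave, who is inactive, still in two groups. Run the same check against the Entra ID groups mapped to Teams (step 5) by exporting their membership in the same layout.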

By strategically combining User Groups, Access Permissions, and Data Permissions, administrators can create tailored and secure access control environments that meet diverse organisational needs. Regular auditing ensures these controls remain effective over time.