Role Restrictions
Limiting data access by organizational segments.
Learning Objectives
After this module, you will be able to:
- Understand how restrictions filter data
- Configure segment-based restrictions
- Combine multiple restriction types
- Troubleshoot restriction issues
What are Restrictions?
Restrictions limit which records users can see based on organizational segments.
RESTRICTION CONCEPT
===============================================================================
WITHOUT RESTRICTIONS       WITH RESTRICTIONS
┌─────────────────────┐    ┌─────────────────────┐
│ User sees ALL       │    │ User sees ONLY      │
│ subsidiaries        │    │ assigned subsidiary │
│ departments         │    │ department          │
│ locations           │    │ location            │
│ classes             │    │ class               │
└─────────────────────┘    └─────────────────────┘
           ↓                          ↓
     Security Risk           Proper Segmentation
Restriction Types
Available Segments
| Restriction | Description | Common Use |
|---|---|---|
| Subsidiary | Legal entity (OneWorld) | Multi-company access |
| Department | Organizational unit | Departmental data |
| Location | Physical location | Regional access |
| Class | Business segment | Product line/division |
How Restrictions Work
RESTRICTION FILTERING
===============================================================================
Role: Regional Sales Manager - West
Restrictions Applied:
├── Subsidiary: ABC Company US
├── Location: West Region, West Warehouse
├── Department: Sales
└── Class: [No restriction - sees all]
What User SEES:
├── Customers in West locations
├── Sales orders for West
├── Inventory at West Warehouse
├── Sales department records
└── All class segments
What User CANNOT SEE:
├── East Region data
├── Canada Subsidiary (if OneWorld)
├── Operations department records
└── Other regions' transactions
Configuring Restrictions
Navigation
Setup > Users/Roles > Manage Roles > [Role] > Restrictions subtab
Configuration Steps
RESTRICTION CONFIGURATION
===============================================================================
Step 1: Open Role
Navigation: Setup > Users/Roles > Manage Roles
Click on role name
Step 2: Go to Restrictions Tab
Click "Restrictions" subtab
Step 3: Add Restrictions
For each segment type:
├── Click dropdown
├── Select allowed values
├── Can select multiple values
└── Leave blank = no restriction (sees all)
Step 4: Save Role
Click Save
Changes apply on next user login
Example Configurations
| Role | Subsidiary | Department | Location | Effect |
|---|---|---|---|---|
| US Controller | US Only | All | All | Sees all US data |
| Sales Rep - East | All | Sales | East | East sales only |
| Warehouse East | All | Operations | East Warehouse | East warehouse only |
| CFO | All | All | All | No restrictions |
Multiple Restriction Values
Adding Multiple Values
MULTIPLE VALUE BEHAVIOR
===============================================================================
Role has Location: West Region, Central Region
User CAN see:
├── Records with Location = West Region
├── Records with Location = Central Region
├── Transactions tagged to either location
└── Reports filtered to both
User CANNOT see:
├── Records with Location = East Region
├── Records with other locations
└── Data from excluded regions
Note: Multiple values = OR logic (West OR Central)
Blank Location Records
| Setting | Behavior |
|---|---|
| View All (no restriction) | Sees blank location records |
| Specific locations | May or may not see blanks (depends on setup) |
Restriction Inheritance
OneWorld Subsidiary Hierarchy
SUBSIDIARY RESTRICTION INHERITANCE
===============================================================================
Subsidiary Structure:
ABC Parent Company
├── ABC United States
│ ├── ABC East
│ └── ABC West
└── ABC Canada
If Role Restricted to: ABC United States
User sees:
├── ABC United States transactions
├── ABC East transactions (child)
└── ABC West transactions (child)
User does NOT see:
├── ABC Parent Company (unless explicit)
└── ABC Canada
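The filtering, multiple-value, blank-record and subsidiary-inheritance rules above can be modelled as a single visibility check. This is an added example, not NetSuite code: `PARENT`, `isVisible`, `visibleIds` and the `includeBlank` switch are hypothetical names, the records are constructed, and the role uses the subsidiary names from the hierarchy diagram.

```javascript
// Subsidiary tree from the page's inheritance diagram (child -> parent).
const PARENT = {
  "ABC United States": "ABC Parent Company",
  "ABC Canada": "ABC Parent Company",
  "ABC East": "ABC United States",
  "ABC West": "ABC United States",
};

// True if `sub` is `allowed` itself or one of its descendants.
function underSubsidiary(sub, allowed) {
  for (let s = sub; s !== undefined; s = PARENT[s]) if (s === allowed) return true;
  return false;
}

// An empty list means "no restriction" for that segment. includeBlank is an
// assumed switch: the page says blank-segment visibility depends on setup.
function isVisible(role, record) {
  for (const [segment, allowed] of Object.entries(role.restrictions)) {
    if (allowed.length === 0) continue;                     // blank = sees all
    const value = record[segment];
    const match = !value ? role.includeBlank                // record has no value here
      : segment === "subsidiary"
        ? allowed.some((a) => underSubsidiary(value, a))    // children are included
        : allowed.includes(value);                          // OR within one segment
    if (!match) return false;                               // AND across segments
  }
  return true;
}

function visibleIds(role, records) {
  return records.filter((r) => isVisible(role, r)).map((r) => r.id);
}

// Constructed sample role and records, named after the page's examples.
const westManager = {
  includeBlank: false,
  restrictions: { subsidiary: ["ABC United States"], department: ["Sales"],
    location: ["West Region", "West Warehouse"], class: [] },
};
const rec = (id, subsidiary, location, department) => ({ id, subsidiary, location, department });
const records = [
  rec("SO-1", "ABC West", "West Region", "Sales"),
  rec("SO-2", "ABC East", "East Region", "Sales"),
  rec("SO-3", "ABC Canada", "West Region", "Sales"),
  rec("SO-4", "ABC United States", "West Warehouse", "Operations"),
  rec("SO-5", "ABC United States", "", "Sales"),
  rec("SO-6", "ABC Parent Company", "West Region", "Sales"),
];
console.log(visibleIds(westManager, records));
```

Running the same record set through the model for an unrestricted role and for the restricted role gives the expected difference to compare against a saved-search test.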
Common Issues
Troubleshooting Restrictions
| Issue | Cause | Solution |
|---|---|---|
| User can't see records | Restriction too narrow | Add location/dept values |
| User sees too much | Missing restriction | Add appropriate segment |
| Some transactions hidden | Transaction has different segment | Check transaction's segments |
| New location not visible | Location not added to role | Add new location to role |
Checking User's Effective Restrictions
VERIFYING RESTRICTIONS
===============================================================================
Method 1: Review Role Configuration
├── Open role
├── Check Restrictions tab
└── Note all values
Method 2: Log in as User
├── Use "Log in as..." feature
├── Navigate to various lists
└── Verify visible data
Method 3: Saved Search Test
├── Create saved search as admin
├── Compare results when run by restricted user
└── Note differences
Best Practices
| Practice | Benefit |
|---|---|
| Document restrictions | Clear audit trail |
| Test before deploy | Avoid access issues |
| Review quarterly | Keep current with org changes |
| Use sparingly | Complex restrictions = confusion |
| Combine with permissions | Layered security |
Key Takeaways
- Restrictions filter data visibility based on segments
- Multiple values are additive (OR logic)
- Subsidiary restrictions extend to child subsidiaries
- Test thoroughly before assigning to users
- Document changes for audit purposes
Related Topics
- Roles Overview - Role fundamentals
- Role Permissions - Permission levels
- NetSuite Structure - Segment setup