Access Groups Scenario

Hi, I have a specific query around the use of Access Groups, that has got me a bit stumped at the minute, and would welcome some advice.

As I understand the setup at the minute, a user can only belong to a single Access Group. However, I have a situation to handle whereby users can belong to multiple Access Groups at the same time (and is therefore able to see all records for those Groups).

For example, supposing 3x Users (called Alfred, Bernie & Charlie) and 3x Groups setup (IT Support, IT Maintenance & IT Provision)

  • Alfred can belong to both IT Support & IT Maintenance
  • Bernie can belong to both IT Support & IT Provision
  • Charlie can belong to both IT Maintenance & IT Provision

Th groups have to be at a flat level (I.e. cannot use inheritance by cascading them) because of the complexities involved with many multiples of Access Groups and Users - the above is just a simple example.

Is there a way this can be simply achieved ? Any pointers would be very helpful


1 Like

Hi Gary,
Currently, you probably have to abandon the organizational structure and create access groups for all combinations of constraints that are required. I understand that you can end up using a group per user, but it is the only option now.

We haven’t implemented the ManyToMany relationship between users and groups yet because it looks a bit illogical: a user in fact will have fewer rights if he belongs to more groups because a membership in a group can only limit something. So in your situation if a user was in IT Support & IT Maintenance it would not mean that he had some rights of IT Support & IT Maintenance, but contrary - he would have restrictions of both.

What do you think?

Hi Konstantin,
‘I think’ I understand what you are saying above and thanks for the info.
I am now wondering if there is another way I can implement my required ‘end-goal’ - maybe using ‘Deep Composition’ as per your Admin Guide in section . Lets say I had my own entity ‘departments’ with a many-to-many composition to another entity called ‘employee’. I then also want to be able to have an entity called ‘careTicket’ which has a many-to-many composition to ‘departments’ above - in this way, the careTicket entity can be related to multiple existing departments (I think). My final requirement would be that I somehow need to constrain the table on careTickets.browse screen so that only ‘employees’ in the ‘departments’ linked to a careTicket will be displayed & editable.
As an example - using the data from above

  • If a careTicket was related to 'departments' IT Support & IT Provision:
  • Alfred would be able to see the ticket in the table because he is related to 'IT Support'
  • Bernie would be able to see the ticket in the table because he is related to BOTH 'IT Support' and 'IT Provision'
  • Charlie would be able to see the ticket in the table because he is related to 'IT Provision'
However, if the careTicket is ONLY related to 'IT Support' then Charlie would not be able to see it because he is not related to that department in any way. Does that sound 'doable' in your opinion ?

Hi Gary,
You can achieve this kind of filtering in the tickets browser just by using the following JPQL for its CollectionDatasource:

select t from demo$Ticket t
    join t.departments d
    join d.employees e
where = :session$userId 

See the attached project. There are two tickets:
1 - for Provision & Support
2 - for Maintenance.
Try to login as Alfred, Bernie, Charlie (all have password 1). Alfred and Charlie see both tickets, Bernie sees only 1st because he is not in Maintenance. (34.8K)

1 Like

That is perfect Konstantin, exactly what I needed and works like a charm