Access Checks for Individual Components

The system provides four levels of access control for toolbar items, menu commands (commands in the My Desk menu, Actions menu, and global toolbar), tree categories, table columns, and form rows.

You define access to menu items, toolbar items, tree categories, table columns, and form rows (fields) using the administrative object that defines each of these components. The emxNavigator.jsp displays the submenu for an application if the user has access to at least one command object in the submenu. If the user does not have access to any command objects in the submenu, the submenu heading is not displayed.

To set these access checks, add the setting or parameter for the appropriate administrative object. For example, to control access for a toolbar item, edit the command object that represents the link. For details, see the settings reference for the specific complonent.

Assuming all possible checks are enabled, the sequence of access checks are as follows:


  1. Role-based. Users assigned to the Access tab for the relevant administrative object. These users are usually roles but can be persons and groups. When a role or group is assigned access, access extends to all child roles and groups. This access is the default or minimum access control.
  2. Access Mask setting on the administrative object. Specifies the accesses the user must have for the current business object in order for the component to be displayed.
  3. Access Expression setting on the administrative object. An expression whose value is a valid context-based expression that is evaluated at runtime.
  4. Access Program and Access Function settings on the administrative object. The name of a JPO program and method that checks access.

The system performs the access checks in an all or nothing manner. That is, if all the access checks pass, access is granted. If at least one of them fails, the UI component is hidden.