Security Groups/Users limited menu item access

OK… you asked for the “Best way”… I will give my opinion.
BUT FIRST… I will explain my basic rules

  1. Most people in a department should have access to all the items in that department's domain… ie… sales gets sales, inventory gets inventory
  2. EXCEPTION is the “Setup” type items… this should be reduced access.
  3. EXCEPTION to rule 2 are the special “Master” setup items such as Customer, Part, Supplier, etc. There are some things like these that cross over many boundaries.

SO… my rules are:

  1. Create a DEPARTMENT security group for each department
     • DeptSales
     • DeptProduction
     • DeptPO
  2. Create a Department SETUP group for each department
     • DeptSalesSetup
     • DeptxxxSetup
  3. Create Program Specific groups for any special master files
     • CanEditParts
     • CanEditCust
     • CanEditSupplier

Now, you have the FOUNDATION for security that is easier to implement.

  1. Each program in the menu gets one (or more, but preferably one) security group
     • Remember that the “Special” programs (Part entry) only get the ONE security group (CanEditParts)
  2. Each PERSON is assigned to the security groups that they need to do their job… ie… DeptSales, CanEditParts, CanEditCust

If you follow rules such as the above, later it will be easier to audit your security to see who has access to what.

This of course can get much more complicated… special duty separators such as “CanPostInvoices”, “CanShip”, “CanReceivePOs”/“CanEnterPOs” help to make audits even better.

12 Likes
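
The kind of audit the post describes, as an added example that is not part of the original post or of any ERP product's API: given program-to-group and person-to-group assignments, it reports who can open each program, which programs are secured by more than one group, who holds both sides of a duty separation, and which assigned groups secure nothing. The program names, user names, and the treatment of CanEnterPOs/CanReceivePOs as a conflicting pair are constructed assumptions.

```python
# Added example: audit of a group-per-program security model.
# All program names, user names and the conflict pair are constructed sample data.
MENU = {  # program -> security groups allowed to open it
    "Sales Order Entry": {"DeptSales"},
    "Sales Configuration": {"DeptSalesSetup"},
    "Part Entry": {"CanEditParts"},
    "Customer Entry": {"CanEditCust"},
    "PO Entry": {"CanEnterPOs"},
    "PO Receipt": {"CanReceivePOs"},
    "Job Entry": {"DeptProduction", "DeptSales"},  # breaks the one-group preference
}
USERS = {  # person -> security groups assigned
    "alice": {"DeptSales", "CanEditParts", "CanEditCust"},
    "bob": {"DeptPO", "CanEnterPOs", "CanReceivePOs"},
    "carol": {"DeptProduction"},
    "dave": {"DeptSales", "DeptSalesSetup"},
}
# Assumption: these two duties should not be held by the same person.
SOD_CONFLICTS = [("CanEnterPOs", "CanReceivePOs")]

def access_matrix(menu, users):
    """Program -> sorted list of people whose groups intersect the program's groups."""
    return {prog: sorted(u for u, g in users.items() if g & groups)
            for prog, groups in menu.items()}

def multi_group_programs(menu):
    """Programs secured by more than one group (harder to audit)."""
    return sorted(p for p, g in menu.items() if len(g) > 1)

def sod_violations(users, conflicts):
    """(person, duty_a, duty_b) for each person holding both sides of a conflict."""
    return [(u, a, b) for u, g in sorted(users.items())
            for a, b in conflicts if a in g and b in g]

def unused_groups(menu, users):
    """Groups assigned to people that secure no menu program."""
    on_menu = set().union(*menu.values())
    return sorted(set().union(*users.values()) - on_menu)

if __name__ == "__main__":
    for prog, people in access_matrix(MENU, USERS).items():
        print(f"{prog:22} {', '.join(people) or '-'}")
    print("multi-group programs:", multi_group_programs(MENU))
    print("duty conflicts:", sod_violations(USERS, SOD_CONFLICTS))
    print("groups on no program:", unused_groups(MENU, USERS))
```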