◄ Back to Creating company structures

Procedures on this page:

In the previous section the layout of the company structure shown in the picture was described in Lobster Data Platform / Orchestration.

The user 'jabend', who acts as 'Administrator' in the context of the company 'Smart Logistics AG', should still be used to log on to the system.

images/download/attachments/62866697/image2015-12-4_9_19_51-version-1-modificationdate-1612347978866-api-v2.png

After creating all companies for the example scenario, the company overview from the perspective of 'Smart Logistics AG' should look like the following screenshot

images/download/attachments/62866697/image2020-11-26_10-50-26-version-1-modificationdate-1612347978749-api-v2.png

Verify that column Parent companies (1) refers to the superordinate company in the company hierarchy depicted above!

All companies subordinate to "Smart Logistics AG" within this hierarchy were created with a login as user 'jabend', for whom the company "Smart Logistics AG" (at the top of the hierarchy) is automatically the company of the session, since no other companies are assigned in the user account.

The Company of session was therefore automatically assigned as Owner (2) of all newly created companies, as a view into the corresponding column of the company overview (see screenshot above) confirms.
It is only because of these 'ownership relationships' that 'Smart Logistics AG' has access to the accounts of the newly created companies at all. The fact that these companies are directly and indirectly subordinate to it, however, is not yet relevant for access.

Customize ownership

Deviating from the previous status, in the example scenario the 'ownership relationships' are now to be adjusted to the hierarchical relationships, so that the Owner (2) matches the parent company (1).

►IMPORTANT◄ This principle ('ownership ≈ hierarchy') should not be misunderstood as the best practice for a real project. It is only used here to demonstrate the effects of permissions. In practice, there may be good reasons to structure the company hierarchy and ownership differently. However, the interaction between Roles, ownership, company hierarchy and the Company authorizations presented here must always be carefully deliberated, coordinated and controlled after implementation to ensure access is granted where necessary and denied where inappropriate.

In concrete terms, only those child company accounts that are indirectly subordinated to 'Smart Logistics AG' must be modified, since these are the only ones for which the parent company still differs from the owner:

The company 'SL LDN' should be transferred into the possession of 'SL UK'.
The companies 'SL BER' and 'SL MUC' shall be transferred into the ownership of 'SL Germany'.

In the ribbon of the Company account overview of the main category Administration, the subcategory Change owner provides a combobox that displays the current owner and allows a new assignment via dropdown:

images/download/attachments/62866697/image2020-11-26_10-59-35-version-1-modificationdate-1612347978742-api-v2.png

In the screenshot, the company 'SL LDN' was selected in the list so that its detailed data is displayed. In the ribbon the change of ownership from 'Smart Logistics AG' to the already parent company 'SL UK' should now be done by Change owner.

Problem: When opening the combobox, the company 'SL UK' does not appear in the dropdown.

Why can' t the company 'SL UK' be selected as owner?

The Company of session ('Smart Logistics AG') is currently the owner of the company account of the company 'SL LDN' and therefore basically entitled to make changes to this company account.
However, changing the owner of this company account to 'SL UK' is interpreted by the system as an intervention in the company accounts of 'SL UK', to which the account of 'SL UK' should be added.
The Company of session ('Smart Logistics AG') is also the owner of the company account of the company 'SL UK' and therefore has access to their company account. This access does not include company accounts owned by 'SL UK'.

Conclusion: In order for the desired changes by 'Smart Logistics AG' to be feasible at all, access to the relevant company accounts must be guaranteed even after the change of ownership.

The respective new owner must allow 'Smart Logistics AG' access to the company accounts for this purpose. More precisely, a company authorization must be set up to enable this access. The 'new owner' has no active role in this process. 'Smart Logistics AG' can set up the required authorization itself.

►NOTE◄ In the given situation, the only alternative to changing the owner would be to use the role 'Super User', in whose context the 'owner restrictions' are ignored. However, this option should only be used in truly exceptional cases and not out of convenience, since the frivolous use of this 'extraordinary means' quickly leads to constellations of dependencies that are hardly manageable without such special rights and are unnecessarily intransparent for less privileged users. Only if access rights are 'cleanly regulated' by permissions, a controlled and orderly division of labor is possible for administrative tasks that require special permissions (e.g. to edit configurations), but which should only be performed with a limited radius of action (e.g. in a part of the company hierarchy).

Company authorizations

The Administration/Accounts/Company authorizations menu path opens the overview of all existing Company authorizations that can be accessed in the context of the current session:

images/download/attachments/62866697/image2020-11-25_14-27-53-version-1-modificationdate-1612347978683-api-v2.png

Create a company authorization

The list (1) of Company authorizations appears empty for 'Smart Logistics AG', since no company authorization has been created for this company yet.

The new creation is started via the New (2) button in the ribbon:

images/download/attachments/62866697/image2020-11-26_12-52-21-version-1-modificationdate-1612347978662-api-v2.png

The extensive configuration possibilities for Company authorizations can be consulted if necessary in the appropriate entry in the manual.

In the example scenario, explicit authorization from the company 'SL UK' to the parent company 'Smart Logistics AG' is required to solve the above described 'problem' with the change of ownership for the company 'SL LDN':

As the Permission granting company (1), 'SL UK' is selected, which will grant access to their company accounts.

Under Explicit grant, 'Smart Logistics AG' is determined as the direct recipient of the authorization, by selection in Granted companies (2).

Active? (3) must be checked to activate the authorization.

Afterwards the content for the authorization must be defined in the Permissions (4) tab. In the default Mode 'Custom' the permissions are selectable individually or in groups (per node) via a tree, analogous to the handling of permissions for Roles.

In the screenshot, all Permissions (5) for the Administration node have been selected for authorization, which includes the crucial permission to 'Update' company accounts.

By clicking on Save (6) in the ribbon, the company authorization is created and immediately effective.

images/download/attachments/62866697/image2020-11-26_12-55-2-version-1-modificationdate-1612347978647-api-v2.png

images/download/attachments/62866697/image2020-11-26_13-23-29-version-1-modificationdate-1612347978623-api-v2.png

The newly established company authorization now ensures that 'Smart Logistics AG' can still dispose of the company 'SL LDN' even if it becomes the property of 'SL UK'.

Therefore, when the company 'SL LDN' is selected in the Company account overview, additional options now appear in the Change owner drop-down menu:

images/download/attachments/62866697/image2020-11-26_14-13-29-version-1-modificationdate-1612347978587-api-v2.png

In contrast to the first attempt (without company authorization), 'Smart Logistics AG' can now specify the company 'SL UK' as the owner of the company 'SL LDN'.

After clicking Save (in the Common tab in the ribbon) to confirm the change, 'SL UK' as Owner and parent company of the company 'SL LDN' will appear in the list.

images/download/attachments/62866697/image2020-11-26_14-16-34-version-1-modificationdate-1612347978580-api-v2.png

To further demonstrate the effect of company authorizations in terms of visibility, we now exclude all rights for Companies within the existing authorization.

The 'Companies' node highlighted and expanded in the image contains all the relevant permissions.

Deselecting the checkbox for the 'Companies' node will unlock all permissions listed below. This mechanism also applies to collapsed nodes

After clicking Save for this changed configuration, the company 'SL LDN' in the login context of 'Smart Logistics AG' no longer appears in the company overview (see image below).

The company 'SL LDN' is now owned by 'SL UK' and – according to the recently changed release – the latter explicitly no longer shares access to its company accounts with 'Smart Logistics AG'. Smart Logistics AG can still access the 'SL UK' as owner, but no longer access the company 'SL LDN' in its possession.

images/download/attachments/62866697/image2020-11-26_14-52-23-version-1-modificationdate-1612347978555-api-v2.png

If the company overview was already open before the authorization was changed, it must be updated by clicking Search in the ribbon (subcategory 'list'):

images/download/attachments/62866697/image2020-11-26_14-57-54-version-1-modificationdate-1612347978541-api-v2.png

Permission inheritance

In contrast to the previous example, a user who logs on with the role 'Administrator' in the context of 'Smart Logistics AG' will receive all authorizations for all directly and indirectly subordinate companies, i.e. the entire hierarchy.

Similar to the above procedure, it is possible to give explicit permission for 'Smart Logistics AG' at the top of the hierarchy, starting from any subordinate company in the company structure. In the example with only five affected companies, this approach may still seem feasible. However, it must be taken into account that every time the company structure is expanded by an additional company, the corresponding permissions must also be considered. Under practical conditions, significantly more extensive company hierarchies are often the case, so that the creation of explicit permissions for all relevant 1:1 relationships in the hierarchy quickly becomes too inefficient and confusing.

With the help of Permission inheritance, which supports Lobster Data Platform / Orchestration in the definition of company permissions, the definition of a single company permission is sufficient to fulfill the objective pursued here.

For this purpose, the definition of the already created permissions should be adjusted as follows:

'Smart Logistics AG' is selected here as the Permission granting company (1), even if this is the only company in the hierarchy from which no permission is to be granted. This selection defines only the top of a substructure of the company hierarchy to which the subsequently defined Permission inheritance is to apply. In the example the inheritance should apply to the entire company structure.

Under Permission inheritance (2), the option 'All children' is selected, since the permission should originate from all direct and indirect child companies.

The option Exclude permission granting company (3) is set, because the Permission granting company 'Smart Logistics AG' at the top of the hierarchy does not have to give itself any permissions.

Under Explicit grant (right), 'Smart Logistics AG' is selected as the recipient of permissions under Granted companies (4).

Option Activate? (5) must be checked, to enable the company authorization.

In the Permissions tab, the Mode (6) must be set to 'All', since 'Smart Logistics AG' should ge granted all permissions across the board. Existing individual settings below are disable but are stored and will be re-enabled in case the Mode (6) is switched back to 'Custom'.

Applied changes to the authorization must be confirmed by clicking Save (7).

images/download/attachments/62866697/image2020-11-27_7-54-59-version-1-modificationdate-1612347978500-api-v2.png

images/download/attachments/62866697/image2020-11-27_7-59-12-version-1-modificationdate-1612347978492-api-v2.png

The permissions that have just been set up provide an administrator operating on central level with unrestricted access to all child companies in the hierarchy below.

In more complex application cases, it is often required that administration can be carried out by different parties on different hierarchical levels for the respective child companies.

The existing permissions should therefore be adjusted accordingly:

The settings on the left side (Who is granting permissions?) for the Permission granting company (1), the Permission inheritance (2) and the Exclude permission granting company (3) option are kept unchanged, since the inheritance scheme ('entire hierarchy without top') should remain valid.

On the right side (To whom is the permission granted) the selection for Explicit grant (6) is removed and instead under Granting to hierarchy (4) the option 'Parents' is selected, so that each child company (see Who is granting permissions? on the left) gives permission to each parent company (in all levels). The option Limit to hierarchy (5) is set here as a precaution, although it has no effect in the existing hierarchical company structure. It is intended to prevent that granting permissions to the parent hierarchy (4) applies for companies outside the hierarchy below the Permission granting company (1). This exclusion would be relevant, for example, if the company 'SL Germany' referred to an additional parent company which is not a child of 'Smart Logistics AG'.

Option Active? (7) must be set to enable the authorization.

These changes have to be confirmed by clicking Save in the ribbon.

images/download/attachments/62866697/image2020-11-27_8-12-11-version-1-modificationdate-1612347978461-api-v2.png

On the basis of the last adjustment of the company authorization the following image results:

images/download/attachments/62866697/image2015-12-4_9_18_41-version-1-modificationdate-1612347979640-api-v2.png

The black arrows indicate the hierarchical relationship from the child to the parent company.
Green arrows indicate that a company grants permissions (here: 'all') to another company.

In the example scenario, each company can now act on behalf of directly and indirectly subordinate companies.

On this basis, the outstanding changes for the 'ownership' within the structure should now also be completed!

The result should be reflected in the company account overview as follows:

images/download/attachments/62866697/image2020-11-27_8-25-6-version-1-modificationdate-1612347978435-api-v2.png

Although 'Smart Logistics AG' only owns the subordinate companies 'SL Germany' and 'SL UK', their subordinate companies still appear in the overview.
For all listed companies the Owner matches the parent company.

►NOTE◄ A closer look reveals that the final statement does not apply for the company 'Smart Logistics AG' at the top of the hierarchy, which is owned by the 'Default Company'. Deleting the Owner of 'Smart Logistics AG' might sound useful, to perfectly align columns Owner and Parent companies. However, this is not recommended, since Lobster Data Platform / Orchestration treats entities without an owner as 'common property' for which no owner restrictions apply.

The access control mechanisms based on ownership and permissions, were demonstrated here exclusively with respect to Company accounts, but apply to most other entity types in Lobster Data Platform / Orchestration in the same way.

If created entities fail to appear as expected in lists or selection fields, it is very likely that company permissions or ownership must be adjusted.

► Continue with Creating external companies