Bypassing Branch Restrictions

Acumatica security measures allow isolating users within tenants and branches so that a user can naturally stay constrained to data related to their own branch or branches. For example, a branch can be given an access role. By giving a user access (or not) to that role, access to that branch’s data can be restricted to only authorized users. But what happens if a user needs to search data contained within other branches without having actual access to those branches?

Fortunately for developers, Acumatica has provided a scope that disables branch restrictions for all code executed within the scope. To leverage this feature, encapsulate the code in a using block: using (new PXReadBranchRestrictedScope()) { }

In the following code sample, GlobalSearchFilter is a DAC with the string fields Descr1, Descr2, and Descr3. GlobalItem is a PXProjection that consolidates data across multiple branches, providing access to InventoryItem information as well as Availability as stored in INSiteStatus. When the projection is run as a user constrained to a single branch, only availability within that branch is returned. However, by populating the view explicitly in a view delegate and encapsulating the code in PXReadBranchRestrictedScope, the PXProjection is allowed to return availability data for all warehouses regardless of branch restrictions.
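The view delegate pattern described above, written out as an added example (not the original post's code and not Acumatica's own), with the scope kept around the read only. The graph name GlobalSearchInq, the GlobalItem.descr field, and the rule that every non-empty filter term must match that field are assumptions; GlobalSearchFilter and GlobalItem are the DACs the post describes and are assumed to be defined elsewhere.

```csharp
using System.Collections;
using System.Collections.Generic;
using PX.Data;

// Hypothetical inquiry graph. GlobalSearchFilter and GlobalItem are the DACs the
// post describes; the GlobalItem.descr field used for matching is an assumption.
public class GlobalSearchInq : PXGraph<GlobalSearchInq>
{
    public PXFilter<GlobalSearchFilter> Filter;
    public PXSelectReadonly<GlobalItem> Items;

    // View delegate for Items: the framework calls it instead of the default select.
    protected virtual IEnumerable items()
    {
        GlobalSearchFilter filter = Filter.Current;
        var rows = new List<GlobalItem>();
        if (filter == null) return rows;

        // Build the query outside the scope; nothing is read from the database yet.
        var query = new PXSelectReadonly<GlobalItem>(this);
        var args = new List<object>();
        foreach (string term in new[] { filter.Descr1, filter.Descr2, filter.Descr3 })
        {
            if (string.IsNullOrWhiteSpace(term)) continue;
            // Values are passed as parameters, never concatenated into the query.
            query.WhereAnd<Where<GlobalItem.descr, Like<Required<GlobalItem.descr>>>>();
            args.Add("%" + term.Trim() + "%");
        }
        // Design choice for this example: no search terms means no rows,
        // so an empty filter does not return every item across all branches.
        if (args.Count == 0) return rows;

        // Only the read runs with branch restrictions disabled.
        using (new PXReadBranchRestrictedScope())
        {
            foreach (GlobalItem item in query.Select(args.ToArray()))
                rows.Add(item); // materialize before the scope is disposed
        }
        return rows;
    }
}
```

Because the view is declared read-only and the scope wraps only the select, a user of this screen can see cross-branch availability exposed by the projection but gains no ability to modify records in branches they are not assigned to.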

Alternative – PXLoginScope

In some cases, PXLoginScope may be preferable, because it executes the code as a particular user (such as admin). This approach is great for programmatically performing actions that a user may not have access to perform themselves. However, do not be fooled by the name of the scope. While the login scope seems like it would allow logging in on a different tenant to retrieve results for a truly global search, this is not the case. Because the code is executed from within Acumatica, the database calls are still restricted to the current CompanyID, which means that either method will only work for accessing data within a single tenant.

Happy Coding!
