How do Organization Access and User Assignment work in iDempiere?
In iDempiere, Organization Access and User Assignment provide a controlled and secure way to decide which organizations a user can access and which users operate under a specific role.
The two concepts work together to ensure that users see only the data and functions relevant to their responsibilities.
Controlling organization access through a role
Organization access is configured at the role level. When defining a role, the administrator specifies whether the role:
- Can access a single organization or multiple organizations
- Has access to only assigned organizations or all organizations under the client
Only the organizations enabled in the role become visible during login and data entry. Even if a user belongs to multiple organizations, they cannot access data outside the scope defined by their role.

Assigning users to a role
Users are linked to roles through user assignment. When a role is assigned to a user:
- The user inherits all permissions, organization access, and data visibility rules of that role
- Menu structure, accessible windows, and reports are dynamically adjusted at login
A single user can have multiple roles, allowing them to switch responsibilities without duplicating user records.

Managing users under a role
User assignment is not static. Administrators can:
- Add or remove users from a role at any time
- Temporarily disable role access without deleting the user
- Assign different roles for operational work and reporting purposes
These changes take effect immediately, ensuring quick control over access during role changes or organizational restructuring.
By combining Organization Access and User Assignment at the role level, iDempiere delivers precise control over who can access which organizations and under what role. This design supports scalable, secure operations across multi-organization and project-driven environments while keeping administration simple and transparent.
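
An access review of the model described above can be expressed as a single query: expand every active user assignment into the organizations its role grants. The following is an added example, not iDempiere code. The table and column names are simplified assumptions modelled on the role, role organization access and user assignment records, and the rows are constructed sample data.

```python
import sqlite3

# Simplified, assumed schema (not the real iDempiere dictionary tables),
# loaded with constructed sample rows.
SCHEMA = """
CREATE TABLE ad_org (name TEXT PRIMARY KEY);
CREATE TABLE ad_role (name TEXT PRIMARY KEY, isaccessallorgs TEXT);
CREATE TABLE ad_role_orgaccess (role TEXT, org TEXT, isactive TEXT);
CREATE TABLE ad_user_roles (usr TEXT, role TEXT, isactive TEXT);
INSERT INTO ad_org VALUES ('HQ'), ('Store East'), ('Store West');
INSERT INTO ad_role VALUES ('Store Clerk', 'N'), ('Group Reporting', 'Y');
INSERT INTO ad_role_orgaccess VALUES
  ('Store Clerk', 'Store East', 'Y'), ('Store Clerk', 'Store West', 'N');
INSERT INTO ad_user_roles VALUES
  ('alice', 'Store Clerk', 'Y'), ('alice', 'Group Reporting', 'N'),
  ('bob', 'Group Reporting', 'Y');
"""

# A role grants an organization if it has all-organization access or an
# active organization-access row; disabled assignments grant nothing.
AUDIT = """
SELECT ur.usr, ur.role, o.name
FROM ad_user_roles ur
JOIN ad_role r ON r.name = ur.role
JOIN ad_org o ON r.isaccessallorgs = 'Y'
   OR EXISTS (SELECT 1 FROM ad_role_orgaccess oa
              WHERE oa.role = r.name AND oa.org = o.name
                AND oa.isactive = 'Y')
WHERE ur.isactive = 'Y'
ORDER BY ur.usr, ur.role, o.name
"""

def build_sample_db():
    """Create the in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def effective_access(conn):
    """Map each user to {role: [organizations]} from active assignments."""
    result = {}
    for usr, role, org in conn.execute(AUDIT):
        result.setdefault(usr, {}).setdefault(role, []).append(org)
    return result

if __name__ == "__main__":
    for usr, roles in effective_access(build_sample_db()).items():
        print(usr, roles)
```

In the sample data, alice's disabled reporting assignment contributes no organizations, while bob's all-organization role expands to every organization, which is the kind of broad grant a periodic review should surface.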