Scenario 2: Company with multiple separate divisions
Your company has two business divisions, Eastern and Western, that do not share data between them. Within each division, people performing different functions need to access the same objects (campaigns, offers, templates), but with differing permissions to act on these objects, depending on their role.
Solution
Define two separate security policies, each with the appropriate roles and permissions. The roles in each security policy can be the same or different, depending on the needs of each division. Except for individuals who need to work across both divisions (for example, the controller, cross-divisional managers, or the CEO), assign each user to a role within only one policy. Do not assign any role to the users in the global policy. For users that work across both divisions, assign them a role in the global policy and grant them the desired permissions.
Create top-level folders that belong to each policy, to hold campaigns, offers, and so on. These folders are specific to each division. Users with roles in one policy cannot see the objects belonging to the other policy.
The following tables show only a sample subset of the possible object permissions in
Campaign
.
Eastern Division Security Policy
Functions/Role
Folder Owner
Object Owner
Manager
Designer
Reviewer
Campaigns
Add Campaigns
Edit Campaigns
Delete Campaigns
View Campaign Summary
Offers
Add Offers
Edit Offers
Delete Offers
View Offer Summary
Western Division Security Policy
Functions/Role
Folder Owner
Object Owner
Manager
Designer
Reviewer
Campaigns
Add Campaigns
Edit Campaigns
Delete Campaigns
View Campaign Summary
Offers
Add Offers
Edit Offers
Delete Offers
Add Campaigns
Copyright IBM Corporation 2015. All Rights Reserved.
