Data security policy aggregation between two different roles
Summary:
Hi,
We’re facing a security policy issue where a user is assigned both the Accounts Payable Manager and Accounts Receivable Manager roles, each associated with a different Business Unit.
The data access of this user looks like this:
Accounts payable manager, Business unit = X
Accounts receivable manager, Business unit = Y
However, I've noticed that when the user accesses a task like Manage Payables Invoices, he can select both Business Units X and Y.
This appears to be due to a mutual DSP (Data Security Policy) that grants access to both units.
Do you have any suggestions on how we can prevent this from happening?