WF-114: Multi-OpUnit Access Assignment
Workflow ID: WF-114 | Category: Access Management | Priority: P1 | Last Updated: January 11, 2026
Overview
This workflow handles assigning users to multiple Operating Units (OpUnits) with appropriate cross-unit permissions and consolidated dashboard views.
Trigger Events
- Admin assigns user to additional OpUnit
- User transfer between OpUnits
- Cross-functional team creation
- Temporary OpUnit access grant
Process Steps
1. Assignment Request
Admin Actions:
- Navigate to User Management
- Select user to assign
- Choose target OpUnit(s)
- Select role within OpUnit
- Set access duration (permanent/temporary)
Available Roles per OpUnit:
| Role | Access Level | Cross-OpUnit View |
|---|---|---|
| Viewer | Read-only | Own data only |
| Member | Read-write | Own data only |
| Manager | Full access | Team data |
| Admin | Administrative | All OpUnit data |
2. Permission Resolution
Cross-OpUnit Permission Matrix:
OpUnit A (Viewer) + OpUnit B (Manager) = Consolidated Access
├── OpUnit A: Read-only resources
├── OpUnit B: Full management
└── Cross-view: Aggregated reports (Manager level)
Permission Merge Rules:
| Scenario | Result |
|---|---|
| Same resource, different levels | Higher level wins |
| Conflicting deny rules | Deny takes precedence |
| Cross-OpUnit reports | Based on highest role |
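The merge rules above, worked through as an added example (not code from this product). The function names, the `(effect, role)` rule shape, and the fail-closed default when no rule matches are assumptions; the role names and rule outcomes come from the tables on this page.

```python
# Added example. Role names and merge rules come from this page's tables;
# the data shapes and the fail-closed default are assumptions.
ROLE_RANK = {"viewer": 1, "member": 2, "manager": 3, "admin": 4}


def consolidate(assignments):
    """Merge a user's OpUnit assignments into one consolidated view.
    Each role stays scoped to its own OpUnit; only the cross-OpUnit
    report level is taken from the highest role held.
    """
    per_opunit = {}
    for a in assignments:
        role = a["role"].lower()
        if role not in ROLE_RANK:
            raise ValueError(f"unknown role: {a['role']!r}")
        if a["opunit_id"] in per_opunit:
            # The page lists this case as the CONFLICT_ASSIGNMENT error.
            raise ValueError(f"CONFLICT_ASSIGNMENT: {a['opunit_id']}")
        per_opunit[a["opunit_id"]] = role
    highest = max(per_opunit.values(), key=ROLE_RANK.__getitem__, default=None)
    return {
        "per_opunit": per_opunit,
        "total_opunits": len(per_opunit),
        "highest_role": highest,  # drives cross-OpUnit report access only
    }


def effective_level(rules):
    """Resolve rules that target the same resource.
    rules: list of (effect, role) pairs, effect being "allow" or "deny".
    Returns the winning role, or None when access is denied.
    """
    if any(effect == "deny" for effect, _ in rules):
        return None  # deny takes precedence over any allow
    allowed = [role for effect, role in rules if effect == "allow"]
    # Higher level wins; no matching rule means no access (assumption).
    return max(allowed, key=ROLE_RANK.__getitem__, default=None)


# Constructed sample input using this page's role names.
SAMPLE = [
    {"opunit_id": "op_sales", "role": "manager"},
    {"opunit_id": "op_engineering", "role": "viewer"},
]

if __name__ == "__main__":
    print(consolidate(SAMPLE))
    print(effective_level([("allow", "admin"), ("deny", "viewer")]))
```

The viewer assignment in `op_engineering` stays a viewer assignment after the merge: holding manager in another OpUnit raises only the cross-OpUnit report level.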
3. Dashboard Configuration
Consolidated View Setup:
{
  "user_id": "usr_123",
  "opunit_assignments": [
    {
      "opunit_id": "op_sales",
      "role": "manager",
      "granted_at": "2026-01-11"
    },
    {
      "opunit_id": "op_engineering",
      "role": "viewer",
      "granted_at": "2026-01-11"
    }
  ],
  "consolidated_view": {
    "enabled": true,
    "default_opunit": "op_sales",
    "switcher_visible": true
  }
}
4. Cross-OpUnit Features
Available Features:
| Feature | Description |
|---|---|
| OpUnit Switcher | Quick switch between assigned OpUnits |
| Consolidated Reports | Aggregate data across OpUnits |
| Unified Search | Search resources across all OpUnits |
| Cross-OpUnit Tasks | Tasks spanning multiple OpUnits |
5. Visibility Rules
Data Isolation:
| User Role | Can See |
|---|---|
| Single OpUnit | Only that OpUnit's data |
| Multi OpUnit (Viewer) | Read-only in each |
| Multi OpUnit (Manager) | Full access per assignment |
| Cross-OpUnit Admin | All data, all OpUnits |
API Endpoints
| Endpoint | Method | Purpose |
|---|---|---|
| /api/v1/users/{id}/opunits | GET | List user's OpUnits |
| /api/v1/users/{id}/opunits | POST | Add OpUnit assignment |
| /api/v1/users/{id}/opunits/{opunit_id} | PUT | Update assignment |
| /api/v1/users/{id}/opunits/{opunit_id} | DELETE | Remove assignment |
Request: Add Assignment
POST /api/v1/users/usr_123/opunits
{
  "opunit_id": "op_engineering",
  "role": "viewer",
  "access_type": "permanent",
  "permissions": {
    "view_resources": true,
    "export_data": false,
    "manage_team": false
  }
}
Response
{
  "assignment_id": "assign_456",
  "user_id": "usr_123",
  "opunit_id": "op_engineering",
  "role": "viewer",
  "status": "active",
  "effective_from": "2026-01-11T00:00:00Z",
  "consolidated_permissions": {
    "total_opunits": 2,
    "highest_role": "manager",
    "cross_opunit_view": true
  }
}
Notifications
To User
Subject: You've been assigned to [OpUnit Name]
Content:
- OpUnit name and description
- Assigned role
- Available features
- How to switch between OpUnits
To OpUnit Admin
Subject: New team member in [OpUnit Name]
Content:
- User details
- Role assignment
- Effective date
Error Handling
| Error | Cause | Resolution |
|---|---|---|
| OPUNIT_NOT_FOUND | Invalid OpUnit ID | Verify OpUnit exists |
| ROLE_NOT_ALLOWED | Role exceeds admin scope | Escalate to higher admin |
| SEAT_LIMIT_EXCEEDED | OpUnit at capacity | Purchase more seats |
| CONFLICT_ASSIGNMENT | User already assigned | Update existing assignment |
Audit Events
| Event | Logged |
|---|---|
| opunit.user.assigned | User ID, OpUnit ID, Role, Admin ID |
| opunit.user.role_changed | Old role, New role, Reason |
| opunit.user.removed | User ID, OpUnit ID, Reason |
| opunit.permissions.merged | User ID, Consolidated permissions |