(Record Level) Security Registry entry

Refine the three standard Record Level Security permissions, Display, Edit, Delete, and apply the special Insert Record Level Security permission.

Note: To modify Record Level Security settings a user must have (or be a member of a group that has) the daSecurity permission .

Description

Record Level Security provides organisations with control over access to records on a per user and per group basis.

At its simplest it is possible to set permissions that determine who can view, edit and delete records. However, by specifying additional criteria it is possible to refine these three standard security privileges. For instance, it is possible to specify that:

Records with a Record Status: (Access) of Retired cannot be viewed by a certain group of users.
Note: Any field in a module can be used to set conditions when applying Record Level Security.
Only members of a department can edit and delete that department's records.

The Security Registry entry is used to refine the three standard Record Level Security permissions, Display, Edit, Delete, and also to apply the special Insert Record Level Security permission.

It is worth stressing that a Security Registry refines the Display, Edit and Delete permissions that a user / group has to a record, it does not replace the necessity to add the user (or a group to which the user belongs) to the Security box on the Security tab for that record and to specify permissions in the Permissions box. In other words, a Security entry that gives a user / group the Edit permission to a record when Record Status is Active, is only effective if the user (or a relevant group to which the user belongs) has been added to the Security box on the Security tab for that record and the Edit checkbox is ticked.

Even if a Security Registry entry is added to allow members of group Curators to edit records in the Parties module when Record Status: (Access) = Active, members of group Curators will be unable to edit the following record:

It is necessary to add group Curators to the Security box and provide it with the Edit permission:

Usage

This Registry entry can be assigned to users and groups:

Key	User	User	Group	Group	Group	Group
Key 1	`User`	`User`	`Group`	`Group`	`Group`	`Group`
Key 2	user	user	group	group	`Default`	`Default`
Key 3	`Table`	`Table`	`Table`	`Table`	`Table`	`Table`
Key 4	table	`Default`	table	`Default`	table	`Default`
Key 5	`Security`
Key 6	permission
Value	value;value;...

In pipe-delimited format:

`User`	user	`Table`	table	`Security`	permission	value;value;...
`User`	user	`Table`	`Default`	`Security`	permission	value;value;...
`Group`	group	`Table`	table	`Security`	permission	value;value;...
`Group`	group	`Table`	`Default`	`Security`	permission	value;value;...
`Group`	`Default`	`Table`	table	`Security`	permission	value;value;...
`Group`	`Default`	`Table`	`Default`	`Security`	permission	value;value;...

where:

permission

specifies the permission to refine, i.e. Display, Edit or Delete.

permission can also be Insert, a special value that can be used to set permissions for a user / group and to populate a field with a value when a record is added by the user / group. See Example 2 below.

value;value;...

is a semicolon separated list of conditions that must be met for the permission to apply. This is in the format: column=value

e.g. SecRecordStatus=Active

It is also possible to embed the user / group name of the currently logged in user (stored by EMu as $user and $group) in security values. Using these variables, security may be adjusted on a per user / group basis depending on one or more user / group names stored in the data. See Example 2 below.

Note: When referencing an attachment field in a Security Registry entry, it is necessary to use a field's Link Column name and a record's IRN. See Example 3 below.

Examples

Example - use case

A museum decides that all curators should be able to view every record in the Catalogue module, but only curators for each discipline (e.g. Fine Arts, Ceramics, etc.) should be allowed to edit and delete their department's records.

In this example we restrict records to members of the following groups:

Fine Arts Curators
Ceramics Curators

Suitable Registry entries are:

Group Fine Arts Curator Table ecatalogue Security Edit SecDepartment_tab= Fine Art

This entry specifies that members of group Fine Arts Curators are able to edit records in the Catalogue module when the Department field on the Security tab holds the value Fine Arts.

Group Fine Arts Curator Table ecatalogue Security Delete SecDepartment_tab= Fine Art

This entry specifies that members of group Fine Arts Curators are able to delete records in the Catalogue module when the Department field on the Security tab holds the value Fine Arts.

Group Fine Arts Curator Table ecatalogue Security Insert SecDepartment_tab=Fine Art; SecCanDisplay=Group Default; SecCanDisplay=Group $group; SecCanEdit=Group $group; SecCanDelete=Group $group

This entry specifies that when members of group Fine Arts Curators add a record to the Catalogue module, the Department field on the Security tab is populated with the value Fine Arts and permissions are set which allow everyone to view the record but only members of group Fine Arts Curators to edit and delete the record.

Group Ceramics Curators Table ecatalogue Security Edit SecDepartment_tab=Ceramics

This entry specifies that members of group Ceramics Curators are able to edit records in the Catalogue module when the Department field on the Security tab holds the value Ceramics.

Group Ceramics Curators Table ecatalogue Security Delete SecDepartment_tab=Ceramics

This entry specifies that members of group Ceramics Curators are able to delete records in the Catalogue module when the Department field on the Security tab holds the value Ceramics.

Group Ceramics Curators Table ecatalogue Security Insert SecDepartment_tab=Ceramics; SecCanDisplay=Group Default; SecCanDisplay=Group $group; SecCanEdit=Group $group; SecCanDelete=Group $group

This entry specifies that when members of group Ceramics Curators add a record to the Catalogue module, the Department field on the Security tab is populated with the value Ceramics and permissions are set which allow everyone to view the record but only members of the Ceramics Curators group to edit and delete the records.

When these entries have been set in the Registry module, all that remains is to apply these settings to existing records in the Catalogue module:

In the Catalogue module, locate all Fine Arts records.
Add group Fine Arts Curators to the Security box on the Security tab and give the group Edit and Delete permissions.
Uncheck all but the Display permission for the Everyone group.
Use the Set Record Security batch update tool to apply these settings to all Fine Arts records.
Use the Global Replace tool to insert the value Fine Arts in the Department field on the Security tab for all records found in your search.
Now when Curators in the Fine Arts Department log in, they will have edit and delete permissions for these Fine Arts records; other users will be able to view them but not edit or delete them.
Repeat steps 1 to 5 for group Ceramics.

Example 1

This Registry entry allows members of group Curators to view records in the Parties module only when Record Status: (Access) = Active:

Key	Setting	Description
Key 1	`Group`
Key 2	`Curators`
Key 3	`Table`
Key 4	`eparties`
Key 5	`Security`
Key 6	`Display`	Type of permission: `Display`, `Edit`, `Delete`, `Insert`.
Value	`SecRecordStatus=Active`	The condition that must be met for the permission to apply. In this case, if Record Status is set to `Active`, members of group Curators will be able to view the record. If Record Status is anything other than `Active`, members of group Curators will be unable to view the record. Note: Any field can be used to set a security permission. Multiple values (multiple conditions) can be set here.

In this example:

Group Everyone can display, edit and delete the following record in the Parties module.
Record Status: (Access) is set to Active:

When a member of group Curators logs in and searches for this record, the record is returned and the user has inherited the permissions of group Everyone (they can edit and delete the record).

If Record Status: (Access) is changed from Active to Retired, and a member of group Curators searches for this record, the record will not be located:

Even if group Curators is added to the Security box for this record:

members of group Curators will not be able to display the record unless Record Status: (Access) is set to Active.

Note that it is not necessary to add group Curators to the Security box as long as group Everyone is listed in the Security box: members of group Curators inherit the permissions of any other group to which they belong, which by default includes group Everyone. If the above Security Registry has been set and a record has the following security values, members of group Curators will be able to view, edit and delete the record even though group Curators has not been added to the Security box:

However, if we take away the Edit and Delete permissions from group Everyone:

and wish to provide group Curators with the ability to edit records where Record Status: (Access) = Active, then it is necessary to add group Curators to the Security box and provide it with the Edit permission:

Example 2

When members of group Curators add a new record to the Parties module, the Department field on the Security tab is populated with Curators:

Key	Setting
Key 1	`Group`
Key 2	`Curators`
Key 3	`Table`
Key 4	`eparties`
Key 5	`Security`
Key 6	`Insert`
Value	`SecDepartment_tab=Curators`

The following entry not only inserts a value in the Department field when group Curators adds a record to the Parties module, it also specifies the security permissions for group Everyone and the current group (Curators) using the $group variable:

Key	Setting
Key 1	`Group`
Key 2	`Curators`
Key 3	`Table`
Key 4	`eparties`
Key 5	`Security`
Key 6	`Insert`
Value	`SecDepartment_tab=Curators;SecCanDisplay=GroupDefault;SecCanDisplay=Group $group;SecCanEdit=Group $group;SecCanDelete=Group $group`

Example 3

When specifying an attachment field in a Security Registry entry, the value must be:

The field's Link Column name, not its column name.
-AND-
A record's IRN.

For example, if referencing the Party: (Associated With) field in a Security Registry entry, we would use AssAssociationRef_tab and not AssAssociation_tab:

A suitable Security Registry entry referencing an attachment field would be:

Key	Setting
Key 1	`Group`
Key 2	`Curators`
Key 3	`Table`
Key 4	`eparties`
Key 5	`Security`
Key 6	`Display`
Value	`AssAssociationRef_tab=6`

➤