How to refine Record Level Security by specifying conditional criteria

In the following example we look at how to limit access to a department's records to members of that department. The theory is identical when controlling who can access a record based on a value in the Record Status: (Access) field, or any other field for that matter.

A museum decides that while all curators should be able to view every record in the Catalog module, only curators for each discipline (e.g. Fine Arts, Ceramics, etc.) should be allowed to edit and delete their department's records.

For this example we would need to ensure that:

  • Existing records for each discipline are updated with the appropriate values:
    • Permissions are set: Display for group Everyone; and Edit and Delete for members of the group to which the record belongs.

      -AND-

    • The Value in the Department field is set to the name of the relevant department, e.g. Fine Arts, Ceramics.

    For instance, any Catalog records belonging to the Fine Arts group should have the following permissions and value in the Department field:

    Note: Using the Set Record Security batch update tool it is a simple matter to assign these permissions to existing records.

    In order for members of group Fine Arts to edit / delete this record, two Security conditions must be met:

    • The Fine Arts group must be added to the Security box and must have Edit and Delete permissions.

      Note: This is necessary because we have removed the Edit and Display permissions from group Everyone (we don't want everyone to be able to edit or delete this record): if the only group added to the Security box is group Everyone, members of group Fine Arts will only inherit the Display permission.

    • The value in the Department field must be Fine Arts.

      Note: Although the Set Record Security batch update tool cannot be used to batch update the Department field, the Global Replace tool can.

    • As new records are added by members of a group, the appropriate permissions and values are automatically set.

      Note: See (Record Level) Security Registry entry for details of how to refine Record Level Security. The Security Registry entries required for this example can be found here.