Record Level Security
As well as requiring the usual permissions that allow a user to edit records (daEdit for instance), two Security conditions must be met before a user can change Record Level Security settings for a record. The user must have (or be a member of a group that has):
- The daSecurity permission.
- Edit permission for the record (the Edit checkbox in the Permissions box must be ticked).
If a user does not have both of these permissions, the options in the Security box will be gr
Record Level Security permissions sit above the base operations permissions assigned to users / groups: even if a user / group is assigned a Record Level Security Edit permission to a record, they will be unable to edit any record if they do not have the daEdit permission.
Note: Details for System Administrators about Registry settings for Record Level Security are available here.
Record Level Security provides organi
At its simplest it is possible to set permissions to control who can:
- View (Display) a record
- Edit a record
- Delete a record
For instance, it is possible to specify that Everyone can view all Parties records but only managers of each department are able to edit and delete the records of staff members in their department. In the following example, Everyone is able to view the current record (they have the Display permission), but only members of group Registrations are able to edit and delete this record (the Edit and Delete permissions are enabled for group Registrations but disabled for group Everyone):
With the (Record Level) Security Registry entry however it is possible to manage permissions dynamically so that a user / group's Display, Edit and Delete permissions for a record are conditional upon a value entered in a field (any field) in the module.
In the example above, we have manually:
- Changed the permissions of group Everyone, allowing members to Display the record but not to Edit or Delete it. -AND-
- Added the Registrations group to the Security box, providing members with Edit and Delete permissions to this record.
With the Security Registry entry it is possible to specify that:
- Members of group Registrations are only able to edit and delete a record if the Department field holds the value Registrations (in other words, they can only edit and delete their own records) -AND-
- When members of group Registrations add a new record:
  - Permissions for group Everyone are limited to Display
  - Permissions for group Registrations are set to Display, Edit and Delete
  - The Department field is populated with the value Registrations
In this way, whenever the value in the Department field is updated to hold the value Registrations (whether manually or when a new record is added by members of group Registrations), all users will be able to view the record but only members of group Registrations will be able to edit and delete it.
Another useful example of the dynamism inherent to the Security Registry entry is to control who can view, edit and / or delete a record based on a Record Status for instance. If Record Status changes from, say, Active to Retired, permissions can be changed dynamically to hide the record from certain groups of users.
Note: Any field in a module can be used to set conditions when applying Record Level Security. See How to refine Record Level Security by specifying conditional criteria for details about refining the three standard security permissions (Display, Edit, Delete).
It is also possible to search for records based on the Record Level Security permissions assigned to users and groups. If a user or group has been removed from
Security settings can be set on:
- A per user basis: User A can view but not edit a record for instance.
- A per group basis: Group A can View, Edit and Delete a record.
- On one record at a time.
- On multiple records at a time using the Set Record Security batch update tool.
Record Level Security is available in all modules except Field Level Help and is applied on a module's Security tab:
Applying security settings to a record is a simple matter of:
- Searching for the record.
- Adding or removing a user or group from the Security box on the Security tab.
- Ticking / unticking the appropriate permissions in the Permissions box.
In the example above, group Everyone can Display, Edit and Delete this record.
The minimum permission for a user / group is Display: in practice this means that when a user / group is added to the Security box, the Display checkbox is gr Display, remove the user / group from the Security box. As we see below, users inherit permissions from the groups to which they belong. All users, for instance, are members of group Everyone: if group Everyone is added to the Security box and it has Edit permission enabled, then all users inherit the Edit permission for that record.
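The layering described on this page (base operations permission, record-level permission, group inheritance, and the daSecurity condition) written out as an added Python model; it is not EMu code or an EMu API, and the names User, Record, can and can_change_security are hypothetical. It assumes a user's effective record permissions are the union of their own Security box entry and the entries of their groups; the page does not say how conflicting entries are resolved.

```python
# Added illustration: a minimal model of the rules described on this page.
# Names (User, Record, can, can_change_security) are hypothetical, not EMu APIs.
from dataclasses import dataclass, field

DISPLAY, EDIT, DELETE = "Display", "Edit", "Delete"
# Base operations permission required for each action. daEdit and daSecurity
# are named on the page; the page names no base permission for display or
# delete, so only Edit is gated here.
BASE_OP = {EDIT: "daEdit"}


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)      # every user is also in Everyone
    operations: set = field(default_factory=set)  # base operations permissions

    def principals(self):
        return {self.name, "Everyone"} | self.groups


@dataclass
class Record:
    # The Security box: principal (user or group) -> record-level permissions.
    security: dict = field(default_factory=dict)

    def grant(self, principal, *perms):
        # Display is the minimum permission for any principal in the Security box.
        self.security[principal] = {DISPLAY, *perms}


def record_perms(user, record):
    """Union of the user's own entry and the entries of their groups (assumption)."""
    perms = set()
    for principal in user.principals():
        perms |= record.security.get(principal, set())
    return perms


def can(user, action, record):
    """Record-level permission AND, where one applies, the base operations permission."""
    base = BASE_OP.get(action)
    if base is not None and base not in user.operations:
        return False
    return action in record_perms(user, record)


def can_change_security(user, record):
    """Needs the usual edit rights plus daSecurity and record-level Edit."""
    return "daSecurity" in user.operations and can(user, EDIT, record)
```

Granting Everyone only Display and Registrations Edit and Delete reproduces the page's first example: a Registrations member with daEdit can edit, the same member without daEdit cannot, and changing the Security box additionally needs daSecurity.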