Record Level Security

As well as requiring the usual permissions that allow a user to edit records (daEdit for instance), two Security conditions must be met before a user can change Record Level Security settings for a record. The user must have (or be a member of a group that has):

  1. The daSecurity permission.
  2. Edit permission for the record (the Edit checkbox in the Permissions box must be ticked).

If a user does not have both of these permissions, the options in the Security box will be greyed out and uneditable:

mod_parties_security_tab_uneditable_emu.gif

Record Level Security permissions sit above the base operations permissions assigned to users / groups: even if a user / group is assigned a Record Level Security Edit permission to a record, but they do not have the daEdit permission, they will be unable to edit any record.

Note: Details for System Administrators about Registry settings for Record Level Security are available here.

Record Level Security provides organisations with control over who can do what to records on a per user and per group basis.

At its simplest it is possible to set permissions to control who can:

  1. View (Display) a record
  2. Edit a record
  3. Delete a record

For instance, it is possible to specify that Everyone can view all Parties records but only managers of each department are able to edit and delete the records of staff members in their department. In the following example, Everyone is able to view the current record (they have the Display permission), but only members of group Registrations are able to edit and delete this record (the Edit and Delete permissions are enabled for group Registrations but disabled for group Everyone):

mod_parties_security7_emu.gif

With the (Record Level) Security Registry entry however it is possible to manage permissions dynamically so that a user / group's Display, Edit and Delete permissions for a record are conditional upon a value entered in a field (any field) in the module.

In the example above, we have manually:

  • Changed the permissions of group Everyone, allowing members to Display the record but not to Edit or Delete it.

    -AND-

  • Added the Registrations group to the Security box, providing members with Edit and Delete permissions to this record.

With the Security Registry entry it is possible to specify that:

  • Members of group Registrations are only able to edit and delete a record if the Department field holds the value Registrations (in other words, they can only edit and delete their own records)

    -AND-

  • When members of group Registrations add a new record:
    • Permissions for group Everyone are limited to Display
    • Permissions for group Registrations are set to Display, Edit and Delete
    • The Department field is populated with the value Registrations

In this way, whenever the value in the Department field is updated to hold the value Registrations (whether manually or when a new record is added by members of group Registrations), all users will be able to view the record but only members of group Registrations will be able to edit and delete it.

Another useful example of the dynamism inherent to the Security Registry entry is to control who can view, edit and / or delete a record based on a Record Status for instance. If Record Status changes from, say, Active to Retired, permissions can be changed dynamically to hide the record from certain groups of users.

Note: Any field in a module can be used to set conditions when applying Record Level Security. See How to refine Record Level Security by specifying conditional criteria for details about refining the three standard security permissions (Display, Edit, Delete).

It is also possible to search for records based on the Record Level Security permissions assigned to users and groups. If a user or group has been removed from EMu, it is still possible to locate records for which they had permissions assigned by using the Security (Direct) fields, which are available in Search mode.

Security settings can be set on:

  • A per user basis: User A can view but not edit a record for instance.
  • A per group basis: Group A can View, Edit and Delete a record.
  • On one record at a time.
  • On multiple records at a time using the Set Record Security batch update tool.

Record Level Security is available in all modules except Field Level Help and is applied on a module's Security tab:

mod_parties_security_tab_emu.gif

Applying security settings to a record is a simple matter of:

  1. Searching for the record.
  2. Adding or removing a user or group from the Security box on the Security tab.
  3. Ticking / unticking the appropriate permissions in the Permissions box.

In the example above, group Everyone can Display, Edit and Delete this record.

The minimum permission for a user / group is Display: in practice this means that when a user / group is added to the Security box, the Display checkbox is greyed out and uneditable. To remove all permissions for a user / group, including Display, remove the user / group from the Security box. As we see below, users inherit permissions from the groups to which they belong. All users, for instance, are members of group Everyone: if group Everyone is added to the Security box and it has Edit permission enabled, then all users inherit the Edit permission for that record.

Related Topics Link IconRelated Topics