How to refine Record Level Security by specifying conditional criteria
It is possible to control which users / groups can access (display, edit and delete) individual records based on the value in a field.
With the Security Registry entry it is possible to associate:
- A user / group, e.g. Trainers
- With a permission, e.g. Delete
- And a value in any field, e.g. Department=Training
With these example settings, members of the Trainers group will be able to delete any record where Department=Training.
Note:
- The user / group can be any user or group.
- The permission can be Display, Edit, Delete or the special permission, Insert.
- Any field and value combination can be used as the condition.
See Security Registry entry for full details.
For example, an institution decides that while everyone should be able to view all staff records in the Parties module, only managers should be able to edit and delete staff records. We would need to ensure that:
- Existing staff records are updated with the appropriate values:
  - Permissions are set: Display for group Everyone; and Edit and Delete for members of group Managers.
    Tip: You could use the Set Record Security batch update tool to assign these Security permissions to existing records.
  -AND-
  - The value in the Department field is set to Managers.
    Tip: The Global Replace tool could be used to batch update the value in the Department field.
  Once updated, staff records should have the Security permissions and the value in the Department field described above.
- As new staff records are added, the appropriate permissions and values are automatically set.
See Security Registry entry for details about how these security settings are configured.