Record Level Security (RLS)
See Important: Record Level Security permissions for details about who can set Record Level Security settings on a record and what permissions are required.
Record Level Security provides control over who can do what to records on a per user and per group basis. At its simplest it is possible to set permissions to control who can:
- View (Display) a record
- Edit a record
- Delete a record
These permissions are applied to a record on the Security tab (available in all modules except Field Level Help).
With Record Level Security it is possible, for example, to specify that Everyone can view all Parties records but only managers of each department are able to edit and delete the records of staff members in their department. In the following example, Everyone is able to view the current record (they have the Display permission), but only members of group Managers are able to edit and delete this record (the Edit and Delete permissions are disabled for group Everyone but enabled for group Managers):
Applying security settings to a record is a simple matter of:
- Searching for the record.
- Adding or removing a user or group from the Security box on the Security tab.
- Ticking / unticking the appropriate permissions in the Permissions box.
The minimum permission for a user / group is Display: in practice this means that when a user / group is added to the Security box, the Display checkbox is uneditable. To remove all permissions for a user / group, including Display, remove the user / group from the Security box.
Users inherit permissions from the groups to which they belong. All users, for instance, are members of group Everyone: if group Everyone is added to the Security box and it has Edit permission enabled, then all users inherit the Edit permission for that record. This is explained in more detail here.
Security settings can be set:
- On a per user basis: User A can view but not edit a record, for instance.
- On a per group basis: Group A can View, Edit and Delete a record.
- On one record at a time.
- On multiple records at a time using the Set Record Security batch update tool.
It is also possible to search for records based on the Record Level Security permissions assigned to users and groups. If a user or group has been removed from EMu, it is possible to locate records for which they had permissions assigned by using the Security (Direct) fields.
Dynamic Record Level Security
So far we've described a fairly static and manual application of Record Level Security permissions.
With the (Record Level) Security Registry entry however it is possible to manage permissions dynamically so that a user / group's Display, Edit and Delete permissions for a record are conditional upon a value entered in a field in the module.
In the example above, we manually:
- Changed the permissions of group Everyone, allowing members to Display the record but not to Edit or Delete it.
-AND-
- Added the Managers group to the Security box, providing members with Edit and Delete permissions to this record.
With the Security Registry entry it is possible to specify that:
- Members of group Managers are only able to edit and delete a record if the Department field holds the value Managers
-AND-
- When members of group Managers add a new record:
  - Permissions for group Everyone are limited to Display.
  - Permissions for group Managers are set to Display, Edit and Delete.
  - The Department field is populated with the value Managers.
In this way, whenever the value in the Department field is updated to hold the value Managers (whether manually or when a new record is added by members of group Managers), all users will be able to view the record but only members of group Managers will be able to edit and delete it.
Another useful application of the Security Registry entry is to control who can view, edit and / or delete a record based on a field such as Record Status. If Record Status changes from Active to Retired, permissions can be changed dynamically to hide the record from certain groups of users.
Note: Any field in a module can be used to set conditions when applying Record Level Security. See How to refine Record Level Security by specifying conditional criteria for details about refining the three standard security permissions (Display, Edit, Delete).
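The conditional behaviour described above can be checked against a small model before a policy is rolled out. This is an added Python example, not EMu code, and it does not use the Security Registry entry's syntax, which this page does not show. The policy table, the function names, the user names and the union-of-groups evaluation are assumptions made for illustration.

```python
DISPLAY, EDIT, DELETE = "Display", "Edit", "Delete"

# Constructed policy: (principal, permissions, condition). A condition is a
# (field, required value) pair; None would mean an unconditional entry.
POLICY = [
    ("Everyone", {DISPLAY}, ("Record Status", "Active")),
    ("Managers", {DISPLAY, EDIT, DELETE}, ("Department", "Managers")),
]

# Constructed insert defaults: values stamped on a new record per creator group.
INSERT_DEFAULTS = {"Managers": {"Department": "Managers"}}


def new_record(creator_groups, fields):
    """Build a record the way the page describes for members of Managers."""
    record = {"Record Status": "Active", **fields}
    for group in creator_groups:
        record.update(INSERT_DEFAULTS.get(group, {}))
    return record


def effective_permissions(record, user, groups):
    """Union of every matching entry whose field condition currently holds.

    Assumption: a user's rights are the union of their own entry and the
    entries of all their groups; every user is a member of Everyone.
    """
    principals = {user, "Everyone", *groups}
    granted = set()
    for principal, perms, condition in POLICY:
        if principal not in principals:
            continue
        if condition is not None and record.get(condition[0]) != condition[1]:
            continue  # the field no longer holds the required value
        granted |= perms
    return granted


if __name__ == "__main__":
    rec = new_record({"Managers"}, {"Name": "A. Smith"})  # constructed record
    for status in ("Active", "Retired"):
        rec["Record Status"] = status
        for user, groups in (("alice", {"Managers"}), ("bob", set())):
            print(status, user, sorted(effective_permissions(rec, user, groups)))
```

Running the model over each combination of group membership and field value shows which users keep Edit or Delete after a field changes, which is the case to review when a condition is added or a record's Department or Record Status is updated.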