(Record Level) Security Registry entry
Refine the three standard Record Level Security permissions, Display, Edit, Delete, and apply the special Insert permission.
Note: See Important: Record Level Security permissions for details about who can set Record Level Security settings on a record and what permissions are required.
Record Level Security provides control over who can do what to records on a per user and per group basis. At its simplest it is possible to set permissions to control who can:
- View (Display) a record
- Edit a record
- Delete a record
However, by specifying additional criteria it is possible to refine these three standard security privileges. For example, it is possible to specify that:
- Records with a Record Status of Retired cannot be viewed by a certain group of users.
- Only members of a department can edit and delete that department's records.
Note: Any field in a module can be used to set conditions when applying Record Level Security.
It is possible to associate:
- A user / group, e.g. Trainers
- With a permission, e.g. Delete
- And a value in any field, e.g. Department=Training
With these example settings, members of the Trainers group will be able to delete any record where Department=Training.
Note:
- The user / group can be any user or group.
- The permission can be Display, Edit, Delete or the special permission, Insert.
- Any field and value combination can be used as the condition.
The Security Registry entry is used to refine the three standard Record Level Security permissions, Display, Edit, Delete, and to apply the special Insert permission.
It is worth stressing that a Security Registry entry refines the Display, Edit and Delete permissions that a user / group has to a record; it does not replace the need to add the user (or a group to which the user belongs) to the Security box on the Security tab for that record and to specify permissions in the Permissions box. In other words, a Security entry that gives a user / group the Edit permission to a record when Record Status is Active is only effective if the user (or a relevant group to which the user belongs) has been added to the Security box on the Security tab for that record and the Edit checkbox is ticked.
Even if a Security Registry entry is added to allow members of group Managers to edit records in the Parties module when Record Status: (Access) = Active, members of group Managers will be unable to edit the following record:
It is necessary to add group Managers to the Security box and provide it with the Edit permission:
Checkbox | Description |
---|---|
| A permission inherited from another group. Faded and uneditable. To change this permission for the selected user / group, change it in the group from which it has been inherited. |
| A permission assigned to this user / group. This permission can be unassigned by clicking the checkbox. |
| An unassigned permission. Can be assigned to this user / group. |
Usage
This Registry entry can be assigned to users and groups:
Key 1 | Key 2 | Key 3 | Key 4 | Key 5 | Key 6 | Value |
---|---|---|---|---|---|---|
User | user | Table | table | Security | permission | value;value;... |
User | user | Table | Default | Security | permission | value;value;... |
Group | group | Table | table | Security | permission | value;value;... |
Group | group | Table | Default | Security | permission | value;value;... |
Group | Default | Table | table | Security | permission | value;value;... |
Group | Default | Table | Default | Security | permission | value;value;... |
where:
permission | specifies the permission to refine, i.e. Display, Edit or Delete. permission can also be Insert, a special value that can be used to set permissions for a user / group and to populate a field with a value when a record is added by the user / group. See Example 2 below. |
value;value;... | is a semicolon-separated list of conditions that must be met for the permission to apply. Each condition is in the format column=value, e.g. SecRecordStatus=Active. It is also possible to embed the user / group name of the currently logged in user (stored by EMu as $user and $group) in security values. Using these variables, security may be adjusted on a per user / group basis depending on one or more user / group names stored in the data. See Example 2 below. Note: When referencing an attachment field in a Security Registry entry, it is necessary to use a field's Link Column name and a record's IRN. See Example 3 below. |
Examples
An institution decides that all staff should be able to view every record in the Parties module, but only managers should be allowed to edit and delete staff records.
Suitable Registry entries are:
1. This entry specifies that members of group Managers are able to edit records in the Parties module when the Department field on the Security tab holds the value Personnel.
2. This entry specifies that members of group Managers are able to delete records in the Parties module when the Department field on the Security tab holds the value Personnel.
3. This entry specifies that when members of group Managers add a record to the Parties module, the Department field on the Security tab is populated with the value Personnel and permissions are set which allow everyone to view the record but only members of group Managers to edit and delete the record.
When these entries have been set in the Registry module, all that remains is to apply these settings to existing records in the Parties module:
- In the Parties module, locate all staff records.
- Add group Managers to the Security box on the Security tab and give the group Edit and Delete permissions.
- Untick all but the Display permission for group Everyone.
- Use the Set Record Security batch update tool to apply these settings to all staff records.
- Use the Global Replace tool to insert the value Personnel in the Department field on the Security tab for all staff records.
Now when Managers log in, they will have edit and delete permissions for these staff records; other users will be able to view them but not edit or delete them.
Example 1
This Registry entry allows members of group Casual Staff to view records in the Parties module only when Record Status: (Access) = Active:
Key | Setting | Description |
---|---|---|
Key 1 | Group | |
Key 2 | Casual Staff | |
Key 3 | Table | |
Key 4 | eparties | |
Key 5 | Security | |
Key 6 | Display | Type of permission: Display, Edit, Delete, Insert. |
Value | SecRecordStatus=Active | The condition that must be met for the permission to apply. In this case, if Record Status is set to Active, members of group Casual Staff will be able to view the record. If Record Status is anything other than Active, members of group Casual Staff will be unable to view the record. Note: Any field can be used to set a security permission. Multiple values (multiple conditions) can be set here. |
In this example:
- Group Everyone can display and edit the following record in the Parties module.
- Record Status: (Access) is set to Active:
When a member of group Casual Staff logs in and searches for this record, the record is returned. The user has inherited the permissions of group Everyone (they can edit the record and are unable to delete it).
Note: It is not necessary to add group Casual Staff to the Security box as long as group Everyone is listed in the Security box: members of group Casual Staff inherit the permissions of any other group to which they belong, which by default includes group Everyone.
If Record Status: (Access) is changed from Active to Retired, however, and a member of group Casual Staff searches for this record, the record will not be located and they will receive the following message:
Even if group Casual Staff is added to the Security box for this record, members of the group will not be able to display the record while Record Status: (Access) is not set to Active:
Keep in mind that if we were to take away the Edit permission from group Everyone, group Casual Staff would also lose the ability to edit the record. In this case it would be necessary to add group Casual Staff to the Security box and assign them the Edit permission.
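The two-step rule described on this page (the Security box grants a permission, and a Security Registry entry can only narrow it) can be modelled as follows, using the Casual Staff entry above. This is an added illustration, not EMu code. The user name jsmith, the function names and the rule that every matching entry must be satisfied are assumptions, and Default keys are not modelled.

```python
# Added illustration: a simplified model of the rule above, not EMu code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    """One Security Registry entry (Key 3 "Table" and Key 5 "Security" are fixed)."""
    kind: str        # Key 1: "User" or "Group"
    name: str        # Key 2: user or group name
    table: str       # Key 4: table name, e.g. "eparties"
    permission: str  # Key 6: "Display", "Edit" or "Delete"
    value: str       # Value: "column=value;column=value"

def conditions_met(value, record):
    """True when every column=value condition in a Value string holds."""
    for cond in filter(None, (c.strip() for c in value.split(";"))):
        column, _, wanted = cond.partition("=")
        held = record.get(column.strip())
        held = held if isinstance(held, list) else [held]  # _tab columns hold lists
        if wanted.strip() not in held:
            return False
    return True

def allowed(user, groups, table, record, security_box, entries, permission):
    """security_box maps a user / group name to the permissions ticked for it."""
    principals = {user, *groups}
    # 1. The Security box must grant the permission, directly or through a group.
    if not any(permission in security_box.get(p, set()) for p in principals):
        return False
    # 2. Registry entries can only narrow that grant (assumption: when several
    #    entries match, all of them must be satisfied).
    for e in entries:
        who = e.name == user if e.kind == "User" else e.name in groups
        if who and e.table == table and e.permission == permission:
            if not conditions_met(e.value, record):
                return False
    return True

# Constructed sample data following the Casual Staff example on this page.
CASUAL = ("jsmith", ["Casual Staff", "Everyone"])  # hypothetical user name
ENTRIES = [Entry("Group", "Casual Staff", "eparties", "Display", "SecRecordStatus=Active")]
BOX = {"Everyone": {"Display", "Edit"}}

def demo():
    active, retired = {"SecRecordStatus": "Active"}, {"SecRecordStatus": "Retired"}
    check = lambda rec, box, perm: allowed(*CASUAL, "eparties", rec, box, ENTRIES, perm)
    boxed = {**BOX, "Casual Staff": {"Display"}}  # group added to the Security box
    return [check(active, BOX, p) for p in ("Display", "Edit", "Delete")] + [
        check(retired, BOX, "Display"), check(retired, boxed, "Display")]
```

demo() returns the outcome for Display, Edit and Delete on the Active record, then Display on the Retired record without and with Casual Staff in the Security box.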
Example 2
When members of group Managers add a new record to the Parties module, the Department field on the Security tab is automatically populated with the value Managers:
Key | Setting |
---|---|
Key 1 | Group |
Key 2 | Managers |
Key 3 | Table |
Key 4 | eparties |
Key 5 | Security |
Key 6 | Insert |
Value | SecDepartment_tab=Managers |
The following entry not only inserts a value in the Department field when group Managers adds a record to the Parties module, it also specifies the security permissions for group Everyone and the current group (Managers) using the $group variable:
Key | Setting |
---|---|
Key 1 | Group |
Key 2 | Managers |
Key 3 | Table |
Key 4 | eparties |
Key 5 | Security |
Key 6 | Insert |
Value | SecDepartment_tab=Managers;SecCanDisplay=Group Default; SecCanDisplay=Group $group;SecCanEdit=Group $group;SecCanDelete=Group $group |
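How the Insert Value above expands when a member of group Managers adds a record, together with a check for permissions that would be handed to every user. This is an added example, not EMu code; the function names and the user name are hypothetical, and Group Default is read as group Everyone, as the description of the entry implies.

```python
# Added illustration: expands an Insert Value string; not EMu code.

def expand_insert_value(value, user, group):
    """Return {column: [values]} for an Insert entry's Value string.

    $user and $group are replaced with the names of the logged-in user and
    group; a column that appears more than once accumulates its values.
    """
    fields = {}
    for cond in value.split(";"):
        cond = cond.strip()  # tolerate a space after a semicolon
        if not cond:
            continue
        column, sep, val = cond.partition("=")
        if not sep or not column.strip():
            raise ValueError(f"not in column=value form: {cond!r}")
        val = val.strip().replace("$user", user).replace("$group", group)
        fields.setdefault(column.strip(), []).append(val)
    return fields

def granted_to_everyone(fields, everyone="Group Default"):
    """List the permissions a newly inserted record would give to every user."""
    columns = {"SecCanDisplay": "Display", "SecCanEdit": "Edit", "SecCanDelete": "Delete"}
    return [perm for col, perm in columns.items() if everyone in fields.get(col, [])]

# The Value from the entry above, copied as it appears on this page.
VALUE = ("SecDepartment_tab=Managers;SecCanDisplay=Group Default; "
         "SecCanDisplay=Group $group;SecCanEdit=Group $group;SecCanDelete=Group $group")

def demo():
    # "jsmith" is a constructed user name; the login group is Managers.
    fields = expand_insert_value(VALUE, "jsmith", "Managers")
    return fields, granted_to_everyone(fields)
```

Running granted_to_everyone over each Insert entry before it is deployed shows whether an entry would make new records editable or deletable by all users rather than only viewable.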
Example 3
When specifying an attachment field in a Security Registry entry, the value must be:
- The field's Link Column name, not its column name.
-AND-
- A record's IRN.
For example, if referencing the Party: (Associated With) field in a Security Registry entry, we would use AssAssociationRef_tab and not AssAssociation_tab:
A suitable Security Registry entry referencing an attachment field would be:
Key | Setting |
---|---|
Key 1 | Group |
Key 2 | Managers |
Key 3 | Table |
Key 4 | eparties |
Key 5 | Security |
Key 6 | Display |
Value | AssAssociationRef_tab=6 |