AgileApps Support Wiki Pre Release

Difference between revisions of "Custom Access Criteria"

From AgileApps Support Wiki
imported>Aeric
imported>Aeric
 
(21 intermediate revisions by the same user not shown)
Line 1: Line 1:
'''[[File:GearIcon.png]] > Objects > {object} > Object Properties > [Edit] > Access Control > Custom Access Criteria'''
Custom Access Criteria lets you specify who can access/update/delete individual records, based on the data in the record, characteristics of the current user, and any other available information.  
Custom Access Criteria lets you specify who can access/update/delete individual records, based on the data in the record, characteristics of the current user, and any other available information.  
{{:Option:Custom Access Criteria}}
   
   
==About Custom Access Criteria==
==About Custom Access Criteria==
Custom Access Criteria can be used in place of [[Data Access Permissions]]. Custom Access Criteria are a set of rules which define the [[Users]] who can perform any of the following Actions on [[Record]]s in [[Objects]]:
Custom Access Criteria can be used in place of the standard [[Data Access Permissions]]. Custom Access Criteria defines a set of expressions, one for each action that can be taken on a record:
:*Add
:*Add
:*Update
:*Update
Line 8: Line 11:
:*List View - defines a typical [[View]]
:*List View - defines a typical [[View]]
:*Record View - displays a single [[Record]]
:*Record View - displays a single [[Record]]
Rules are built by combining User and [[Object]] fields with [[Formula Functions]] to build Boolean [[Expressions]] (which evaluate to ''True'' or ''False'').
When a rule associated with an action evaluates to ''True'', the user has access to the records and can perform the action.


:''For other uses, see [[Access Controls]].
For each action, the [[Formula Builder]] is used to create an expression, using characteristics of the logged in [[User]], field values, comparison operators, and [[Formula Functions]]. When the expression evaluates to ''true'' for a given user, the user has access to the record and can perform the action. (Specifying <tt>true</tt> for the expression value gives access to everyone.)
{{tenantfeatures|}}
 
''Learn more:'' [[Access Controls]]
 
{{Important|<br>The ''System User'' (<nowiki>ID = 3</nowiki>) executes [[Rules]]. For Rules to function properly, any access-expression that specifies a
value other than <tt><nowiki>true</nowiki></tt> should include <tt><nowiki>loggedInUser.id = '3'</nowiki></tt> in an OR condition.}}
 
===Payroll Example===
Records with a salary in excess of a certain amount can be made visible only to users in designated roles.


==How it Works==
===Inventory Example===
:In an inventory management system, all records in the Inventory Object are visible to everyone (all [[Users]]). However, the operational policy states that only users with a valid ''Cost center code'' for the Purchasing Department can Add, Update, or Delete Inventory records.  
In an inventory management system, all records in the Inventory Object are visible to everyone (all [[Users]]). However, the operational policy states that only users with a valid ''Cost center code'' for the Purchasing Department can Add, Update, or Delete Inventory records.  


:Although it is possible to design access controls based on standard [[Data Access Permissions]], it could become a recurring, complex task; because users and teams are dynamic and change frequently, role- and team-based controls must be updated as the business structure evolves.
Although it is possible to design access controls based on standard [[Data Access Permissions]], it could become a recurring, complex task; because users and teams are dynamic and change frequently, role- and team-based controls must be updated as the business structure evolves.


:A better solution is to add a '''Custom Access Criteria''', which would act as follows:
A better solution is to add custom access criteria, which would work as follows:
:*On an ''add, update or delete'' action for any inventory record, verify that the user record contains a valid ''Cost center code'' from the Purchasing department, then display the records
:*On an ''add, update or delete'' action for any inventory record, verify that the user record contains a valid ''Cost center code'' from the Purchasing department, then display the records.
:*On a ''view'' action (View a record or View a List of records), display the records
:*On a ''view'' action (View a record or View a List of records), display the records.


==Working with Custom Access Criteria==
{{permissionRef|Customize Objects|select Custom Access Criteria and build Access Control rules}}
{{permissionRef|Customize Objects|select Custom Access Criteria and build Access Control rules}}


==Add Custom Access Criteria==
===Add Custom Access Criteria===
To add or edit Custom Access Criteria:
To add or edit Custom Access Criteria:
#Click '''Designer > Objects'''
# Go to '''[[File:GearIcon.png]] > Objects > {object} > Object Properties'''
#Select an object
# Click '''[Edit]'''
#Click the '''[Edit]''' button
# In the ''Access Control'' section, choose one of the following options:
#From the Properties tab, ''Access Control'' section, choose one of the following options:
#:;Role Based Permissions:Default
#:;Role Based Permissions:Default
#::*No rules specified, matches {{enterprisebrand}} through V6.2
#::*Enforces Role- and Team-based access control ([[Data Access Permissions]])
#::*Enforces Role- and Team-based access control ([[Data Access Permissions]])
#:;Custom Access Criteria:
#:;Custom Access Criteria:
#::*If selected, ''Role Based Access Control'' is not enforced
#::*If selected, ''Role Based Access Control'' is not enforced.
#::*Create criteria for any (or all) of the available actions
#::*The "Criteria Builder" appears.
#In the Custom Access Criteria Builder:
#For each action a user can take, click in the expression box.<br>The [[Formula Builder]] appears.
#* Click the ''Edit'' link for each action
# Use the Formula Builder to create a Boolean expression (one that evaluates to true or false).
#* Add custom access criteria
#* The '''Logged In User''' can be evaluated.
#:: ''Owner'' and ''Creator'' fields are available as criteria, where ''Owner'' is the [[Record Owner]] and Creator is the [[Record Creator]].
#* ''Owner'' and ''Creator'' fields are available as criteria, where ''Owner'' is the [[Record Owner]] and Creator is the [[Record Creator]].
#:: ''Owner'' and ''Creator'' fields are not available in List View or Record View Actions.
#* ''Owner'' and ''Creator'' fields are not available in List View or Record View Actions.
#* Click the [Check Syntax] button to verify that the formula is valid and returns a Boolean value (i.e. True or False)
#* [[Formula Functions]] can be used to build the expression.
#: Learn more: [[Expressions#Formula_Expressions|Formula Expressions]]
# Click the [Check Syntax] button to verify that the formula is valid and returns a Boolean value.
#: Learn more: [[Formula Expressions]]


=== About Building Custom Access Criteria===
===Considerations===
 
Considerations for building Custom Access Criteria:
*If the ''Custom Access Criteria'' option is enabled, then the [[Data Access Permissions]] are not enforced by default
*If the ''Custom Access Criteria'' option is enabled, then the [[Data Access Permissions]] are not enforced by default
*If the ''Custom Access Criteria'' is enabled and the action fields are empty, then all users have access to all records for all available actions
*If the ''Custom Access Criteria'' is enabled and the action fields are empty, then all users have access to all records for all available actions
Line 55: Line 61:
:*Fields in the [[Users Object]], including [[Users Object#Custom Fields in User Objects|custom fields]]
:*Fields in the [[Users Object]], including [[Users Object#Custom Fields in User Objects|custom fields]]
*For Add and Update actions, the formula is evaluated using the new field values (i.e., values that are part of the add/update action, not the field values in the database prior to the action)
*For Add and Update actions, the formula is evaluated using the new field values (i.e., values that are part of the add/update action, not the field values in the database prior to the action)
:* When importing data into an object where [[Custom Access Criteria]] rules are specified, no validations are performed during the import. Any data can be imported, regardless of the Custom Access Criteria rules. The restrictions apply to other actions a user can take.<noinclude>


===About Importing Data===
[[Category:Tenant Capabilities]]
When importing data into an object where [[Custom Access Criteria]] rules are applied, no validations are performed at this time. This means that any data can be imported, regardless of the Custom Access Criteria rules.
<noinclude>
 
[[Category:Glossary]]
</noinclude>
</noinclude>

Latest revision as of 22:03, 15 January 2015

GearIcon.png > Objects > {object} > Object Properties > [Edit] > Access Control > Custom Access Criteria

Custom Access Criteria lets you specify who can access/update/delete individual records, based on the data in the record, characteristics of the current user, and any other available information.

Lock-tiny.gif

About Custom Access Criteria

Custom Access Criteria can be used in place of the standard Data Access Permissions. Custom Access Criteria defines a set of expressions, one for each action that can be taken on a record:

  • Add
  • Update
  • Delete
  • List View - defines a typical View
  • Record View - displays a single Record

For each action, the Formula Builder is used to create an expression, using characteristics of the logged in User, field values, comparison operators, and Formula Functions. When the expression evaluates to true for a given user, the user has access to the record and can perform the action. (Specifying true for the expression value gives access to everyone.)

Learn more: Access Controls

Warn.png

Important:
The System User (ID = 3) executes Rules. For Rules to function properly, any access-expression that specifies a value other than true should include loggedInUser.id = '3' in an OR condition.

Payroll Example

Records with a salary in excess of a certain amount can be made visible only to users in designated roles.

Inventory Example

In an inventory management system, all records in the Inventory Object are visible to everyone (all Users). However, the operational policy states that only users with a valid Cost center code for the Purchasing Department can Add, Update, or Delete Inventory records.

Although it is possible to design access controls based on standard Data Access Permissions, it could become a recurring, complex task; because users and teams are dynamic and change frequently, role- and team-based controls must be updated as the business structure evolves.

A better solution is to add custom access criteria, which would work as follows:

  • On an add, update or delete action for any inventory record, verify that the user record contains a valid Cost center code from the Purchasing department, then display the records.
  • On a view action (View a record or View a List of records), display the records.

Working with Custom Access Criteria

Lock-tiny.gif

Users that have the Customize Objects permission can select Custom Access Criteria and build Access Control rules. 

Add Custom Access Criteria

To add or edit Custom Access Criteria:

  1. Go to GearIcon.png > Objects > {object} > Object Properties
  2. Click [Edit]
  3. In the Access Control section, choose one of the following options:
    Role Based Permissions
    Default
    Custom Access Criteria
    • If selected, Role Based Access Control is not enforced.
    • The "Criteria Builder" appears.
  4. For each action a user can take, click in the expression box.
    The Formula Builder appears.
  5. Use the Formula Builder to create a Boolean expression (one that evaluates to true or false).
    • The Logged In User can be evaluated.
    • Owner and Creator fields are available as criteria, where Owner is the Record Owner and Creator is the Record Creator.
    • Owner and Creator fields are not available in List View or Record View Actions.
    • Formula Functions can be used to build the expression.
  6. Click the [Check Syntax] button to verify that the formula is valid and returns a Boolean value.
    Learn more: Formula Expressions

Considerations

  • If the Custom Access Criteria option is enabled, then the Data Access Permissions are not enforced by default
  • If the Custom Access Criteria is enabled and the action fields are empty, then all users have access to all records for all available actions
  • Fields available to build criteria are:
  • For Add and Update actions, the formula is evaluated using the new field values (i.e., values that are part of the add/update action, not the field values in the database prior to the action)
  • When importing data into an object where Custom Access Criteria rules are specified, no validations are performed during the import. Any data can be imported, regardless of the Custom Access Criteria rules. The restrictions apply to other actions a user can take.