Conditional security and data restrictions

In the Security Groups application, you can use data restrictions to meet conditional security requirements for users. You can set restrictions on which records a group can access within the larger set of records.

You can use data restrictions on an object to hide records or to make records read-only. At the attribute level, you can create data restrictions to make attributes hidden, read-only, or required. Because these data restrictions exist at the data level, they apply to every user interface element and application that uses the object or attribute.

Data restrictions provide the following ways to configure access to data for groups of users:

If you create a data restriction on an object, that restriction does not apply to views of that object. For the restriction to also apply to a view of the object, you must create a separate restriction on that view.

When you grant a user access to an application, the user has access to all the data elements per the business logic of that application.

Group data restrictions

In the Security Groups application, you can set restrictions using a condition that defines which records a group can access. If a user is in multiple groups and one or more of those groups has data restrictions, the restrictions are combined as follows: qualified data restrictions are ORed together, and all other data restrictions are ANDed together.

However, if one of the groups has application access, different rules apply. If the user belongs to a group with read access and also has access to a siteorg, the data restrictions are considered. If not, the data restrictions are ignored.
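The following is an added example, not code from the Security Groups application, that models the combination rule above for a user in several groups: qualified restrictions from all groups are ORed, while hidden and read-only restrictions are ANDed. The restriction kinds, the work order records, and the conditions are constructed for illustration, and the assumption that an ANDed read-only or hidden restriction only takes effect when every group's condition matches is the example's own reading of the rule.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Record = Dict[str, object]
Condition = Callable[[Record], bool]


@dataclass(frozen=True)
class Restriction:
    group: str
    kind: str  # assumed kinds: "QUALIFIED", "HIDDEN" or "READONLY"
    condition: Condition


def effective_access(record: Record, restrictions: List[Restriction]) -> str:
    """Return 'NONE', 'READONLY' or 'FULL' for one record under a user's combined restrictions."""
    qualified = [r.condition for r in restrictions if r.kind == "QUALIFIED"]
    hidden = [r.condition for r in restrictions if r.kind == "HIDDEN"]
    readonly = [r.condition for r in restrictions if r.kind == "READONLY"]
    # Qualified restrictions are ORed: any group's condition is enough to grant access.
    if qualified and not any(c(record) for c in qualified):
        return "NONE"
    # Other restrictions are ANDed: every group's condition must match before it applies.
    if hidden and all(c(record) for c in hidden):
        return "NONE"
    if readonly and all(c(record) for c in readonly):
        return "READONLY"
    return "FULL"


def visible_records(records: List[Record], restrictions: List[Restriction]) -> Dict[str, str]:
    """Map each accessible record's WONUM to its access level, dropping hidden ones."""
    result = {}
    for rec in records:
        access = effective_access(rec, restrictions)
        if access != "NONE":
            result[str(rec["wonum"])] = access
    return result


# Constructed sample: two groups, each qualified for one site, with differing read-only rules.
SAMPLE_RESTRICTIONS = [
    Restriction("MAINT-BEDFORD", "QUALIFIED", lambda r: r["siteid"] == "BEDFORD"),
    Restriction("MAINT-NASHUA", "QUALIFIED", lambda r: r["siteid"] == "NASHUA"),
    Restriction("MAINT-BEDFORD", "READONLY", lambda r: r["status"] == "CLOSE"),
    Restriction("MAINT-NASHUA", "READONLY", lambda r: r["status"] in ("CLOSE", "COMP")),
]
SAMPLE_RECORDS = [
    {"wonum": "1001", "siteid": "BEDFORD", "status": "APPR"},
    {"wonum": "1002", "siteid": "NASHUA", "status": "CLOSE"},
    {"wonum": "1003", "siteid": "NASHUA", "status": "COMP"},  # read-only in one group only
    {"wonum": "1004", "siteid": "TEXAS", "status": "APPR"},   # neither group qualifies
]
```

Because the read-only conditions are ANDed, work order 1003 stays fully editable: only one group's condition matches it.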

Global data restrictions

You use the Global Data Restrictions action to set system-wide restrictions that use a condition to define which records can be accessed. To create the expressions for these conditions, use the Conditional Expression Manager application.
