In the Security Groups application, you can use data restrictions
to meet conditional security requirements for users. You can set restrictions
on which records a group can access within the larger set of records.
At the object level, you can use data restrictions to hide records
or to make records read-only. At the attribute level, you can create
data restrictions to make attributes hidden, read-only, or required.
Because these data restrictions exist at the data level, the restrictions
apply to any user interface element or application that uses the object
or attribute.
Data restrictions provide the following ways to configure access
to data for groups of users:
- You can make an entire object or an entire object within the context
of an application hidden or read-only, either conditionally or unconditionally
for the entire system or for a security group.
- You can associate an object or object and application
with a condition to qualify the data to be returned. Only data that
meets the condition is fetched from the database. This differs from
data that is fetched from the database but is hidden in a certain
condition. Qualified data restrictions are applied only to top-level
objects in lookups and in dialogs that are configured to allow them.
- You can set data restrictions for attributes within objects, either
with or without an application specified. In these restrictions, you
can make the attribute hidden, required, or read-only, either conditionally
or unconditionally, for the entire system or for a security group.
At run time, within the applications, controls bound to restricted
objects or attributes can change their display as a user scrolls through
records.
- You can set collection restrictions to control the collections
of assets, locations, and configuration items that a group can access.
- Data restrictions always supersede application configurations
in the Application Designer application. For example, if an attribute
has a data restriction that makes it read-only, the Application Designer
application can never make that attribute editable. The hierarchy
is database configuration, data restriction, and then Application
Designer application.
- Configurations that you create with data restrictions apply wherever
an attribute is used, while Application Designer configurations do
not. For example, you want to restrict access to a field that appears
in the header section of multiple tabs. If you put a data restriction
on the attribute, all the fields inherit the restriction. If you configure
the same restriction in the Application Designer application, you
must apply the same configuration to each field on each tab.
- Application Designer configurations are always for one application.
Configurations that use data restrictions can apply to all applications
that use the object or attribute or to one specific application.
If you create a data restriction on an object, that restriction
does not apply to views of that object. For the restriction to apply
to the views of the object as well, you must create a separate restriction
for each view.
When you grant a user access to an application, the user has access
to all the data elements per the business logic of that application.
Group data restrictions
In the Security Groups application, you can set restrictions using a condition that
defines which records a group can access. If a user is in multiple
groups, and one or more of those groups has data restrictions, the
data restrictions behave in certain ways: qualified data restrictions
are ORed together and other data restrictions are ANDed together.
However, if one of the groups has application access, then different
rules apply. If a user belongs to a group with read access and also
has access to a site or organization, then data restrictions are considered. If
not, then data restrictions are ignored.
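As an added illustration (not Maximo's own code), a small Python model of the combination rules described above: qualified restrictions are ORed across a user's groups, hidden and read-only restrictions are ANDed, and a data restriction that makes data read-only overrides an Application Designer configuration that makes it editable. The treatment of a group that carries no restriction on the object, which is taken here to leave that object unrestricted for the user, is an assumption, as are the sample records.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Record = Dict[str, object]
Condition = Callable[[Record], bool]


@dataclass
class GroupRestrictions:
    """Data restrictions that one security group places on one object."""
    qualified: Optional[Condition] = None   # record fetched only if true
    hidden: Optional[Condition] = None      # record hidden when true
    readonly: Optional[Condition] = None    # record read-only when true


def qualified_records(groups: List[GroupRestrictions],
                      records: List[Record]) -> List[Record]:
    """Qualified restrictions are ORed: a record is fetched if any group's
    condition accepts it. Assumption: a group with no qualified restriction
    accepts every record, so the user sees the whole set."""
    conds = [g.qualified for g in groups if g.qualified is not None]
    if len(conds) < len(groups):
        return list(records)
    return [r for r in records if any(c(r) for c in conds)]


def _anded(groups: List[GroupRestrictions], kind: str, record: Record) -> bool:
    """Hidden/read-only restrictions are ANDed: every group must restrict
    the record for the restriction to take effect for the user."""
    conds = [getattr(g, kind) for g in groups]
    if any(c is None for c in conds):
        return False
    return all(c(record) for c in conds)


def is_hidden(groups: List[GroupRestrictions], record: Record) -> bool:
    return _anded(groups, "hidden", record)


def is_readonly(groups: List[GroupRestrictions], record: Record,
                app_designer_editable: bool = True) -> bool:
    """Data restriction supersedes Application Designer: once the
    restriction makes the record read-only, the application cannot
    make it editable again."""
    if _anded(groups, "readonly", record):
        return True
    return not app_designer_editable


# Constructed sample records (not from the page) for a quick check.
SAMPLE = [{"site": "A", "status": "APPR"}, {"site": "B", "status": "CLOSE"},
          {"site": "C", "status": "CLOSE"}]
```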
Global data restrictions
You use the Global Data Restrictions action to set restrictions that
use a condition that defines which records can be accessed in the
system. To create expressions for these conditions, use the Conditional
Expression Manager application.