You can use row-level security by adding a security label on the record definition and setting the permission using a rule/process as below:
You can create an application role that represents the team and associate that role with a functional role. This functional role you can assign to a person.
Now, when a record is created using a Rule or Process, you can use the "Set Security Label" action to set the dynamic permission and pass the application role that represents the team. When the user opens the Record Grid, the server will return the records which are accessible to the given "roles" to which the user belongs, and no additional UI filter will be needed. Your existing filter on Created By can be added on top of that to filter the result at the UI level.
We had this discussion some months ago and, like I said at the time, I would go with using Security Labels.
Thank you, that is right, you told me to try Security Labels, but I did not try them at that time.
The following things I can still not understand regarding Security Label:
(1) For example, we have Team AAA, Team BBB, Team CCC, ... Team ZZZ. Should we set a Security Label for each team? The Team Name is set in Person and may be updated. So once a Team name changes, do we need to change it in the Security Label as well?
(2) In a Process, "On Create" and then "Set Security Label": how should I first check that the creator is from Team XXX, and then give the Security Label also for Team XXX?
Thank you so much!
Regarding security labels, I still have 2 questions, would you please take a look at my comment above?
How are you representing "Team"? Is it an Organization? Is it an Application Role or a Group that represents the team?
Set Security Label accepts group names, role names and Organization IDs. Based on what your "Team" is mapped to, you can create a process as follows:
1. Use "Get Records By Query" On "com.bmc.arsys.rx.foundation:Person" record with condition 'Login ID' = Current User. In this 'Login ID' is field from Person and "Current User" appears in "General" drop down in Expression editor that resolves to $USER$. Select first matching record for "Get Records By Query".
2. This will give the Person record and now you can get the name of the Team. You can assign this Team name to any local variable.
3. Now, if your "Team" name is the same as the Application Role name, then you can use the team name directly in the Set Security Label action in the "Role Names" field.
4. If your "Team" name is the same as the Group Name, then you can use the team name directly in the Set Security Label action in the "Group Names" field.
5. If it is an Organization name, then you have to add another "Get Records By Query" to query the record "com.bmc.arsys.rx.foundation:Organization", get the Organization whose name matches the Team name, and use its ID in the Set Security Label action in the "Organization Ids" field.
Basically, relate your Team either to a Role, Group or Organization, then get the related object using "Get Records By Query" and use its value in Set Security Label.
There is another, shorter approach which you can use. In the Set Security Label action you can use "General->Current Groups" for the "Group Names" field; this will actually use all groups from the current user's permissions. But this does not allow controlling access at one specific group level, it will give access to all groups to which the user belongs.
Hope this helps.
My use case is: all the people from the same "Support Group" of an Organization can see the records which are created by a person from this Support Group.
I did the following according to your suggestion:
1. In the Record "Firewall Request", I created a Security Label called "Firewall Single Team Visibility"
2. In each Field of the Record "Firewall Request", I added permission for the Security Label "Firewall Single Team Visibility"
3. I created a Process "Set Creators Support Group as Security Label"
The following 4 activities are used:
3.1 "Get Record-Firewall Request"
The Input Variable is the Record ID of the Record "Firewall Request", so I use this to get the Record "Firewall Request"
3.2 "Get Records By Query-Person", to get the Person Record, who has created the "Firewall Request" Record.
Query Expression is: "Login ID" of "Person" = "Created By" of "Firewall Request"
3.3 "Get Records By Query-Support Groups" -> To find out all the Support Groups that this Person belongs to
Have I done something wrong in the query expression?
"Group ID" of "Support Group" = "Get Record By Query-Person" > Output > Associations > the FOURTH Secondary Organization > Group ID
3.4 Sub-Process with "Set Security Label" -> To set all the Support Groups of this Person as the Security Label
Loop Type is Sequential, Loop Data Input is the Output of "Get Records By Query-Support Groups", and Input Data Item is a Local Variable with Record Type (Support Group) named "support group instance"
In "Set Security Label-Request":
The Field "Organization IDs" is set to the "ID" of the local variable "support group instance"
The Trigger of the Process is "After Create" of the Record "Firewall Request"
I created a Firewall Request, and the process detail is as follows:
In "Get Records By Query-Person", I get myself successfully.
But in "Get Records By Query-Support Groups", the output is empty.
As we don't know how to find the "Support Group" from the Output of a "Person", we did the following workaround:
By creating the Record, user must also choose "Support Group" from a Name List.
Then, in the Process, we used "Set Security Label" and in the "Organization" field we filled in the ID of the Support Group.
And in the end, in my process, the security label does NOT work: all test users from different support groups can still see all the data records.
Maybe we are wrong at one thing:
- Maybe we should not:
"Set Security Label" -> Maybe not set "Organization IDs" as the ID of "Support Group"
- Maybe we should:
Loop through every Person of a certain "Support Group", and set the "User Names" as the "LoginID" of each Person
-> In Detail:
When creating a Record "Request", the user must choose a Support Group, so that we get the ID of the "Support Group"; then, by using a Multiple Instance Loop, we give each Person in this Support Group a Security Label. In the future, if anyone from this support group wants to see the data, as everyone has a security label, they can see the data.
What is the problem now:
1. Even the most simple Set Security Label does not work at all, I don't know what is wrong. I made a test, just giving a security label to one test user, but still, all test users can see this record. Please also see:
2. I have a problem getting the following in the process for the multiple instance loop: "Get Record - Support Group" > Output > Associations > ??? HERE ARE MANY "Person", which one should I choose? I tested all 4 "Person" there, none of them works. Please also see:
Thank you very much!
I replied to your queries about "Simple Security Label use case" and "which Person association to select" in the thread "Innovation Suite - With ID of "Support Group", how to get each "Person" in this Support Group" and https://communities.bmc.com/thread/200168 respectively.
Coming back to the process flow that you mentioned in this post, please try making the following changes:
1. As mentioned in the other thread, ensure that you set the "Display Id" field permissions to the "Security Label" group and remove other permissions, if any.
2. In your process, you don't need the additional query on support groups performed by "Get Records By Query-Support Groups". The Person record already has the list of associated Support Groups; we can use that directly in the multi-instance loop. So remove the action "Get Records By Query-Support Groups".
3. Modify process as
3.1 Create a local variable for the Person Record and map the output of "Get Records By Query - Person" to it, so that we know which association to use.
3.2 Create a local variable for the Support Group Record. This will be the "Input Data Item" for the multi-instance loop.
3.3 As there is only one action inside the Sub-Process, you actually don't need the Sub-Process. You can add the Multi-Instance loop directly on the Set Security Label action. It should work even with a Sub-Process, it just adds a little overhead. Usually we go for a sub-process when more than one action needs to be grouped.
3.4 Now use Person Record variable->Associations->Support Members as "Loop Data Input". (If you want to use a different association, check the association definitions of Person and use the respective Record Role Name.) As mentioned in the other post, you need the local variable so that the Expression editor expands the Associations by Role Name.
3.5 Set the Support Group record local variable as "Input Data Item".
3.6 Use the ID of the Support Group record local variable in the Organization ID of the Set Security Label action input map, with Append Existing Value set to True.
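The following is an added model of the row-level security behaviour discussed in this thread (the first answer's explanation that the server returns only records whose label matches the user's roles, groups or organizations; the process in the reply above that loops over the creator's support groups with Append Existing Value = True; and the symptom that every test user still sees every record when a field keeps a permission other than the Security Label). It is plain Python written for this post, not Innovation Suite code or its API: the `PERSONS` mapping, the `Public` group, the `SG-*` organization IDs and the name `"Security Label"` for the label permission are all constructed, and the rule that a field is readable when any one of its permissions is satisfied is an assumption of the model.

```python
"""Constructed model of row-level security with dynamic security labels."""
from dataclasses import dataclass, field

# Pseudo-group a field permission refers to when it is granted to the record's
# Security Label (constructed name for this model).
SECURITY_LABEL_GROUP = "Security Label"


@dataclass
class User:
    login_id: str
    roles: set = field(default_factory=set)    # application role names
    groups: set = field(default_factory=set)   # permission group names
    org_ids: set = field(default_factory=set)  # IDs of organizations / support groups


@dataclass
class Record:
    record_id: str
    created_by: str
    # Permissions granted on the "Display Id" field: ordinary group names
    # and/or SECURITY_LABEL_GROUP. Any other permission here bypasses the label.
    field_permissions: set
    # The dynamic label written by the "Set Security Label" action.
    label_role_names: set = field(default_factory=set)
    label_group_names: set = field(default_factory=set)
    label_org_ids: set = field(default_factory=set)
    label_user_names: set = field(default_factory=set)


def set_security_label(record, *, role_names=(), group_names=(), org_ids=(),
                       user_names=(), append_existing_value=True):
    """Model of Set Security Label. With append_existing_value=False each call
    replaces the previous label, so a loop keeps only its last iteration."""
    new_values = {
        "label_role_names": set(role_names),
        "label_group_names": set(group_names),
        "label_org_ids": set(org_ids),
        "label_user_names": set(user_names),
    }
    for attr, values in new_values.items():
        if append_existing_value:
            getattr(record, attr).update(values)
        else:
            setattr(record, attr, values)
    return record


def label_matches(record, user):
    """True when the user holds any role, group, organization or login in the label."""
    return bool(record.label_role_names & user.roles
                or record.label_group_names & user.groups
                or record.label_org_ids & user.org_ids
                or user.login_id in record.label_user_names)


def can_read(record, user):
    """Server-side check (assumed): readable if any one field permission is satisfied."""
    for perm in record.field_permissions:
        if perm == SECURITY_LABEL_GROUP:
            if label_matches(record, user):
                return True
        elif perm in user.groups:
            return True
    return False


def visible_records(records, user):
    """What a Record Grid would return for this user, with no UI-side filter."""
    return [r.record_id for r in records if can_read(r, user)]


def label_with_creator_support_groups(record, persons):
    """Model of the 'Set Creators Support Group as Security Label' process:
    look up the Person whose Login ID equals Created By, then loop over that
    person's support-group associations, calling Set Security Label with
    Append Existing Value = True on every iteration."""
    for group_id in sorted(persons[record.created_by]):   # assumed association lookup
        set_security_label(record, org_ids=[group_id], append_existing_value=True)
    return record


# Constructed sample data: Person login ID -> IDs of associated Support Groups.
PERSONS = {
    "alice": {"SG-AAA"},
    "bob": {"SG-BBB"},
    "carol": {"SG-AAA", "SG-CCC"},
}


def demo():
    """Compare a leaky field permission set-up with the corrected one."""
    users = [User(login, groups={"Public"}, org_ids=sgs) for login, sgs in PERSONS.items()]
    # Misconfigured: "Display Id" still carries Public next to the label, so the
    # label restricts nothing and every user sees the record.
    leaky = Record("REQ-1", "alice", {"Public", SECURITY_LABEL_GROUP})
    # Corrected: only the Security Label grants read access on the field.
    strict = Record("REQ-2", "alice", {SECURITY_LABEL_GROUP})
    for rec in (leaky, strict):
        label_with_creator_support_groups(rec, PERSONS)
    return {u.login_id: visible_records([leaky, strict], u) for u in users}


if __name__ == "__main__":
    print(demo())
```

Running it shows bob (support group SG-BBB) seeing only REQ-1, while alice and carol, who share SG-AAA with the creator, see both; the same functions also show why a loop without Append Existing Value ends up with only the last support group in the label.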