7 Replies Latest reply on Oct 4, 2019 3:56 AM by Zi Sang

    Innovation Suite - the most simple example of Security Label doesn't work, I really do not understand how it works

    Zi Sang

      Hi Everyone,

       

      I have read many articles about security labels; please see these discussions:

      Re: Innovation Suite - How to let user only see the by themself created data records in Record Grid?

      Innovation Suite-How to set Record Grid to be visible only for people from the same team?

       

      I did the following, the most simple demo, and it does not work:

       

      1. In the Data Record called "Request", I created a security label.

      [screenshot: 1.png]

      2. In every field of this record, I set the permission of the group for this security label.

      [screenshot: 2.png]

       

      3. Created a Process that uses just 2 activities: first "Remove all Security Label", second "Set Security Label"; in "User Names" I just wrote the login ID "Test1" of a test user.

      [screenshot: 3.png]

      4. For the test, I have 2 users, "test user 1" and "test user 2"; both only have the role "Network Secure Request User", which can change every field of the Request.

      Now I log in as "test user 1" with login ID "Test1", then create a new record instance of "Request".

       

      5. Then I log in as "test user 2" with login ID "Test2", and because up till now I haven't launched the process yet and no security label is added, I as "test user 2" can of course see the data created by "test user 1".

       

      6. So I then log in as admin and launch the process "Set Security Label" manually; the process is "COMPLETED". After that, the record should only be visible to "test user 1".

      [screenshot: 4.png]

       

      7. But when I then log in as "test user 2" again, I still see the record! The Security Label does not work!!!

       

      Does anyone know where the problem is?

       

      Thank you!

       

      Best regards

      Zi

        • 1. Re: Innovation Suite - the most simple example of Security Label doesn't work, I really do not understand how it works
          Ranjit Jadhav

          Hello Zi,

           

          I see that a few corrections are needed in the above steps:

              1. About step #2: you can give permissions to all fields except the "Display ID" field. Row-level security works on the "Display ID" permissions. So for the "Display ID" field, add permission only for the Security Label role and remove the other permissions of "Network Secure Request User". As both users are members of this role, this seems to be the reason both users see the data. As mentioned, you need not remove all field permissions, only update the permissions of the "Display ID" field.

              2. Step #4 states that you have users with login IDs Test1 and Test2, but in the screenshot I see the input user name "Test4"; maybe a typo, please check.

              3. The user name needs to be specified in single quotes in Set Security Label, e.g. 'Test1' and not "Test1". Instead of hard coding, you can try using the $USER$ keyword as input to the Set Security Label action, but in that case the same user needs to start the process and not the Admin user, so you can add an "After Create" that starts the Process to set the security label after the record is created. First try with your existing process with the hard-coded name (in single quotes); once that works, you can try using the keyword. When you use the keyword you need not worry about syntax (single quotes).

           

          Let me know the results after the above corrections.

           

          regards

          Ranjit

          • 2. Re: Innovation Suite - the most simple example of Security Label doesn't work, I really do not understand how it works
            Ranjit Jadhav

            A small correction about my point #3: the user name with double quotes is accepted, and the Set Security Label action takes care of making it into the correct syntax at the backend. So make the changes as per points 1 & 2 (and ignore #3); that should work.

            • 3. Re: Innovation Suite - the most simple example of Security Label doesn't work, I really do not understand how it works
              Zi Sang

              Dear Ranjit,

               

              Thank you very much for your suggestion! I checked the following 2 points.

               

              Point 1:

              - I have also given the permission to Display ID.

              - I removed the first activity "Remove all security label" and only left "Set Security Label".

              (But I do not understand this: "Network Secure Request User" is a Role, or is a Role also a kind of security label? If "Network Secure Request User" can be removed by "Remove Security Label", why can all the users see all the records?)

              [screenshot: 01.png]

              Point 2:

              It is badly named, but the login ID of "test user 2" is really "Test4".

              [screenshot: 02.png]

              I ran a new test today: I created a new record with "test user 2", then ran the process manually via admin.

              But still, all three users, "SangZi", "test user1" and "test user2", can see all the records. I am really very, very confused.

               

              The version of Innovation Suite we have is 19.08.

               

              Best regards,

              Zi

              • 4. Re: Innovation Suite - the most simple example of Security Label doesn't work, I really do not understand how it works
                Ranjit Jadhav

                Zi,

                 

                We control permissions in two ways: 1. static permissions, 2. dynamic permissions, or row-level security. Static permissions are the ones that are given to Roles or Groups; all members of these Roles or Groups get access to the record. Dynamic permissions are the ones controlled by the "Set Security Label" action. The process action "Remove Security Label" does not remove your static permissions; it can remove only dynamic permissions. So in your example the permission given to "Network Security Request User" is static; you need to remove it only from the Display ID field and keep only the security label group permission, which is "Firewall Single Team Visibility", as below:

                 

                 

                Only the "Firewall Single Team Visibility" permission is given and no other.

                 

                Just to clarify: update the Record Definition for these permissions. The "Remove Security Label" action in the Process is also not needed, but it does not play any role, because at the point the process started the security label field was already empty, so that call won't have any impact as such.

                 

                regards

                Ranjit

                • 5. Re: Innovation Suite - the most simple example of Security Label doesn't work, I really do not understand how it works
                  Zi Sang

                  Dear Ranjit,

                   

                  Great, great, great!!!!! Now I understand it!!! In the field Display ID I only left "Security Label", and then other users cannot see it anymore!

                   

                  Only one last question: I found out that the record creator is always able to see the record, even though the Security Label is added only to another user after record creation. Is it designed so?

                  So, as I tested, if the creator is "test user 2" and I execute the Process with Admin to set the Security Label to "SangZi", "test user 2" as creator can still see the record, and "test user 1" cannot see it.

                   

                  Thank you, and I look forward to your reply!

                   

                  Best regards,

                  Zi

                  • 6. Re: Innovation Suite - the most simple example of Security Label doesn't work, I really do not understand how it works
                    Ranjit Jadhav

                    I think you still have the additional permissions "Submitter" and "Assignee" on Display ID, which give access to the Submitter or Assignee user. Can you please check that? I highlighted it in the image below.

                     

                    If you want permissions to be controlled only by the security label, then remove these permissions as well.
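A simplified model of the rule Ranjit describes above (static role/group permissions versus the dynamic security label and the Submitter/Assignee permissions, all evaluated on the Display ID field). This is an added example, not Innovation Suite code; the classes, the user names Test1/Test4 and the role name are constructed from the thread, and the helper names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Set

@dataclass(frozen=True)
class User:
    login: str
    roles: FrozenSet[str]

@dataclass
class Record:
    submitter: str
    assignee: Optional[str] = None
    label_users: Set[str] = field(default_factory=set)  # filled by "Set Security Label"

@dataclass(frozen=True)
class DisplayIdPermissions:
    """Permissions configured on the Display ID field of the record definition (model)."""
    static_roles: FrozenSet[str] = frozenset()  # static: roles/groups, fixed per definition
    security_label: bool = False                # dynamic: the security label group
    submitter: bool = False
    assignee: bool = False

def can_see(user: User, rec: Record, perms: DisplayIdPermissions) -> bool:
    """Row-level visibility: the user sees the row if any Display ID permission applies."""
    if perms.static_roles & user.roles:
        return True   # a static role permission grants every role member the row
    if perms.security_label and user.login in rec.label_users:
        return True
    if perms.submitter and user.login == rec.submitter:
        return True
    return bool(perms.assignee and rec.assignee == user.login)

def remove_all_security_labels(rec: Record) -> None:
    rec.label_users.clear()   # touches only dynamic entries; static roles are untouched

def set_security_label(rec: Record, *logins: str) -> None:
    rec.label_users.update(logins)

ROLE = "Network Secure Request User"
TEST1 = User("Test1", frozenset({ROLE}))
TEST4 = User("Test4", frozenset({ROLE}))   # "test user 2" in the thread
BROKEN = DisplayIdPermissions(static_roles=frozenset({ROLE}), security_label=True)
FIXED = DisplayIdPermissions(security_label=True)

def visibility(perms: DisplayIdPermissions, submitter: str, labelled: str) -> dict:
    """Who sees a record submitted by `submitter` after the process labels `labelled`."""
    rec = Record(submitter=submitter)
    remove_all_security_labels(rec)
    set_security_label(rec, labelled)
    return {u.login: can_see(u, rec, perms) for u in (TEST1, TEST4)}
```

With `BROKEN` (the original setup, role still on Display ID) both users see the labelled record; with `FIXED` only the labelled user does, and adding `submitter=True` reproduces the creator-always-sees behaviour.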

                    • 7. Re: Innovation Suite - the most simple example of Security Label doesn't work, I really do not understand how it works
                      Zi Sang

                      Dear Ranjit,

                       

                      Actually not; I only left Security Label, and somehow the Submitter is always able to see it.

                      But it is coincidentally what we want, so we are happy that we do not need to do anything extra and the submitter can always see it.

                      [screenshot: 2019-10-04 10_52_16.png]

                      Ranjit, I really want to thank you many times for all of your great help; through this I understand how Security Label works and have learned much from you.

                       

                      Best regards,

                      Zi