I see that few corrections are needed in above steps
1. About step#2 you can give permissions to all field except "Display ID" field. Row Level security works on "Display ID" permissions. So for "Display ID" field add permission only for Security Label role and remove other permissions of "Network Secure Request User". As both user are member of this role, this seems to be the reason both user see the data. As mentioned you need not remove all fields permission only update permission of "Display ID" field.
2. Step#4 states that you have user with Login ID Test1 and Test2 but in the screen shot I see input User name "Test4" may be typo please check.
3. User name need to be specified in single quote in Set security label e.g, 'Test1' and not as "Test1". Instead hard coding, you can try using $USER$ keyword as input to set security label action, but in that case same user need to start the process and not the Admin user so you can add "After Create" that starts the Process to set the security label after record is created. First try with you existing process with hard coded name (in single quote) once that works you can try using keyword. when you use keyword you need not worry about syntax (single quote)
Let me know results after above corrections.
Small correction about my point#3, User name with double quote is accepted and Set Security Label action takes care of the making it into correct syntax at backend. So make the changes as per point 1 & 2 (and ignore #3), that should work.
thank you very much for your suggestion! I checked the following 2 points.
- I have given permission is also given to Display ID.
- I removed the first Activity "Remove all security label", only left "Set Security Label"
(But I do not understand this, as "Network Secure Request User" is a Role, or is Role also a kind of security label? If "Network Secure Request User" can be removed by "Remove Security Label", why all the users can see all the records?)
it is badly named, but the Login ID of "test user 2" is really "Test4"
I sent out today a new test, i created a new record with "test user 2". Then Run the process manually via admin.
But, still, for all users, "SangZi", "test user1", "test user2", all three users can see all the records, I am really very very confused.
The version of Innovation Suite we have is 19.08.
1 of 1 people found this helpful
we control permissions in two way 1. Static permissions 2. Dynamic Permission or row level security. The static permissions are one that are given to Roles or Groups. All members from these Role or Group get the access to record. Dynamic permissions are one controlled by "Set Security Label" action. The process action "Remove Security Label" does not remove your static permissions, it can remove only dynamic permissions, so in your example permission given to "Network Security Request User" is static, you need to remove it only from Display ID field and keep only security label group permission which is "Firewall Single Team Visibility" as below
Only "Firewall Single Team Visibility" permissions given and no other.
Just to clarify - update the Record Definition for these permission, "Remove Security Label" action in Process is also not needed but it does not play any role because at the point process started security label field is already empty so that call wont have any impact as such.
great great great!!!!! Now i understand it!!! In the field Display ID, i only left "Security Label", then other users can not see it anymore!
Only one last question, I found out, the Record Creator is always able to see the record, even through Security Label is after Record Creation only added to another user, is it designed as so?
So, as i tested, if creator is "test user 2", and I execute the Process with Admin to Set Security Label to "SangZi", still, "test user 2" als Creator can see the Record, and "test user 1" cannot see it.
Thank you and i look forward to your reply!
actually not, I only left Security Label, somehow the Submitter is always able to see it.
But it is coincidentally what we want, so we are happy we do not need to do extra thing and the submitter can always see it.
Ranjit, I really want to thank you many times for all of your great help, through this I understand how Security Label works and have learned much from you.
Can you send an example how to use "Set Security Level" to add a new user, or I want to include more than one user.