Overview
Access Rights control who can view or modify records within the app and are set per record. Users and Teams can be assigned either Read Only access, allowing them to view records without changes, or Full Access, which grants full control including editing, archiving, and deleting based on their permission levels. Access can be set by default, inherited from a Parent Record, assigned dynamically through workflows, or updated manually by an administrator to ensure the right people always have the appropriate level of access.
- Use Case: Access for a To Do linked to a Project
- Record Access Definitions
- Access Right Priority
- Record Access Management
Use Case: Access for a To Do linked to a Project
To start with, we will look at a scenario that explains the access rights you will see and where they come from. We will then define these in more detail and look at how to view and change the access rights on a Record.
For our scenario, we have created a ToDo item. This item has then been linked to a Project record, and workflow and manual edits have been applied to ensure the right people can view, or view and edit, this Record.
Here is how the access has been applied:
- The ToDo Record is created by Jane and so she has been assigned the Owner Full Access Right
- The creation of the ToDo was not from within a Parent context so the App default security is applied. This gives ReadOnly access to the Operations Team.
- The ToDo has then been linked to a Project. It inherited the ReadOnly Team access right for Project Managers, who can now view the ToDo, and Full Access has been given to Alan, who had Full Access to the Project as the Project Owner.
- Workflow gives us our next access right. This goes to Jeremy; in our scenario we'll suppose this to be a workflow that sets Full Access for the ToDo Lead, which Jeremy has been named as.
- Finally, a manual User access right has been set for Sarah at the Record level. It could be that this user has been brought on to collaborate with the ToDo Lead due to the importance of the ToDo.
Record Access Definitions
Record Access controls which Users and Teams, or whether All users, can view or modify specific Records. Access is governed at two levels, with the additional caveat that a Record must always have one access right, the Owner right:
Read Only – The User/Team can view but not modify the Record.
Full Access – The User/Team can view, edit, archive, and delete the Record.
Owner – A particular access right that gives Full Access to the creator of the Record. (This can only be changed via workflow, but a Record must always have an Owner access right.)
Record Access can be set via four different sources:
APP - Default Access Rights
When a new Record is created, it inherits the default access rights defined by the App Developer at the time of publishing. These defaults determine which Teams or Users receive Read Only or Full access.
Note: If the Record is created in a child context then it will not apply the App Default Access but apply the access it inherits from the Parent Record that it has been created in.
PARENT - Inherited from a Parent Record
Access rights are inherited when a link is created from a Record to a Parent. This happens in two scenarios:
- Created from a Parent Record: On creation of a child record from within a parent record, the default access on the child is ignored and the access rights from the parent will be set on the child record.
- Linked to a Parent Record: When the Record already exists and is then linked to a Parent, the Record keeps its existing Access Rights from before the link and additionally gains the access that is on the Parent Record.
Note: For a workflow initiated link to parent record, the App Builder has the option to ignore inheriting the access rights from the Parent Record. For more on how this affects the resulting access rights see the workflow article here.
WORKFLOW - Workflow-Assigned Access Rights
Additional access rights may be assigned dynamically via Workflows.
For example: A workflow can automatically grant Full Access to a Project Manager when they are referenced in a “Person” field on a Project Record.
RECORD - Manual Administrator Overrides
Administrators can manually update Record Access Rights at any time. This allows overriding defaults or workflow-based rights as necessary.
Access Right Priority
There are many scenarios where a user is covered by more than one Access Right. They may be in one Team giving ReadOnly Access, in another Team giving Full Access, and also have a specific Access Right giving their User a level of access. In these scenarios, there is a hierarchy that governs the actual level of Record Access.
FIRST by Type - The Owner Access Right > A User Access Right > A Team Access Right > An All Access Right
THEN by Access - Full > ReadOnly
So with a couple of examples we can see:
- A User - ReadOnly Access Right will take priority over a Team - Full Access Right
- A Team - Full Access Right would still take priority over a Team - ReadOnly Access Right.
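The two-step precedence above, worked through as an added example (this is not the product's own code). The class and function names, the "ToDo Leads" team, Sarah's ReadOnly level and all team memberships are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Precedence as stated in the article: first by Type, then by Access.
TYPE_RANK = {"Owner": 0, "User": 1, "Team": 2, "All": 3}
ACCESS_RANK = {"Full": 0, "ReadOnly": 1}

@dataclass(frozen=True)
class AccessRight:
    kind: str                      # Owner | User | Team | All
    access: str                    # Full | ReadOnly
    source: str                    # App | Parent | Workflow | Record
    subject: Optional[str] = None  # user or team name; None for All

def effective_right(rights: Iterable[AccessRight], user: str,
                    teams: Set[str]) -> Optional[AccessRight]:
    """Return the right that governs `user`, or None if no right applies."""
    def applies(r: AccessRight) -> bool:
        if r.kind in ("Owner", "User"):
            return r.subject == user
        if r.kind == "Team":
            return r.subject in teams
        return r.kind == "All"

    matching = [r for r in rights if applies(r)]
    # Lowest (type rank, access rank) tuple wins: type is compared first,
    # so a User ReadOnly right beats a Team Full right.
    return min(matching,
               key=lambda r: (TYPE_RANK[r.kind], ACCESS_RANK[r.access]),
               default=None)

# Constructed rights, loosely modelled on the ToDo use case.
TODO_RIGHTS = [
    AccessRight("Owner", "Full", "Record", "Jane"),
    AccessRight("Team", "ReadOnly", "App", "Operations"),
    AccessRight("Team", "ReadOnly", "Parent", "Project Managers"),
    AccessRight("User", "Full", "Parent", "Alan"),
    AccessRight("User", "Full", "Workflow", "Jeremy"),
    AccessRight("User", "ReadOnly", "Record", "Sarah"),      # level assumed
    AccessRight("Team", "Full", "Record", "ToDo Leads"),     # hypothetical team
]

if __name__ == "__main__":
    for user, teams in [("Jane", {"Operations"}), ("Sarah", {"ToDo Leads"}),
                        ("Priya", {"Operations", "ToDo Leads"}), ("Omar", set())]:
        print(user, effective_right(TODO_RIGHTS, user, teams))
```

When reviewing a Record's Security list, this ordering means a user-level ReadOnly row limits that user even if one of their Teams holds Full Access.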
Record Access Management
View the Existing Access on a Record
Open the record that you would like to view the Security on and select 'Security' from the Record Feature Menu.
This will open a modal listing the current Access Rights on the Record.
The Access rights will be broken down to show who has access and where the access came from. See above for more detailed Record Access Definitions.
- Access: This is the level of Access that has been granted. It can be either ReadOnly or Full with priority to Full.
- Source: The source lets you know how the Access Right was granted.
  - App means that it was a default Access Right granted on creation of the Record.
  - Record is for the Owner Right or it means that the Access Right was added manually.
  - Workflow is when the Access has been set as the result of a triggered Workflow on the Record.
  - Parent means that the Access Right was inherited from a Parent Record, either on creation or link.
- Type: The options for Type are Owner, User, Team and All. There is a priority for the Access.
  - The Owner Right takes precedence over a User Right.
  - A User Right takes precedence over a Team Right.
  - A Team Right takes precedence over an All Right.
- User/Team: This is the User or Team that has been selected for the Access Right.
Add a New Access Right
The Access Rights on a Record may need to be altered. This could be to give a different Team access to a Record or to change the Access for a Record from Full to ReadOnly for a User.
To add a new Access Right, click on 'Add Row'. This will give you three options to fill in. First set the Access Type. Next choose if the Access Level is for a Team, a User or all Users. Finally select the User or Team that the access right is relevant to. When adding the User or Team, simply start typing to narrow down the available matches to select from.
Remove an Access Right
You can remove an Access Right by clicking on the cross to the right of the Access Right. The one exception is the Record Owner. The Owner Access Right can never be removed, so the creator of a record will always have editable access to that record.
For both adding and removing access, remember to click Save so as not to lose any updates.