How to refine Record Level Security by specifying conditional criteria

In the following example we look at how to limit access to a department's records to members of that department. The theory is identical when controlling who can access a record based on a value in the Record Status: (Access) field, or any other field for that matter.

A Vital Records Office decides that while everyone should be able to view all staff records in the Parties module, only members of each department (e.g. Registrations, Accounts, etc.) should be allowed to edit and delete their department's records.

For this example we would need to ensure that:

  • Existing records for each department are updated with the appropriate values:
    • Permissions are set: Display for group Everyone; and Edit and Delete for members of the group to which the record belongs.

      -AND-

    • The value in the Department field is set to the name of the relevant department, e.g. Registrations, Accounts.

    For instance, any Parties records belonging to group Registrations should have the following permissions and value in the Department field:

    Note: Using the Set Record Security batch update tool it is a simple matter to assign these permissions to existing records.

    In order for members of group Registrations to edit / delete this record, two Security conditions must be met:

    • The Registrations group must be added to the Security box and must have Edit and Delete permissions.

      Note: This is necessary because we have removed the Edit and Delete permissions from group Everyone (we don't want everyone to be able to edit or delete this record): if the only group added to the Security box is group Everyone, members of group Registrations will only inherit the Display permission.

    • The value in the Department field must be Registrations.

      Note: Although the Set Record Security batch update tool cannot be used to batch update the Department field, the Global Replace tool can.

  • As new records are added by members of a group, the appropriate permissions and values are automatically set.

    Note: See (Record Level) Security Registry entry for details of how to refine Record Level Security. The Security Registry entries required for this example can be found here.
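
The two conditions described above can be modelled and audited as follows. This is an added example, not EMu code and not part of the original page: the record layout, the `irn`, `department` and `security` names, the Accounts permissions and the sample records are all assumptions made for illustration. The audit flags records where the Security box and the Department field have drifted apart after separate batch updates.

```python
# Added illustration: a simplified model, not EMu's implementation.
# Field names, group names and the sample records are constructed.
GATED = {"Edit", "Delete"}                    # operations limited by department
DEPT_GROUPS = {"Registrations", "Accounts"}   # groups with a Department condition

RECORDS = [
    # Correct: Display for Everyone, Edit/Delete for the owning department.
    {"irn": 1, "department": "Registrations",
     "security": {"Everyone": {"Display"}, "Registrations": {"Edit", "Delete"}}},
    # Department field replaced, Security box left unchanged.
    {"irn": 2, "department": "Accounts",
     "security": {"Everyone": {"Display"}, "Registrations": {"Edit", "Delete"}}},
    # Only group Everyone in the Security box.
    {"irn": 3, "department": "Registrations",
     "security": {"Everyone": {"Display"}}},
    # Edit was never removed from group Everyone.
    {"irn": 4, "department": "Accounts",
     "security": {"Everyone": {"Display", "Edit"}, "Accounts": {"Edit", "Delete"}}},
]

def allowed(user_groups, record, op):
    """True if a member of user_groups may perform op on record."""
    for group in set(user_groups) | {"Everyone"}:
        if op not in record["security"].get(group, set()):
            continue   # condition 1 fails: group lacks the permission
        if op in GATED and group in DEPT_GROUPS and record["department"] != group:
            continue   # condition 2 fails: Department value does not match
        return True
    return False

def audit(records):
    """Report records nobody in the owning department can edit or delete,
    and records that group Everyone can still edit or delete."""
    findings = []
    for rec in records:
        sec, dept = rec["security"], rec["department"]
        missing = GATED - sec.get(dept, set())
        if missing:
            findings.append((rec["irn"], "missing", dept, sorted(missing)))
        extra = GATED & sec.get("Everyone", set())
        if extra:
            findings.append((rec["irn"], "overbroad", "Everyone", sorted(extra)))
    return findings

if __name__ == "__main__":
    for finding in audit(RECORDS):
        print(finding)
```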