Assigning security to a user or group

Row Level Security Assignment window overview

Once you have identified the tables and fields that will have security applied to them, you must specify the field values associated with a user’s login. You do this in the Row Level Security Assignment window. You access it in System Administration.

Go to Edit > Row Level Security to access the window.

The Row Level Security Assignment window opens.

rlsassignmentwindow

It has three sections:

  • Header

  • User/Groups grid

  • Table and Fields grid

The window header

The top of the window contains three command buttons and two checkboxes.

The commands buttons are:

  • Save
    Retains your entries.

  • Close
    Exits the window

  • Setup
    Opens the Row Level Security Setup window. You use that window to identify the tables, and the fields in those tables, that will have record security applied.

    Note: For more information, see Defining the user security for a table.

The Show Users and Show Groups checkboxes filter the content in the ID section. By default, both checkboxes are selected when you open the window.

User/Groups grid

The User/Group grid lists the users and groups associated with the database. It shows information in three columns:

  • Type
    Shows whether the row represents a user or a user group.

  • ID
    Shows the entity’s ID.

  • Name
    Shows the entity’s name

Table and Fields grid

You use the Table and Fields grid to assign the user’s or group’s security setting. Information is displayed in these columns:

  • Table
    Lists the tables on which you can set security restrictions.

  • Field
    Lists the fields in the selected table to which security settings can be applied. For each field, the window shows these columns:

    • Value
      Shows the Abbr field value for each option, as recorded in the label associated with the field.

    • Description
      Lists the Description field value for each option, as recorded in the label associated with the field.

      Note: When the Description entry is (Undefined value) the field option no longer exists. It cannot be used for security. You see this value for options that were used on a record in the past, but have been deleted.

    • Enabled
      This checkbox identifies whether the currently selected user has been assigned security for that field.

    • Effective
      This checkbox identifies the field values that will be enforced.

      By default, UNKNOWN is selected for each available field. When UNKNOWN is the only selected value, it functions as a wildcard. The user can retrieve records having any of the possible values for the field. Therefore, all values will have this checkbox selected.

      However, if at least one other value is selected, UNKNOWN no longer functions as a wildcard. The checkbox is cleared for all values that are not selected. The user can retrieve only records having values that have this checkbox selected.

Setting up security assignments for a user or a group

For each record type, the user will have access only to records having the specified value. To illustrate, we set security values for user IAN22 on the company and orders tables.

  • For company records, we allow access to companies having RevType1 values of Unknown, Blue, and Columbus.

  • For orders, we allow the user to access records having RevType1 values of Unknown and Columbus.

rlsuserassigned

The system enforces the restrictions assigned to user IAN22 as he works in different applications. Because the RevType1 values assigned to him for orders and companies are UNKNOWN, Blue, and Columbus:

  • He can open only profiles for companies with those RevType1 values.

  • When he looks up records in the Scroll Company window, he will see only companies with those RevType1 values.

  • When he creates orders, he can only use companies with those RevType1 values as the Bill To, shipper, or consignee. Any company he specifies as a stop location must match his restrictions.

  • When he retrieves orders in the Order Scroll window, he will see only orders with a RevType1 value of UNKNOWN or Columbus.

This illustration shows that no restrictions are set for retrieving company records in the Scroll Companies window. You can see that when user IAN22 retrieves company records, only those having the specified RevType1 values are shown.

ian22cmpscroll

To associate a field value with a user’s login or a user group:

  1. In System Administration, go to Edit > Row Level Security.
    The Row Level Security Assignment window opens.

  2. In the Users/Groups grid, select the user or group.

    Note: RLS is applied to each user/group you select. This includes users who are System Administrators. If you assign security to them, or to a group that includes them, their access to records will be restricted.

  3. In the Tables and Fields grid, find the table you want to use.

  4. Find the field for which you want to set security.

  5. Select the Enabled checkbox for the field value you want to assign to the user.

    Notes:

    1. By default, the UNKNOWN value for each field selected. If no other values for the field are selected, UNKNOWN functions as a wildcard and the user can retrieve all records.

      • If you do not want the user to see all records, select at least one other value.

      • If you do not want the user to retrieve records having a value of UNKNOWN in the field, clear the checkbox.

    2. When selecting RevType1 field values for a user, you should select only those that are associated with the user in his/her profile. For more information, see Identifying a user’s default RevType1 value.

    3. If no value is selected, the user will see no records.

  6. Repeat Steps 3 - 5 to identify all field security for the currently selected user or group.

  7. Click Save.