Conditional accessing fields

Hello Community,

 

We have the following requirement:

There are VIP contacts, which may only be edited/deleted by a certain organizational role. The contacts are considered VIP contacts if they have a certain record in a related detail table. To achieve this, I can’t use object permissions (because I can't set conditions there), but I think it will work with a business process, triggered by the creation of the detail record and removing and granting permissions on the contact with the “change access rights” process element.

But we also have the requirement that only the mentioned role can see sensitive data like the mobile phone number. How can I achieve this?

 

Thanks,

Robert


7 comments

Hi again,

I solved the first part (revoking edit/delete permissions for VIP contacts) but am still struggling with the second part (revoking read access to sensitive fields).

 

Any help on this would be highly appreciated!

Thanks,

Robert

Hello Robert,

 

If I understand right, you can refer to this guide: https://academy.creatio.com/documents/administration/7-16/managing-colu…

 

Regards,

Akira Nguyen

Phuong Akira,

Hello Akira,

thanks for the reply, but this is not solving the issue. The reason is that I have to conditionally restrict access to the field.

Only when the contact is a VIP contact (that is, if it has a certain detail record), the sensitive fields should get accessible only by a certain role.

If I use column permissions, the field (e.g. the mobile number) will be restricted on every contact, not just VIP contacts.

 

Thanks,

Robert

Hello Robert,

 

To solve your issue, I think you can combine some coding + business rule

1. You can code a method: if a user with a specific role opens the page, set 1 usrfield = true; else = false

2. Business rule: customer = VIP AND usrfield = true; hide mobile phone field

Sorry, I am not a coder so I cannot guide you on how to code it.



Regards,

Akira Nguyen

If the protections on data are to comply with legal regulations, then client-side hiding or editing restrictions are not enough. I don't know what Robert's requirements for this are, but suggesting client-side logic to hide sensitive data without knowing why its access needs to be restricted is dangerous.

Harvey Adcock,

Hello Harvey,

you are absolutely right and I do not want a solution to hide the data via the UI.

The requirement is not based on legal regulations, but nevertheless, I want a robust solution where the user can't access the data no matter what he/she tries (the user could add the sensitive field in the list for example).

Unfortunately, I haven't found such a solution that is doable with the means of Creatio permissions.

 

Do you have an idea?

 

Thanks,

Robert

Robert Pordes,

 

It would be a nice feature, given that Creatio has the ability to do row level security on a per-user basis, but it isn't possible currently.

 

The closest thing I could think of would be to have an extension table holding the sensitive data, which has its row level security applied by the Business Process you mentioned, but from what I can tell Creatio doesn't support extension tables either, so it would be a very code-intensive process of building that functionality in Creatio first...

 

Sorry I can't be of more help, hopefully others have some better ideas.
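
The extension-table idea from the last comment, sketched as an added example that is not from any poster in this thread and does not use Creatio's API. The table names, the role name `vip_managers` and the sample rows are constructed assumptions; the point is that the mobile number lives in its own table and is filtered on the server, so adding the column to a list returns nothing for users without the role.

```python
import sqlite3

# Constructed schema: all names are hypothetical, not Creatio's tables.
SCHEMA = """
CREATE TABLE contact(id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE contact_sensitive(contact_id INTEGER PRIMARY KEY, mobile TEXT);
CREATE TABLE vip_detail(contact_id INTEGER);
CREATE TABLE sensitive_acl(contact_id INTEGER, role TEXT);
"""
VIP_ROLE = "vip_managers"  # hypothetical role name

def make_db():
    """Build an in-memory database with two constructed contacts."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO contact VALUES (?, ?)", [(1, "Alice"), (2, "Bob")])
    db.executemany("INSERT INTO contact_sensitive VALUES (?, ?)",
                   [(1, "+43 555 0101"), (2, "+43 555 0102")])
    return db

def add_vip_detail(db, contact_id):
    """Stand-in for the business process: creating the detail record
    restricts the contact's sensitive row to VIP_ROLE."""
    db.execute("INSERT INTO vip_detail VALUES (?)", (contact_id,))
    db.execute("INSERT INTO sensitive_acl VALUES (?, ?)", (contact_id, VIP_ROLE))

def list_contacts(db, user_roles):
    """Single server-side read path for page, list and export views.
    A sensitive row without ACL entries is readable by everyone; a row
    with entries is joined only if the caller holds a listed role."""
    marks = ",".join("?" * len(user_roles)) or "NULL"
    rows = db.execute(f"""
        SELECT c.id, c.name, s.mobile
        FROM contact c
        LEFT JOIN contact_sensitive s ON s.contact_id = c.id
         AND (NOT EXISTS (SELECT 1 FROM sensitive_acl a
                          WHERE a.contact_id = c.id)
              OR EXISTS (SELECT 1 FROM sensitive_acl a
                         WHERE a.contact_id = c.id AND a.role IN ({marks})))
        ORDER BY c.id""", list(user_roles))
    return rows.fetchall()
```
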
