Hello Creatio Community,

I am currently working with two sections in Creatio: "Contact" and "Line Item." Both sections contain a common field, "Territory ID." My goal is to ensure that whenever a User opens the "Line Item" section, they can only access those records where the "Territory ID" matches the "Territory ID" of their contact.

The challenge I'm facing is that the "Line Item" section contains more than 3 million records, and using a business process to apply permission on these records is taking a considerable amount of time.

Could anyone suggest a more efficient way to achieve this filtering? Any advice, examples, or insights would be greatly appreciated.

3 comments

Hello!

Please note that such logic can be implemented only by creating a business process.

Best regards,

Mariia

Hi Team,

With our current process taking days to run, the system is overloaded. We need a faster solution. Can you propose an alternative approach?

Hello!

Could you please clarify how you imagine this being implemented? Do we need to restrict access rights to the entire record or just to specific fields, since the values of the fields can be hidden at the client logic level?

Is it possible to create an entity based on a view (so with the "Represents Structure of Database View" checkbox checked, and with the view created using a SQL script) that inherits its record permissions from a "real" entity? I tried to do so by simply checking the record permissions checkbox and specifying the parent object in the "Object to inherit access permissions from" field of the entity, but this doesn't seem to work.

My setup is that we have the OOTB Leads entity, and then I've created a view over the top of it taking all columns but with a filter condition, to be used for reporting over Leads while filtering out certain Leads that should never be included in reporting so we have a more consistent reporting basis and don't have to make sure to include those filters in every widget. I added 2 columns to the view based on the Id and LeadName columns called UsrBaseLeadId and UsrBaseLeadName, which then have a lookup column UsrBaseLead added over them in the view-based entity. This lookup is then used as the "Object to inherit access permissions from" for the view-based entity.

There aren't any errors thrown in the logs when trying to do this, but non-super-users just can't see any of the records. When I tried to check a record in the view's permissions, I could see that the SysRights table for the view entity doesn't exist, so I tried creating that rights "table" as a view in the database that took its data from the Rights Table of the real entity, but while that seemed to work inasmuch as I could check a record's access rights and see that the correct rights were there and was even able to modify those rights, it didn't make it visible to a non-super-user.

3 comments
Best reply

It would be great to have the view be able to inherit permissions from some object that the view has as a lookup column. However, I don't believe that is possible. What I typically do is this:

  1. Create a view and include as a column some other object that has permissions (for example, if the view includes an Opportunity lookup column and the account has permissions)
  2. Anywhere the view is used, include a filter condition that some column on that related object is not null (that would never be null). Plus it cannot be the Id or the column used as the display value. Example, if my view has a lookup for Opportunity, I could use Opportunity.Stage is filled in.
  3. Using this approach, the user will only see the rows corresponding to the related record that they have access to, since if they cannot view the related opp the Stage will return a null value. 

It's not ideal and definitely not secure, but it does limit the view rows to what the user can see on the related object.

Ryan
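
The workaround above, modelled in SQLite as an added example (not part of the original post, and not Creatio code). Apart from UsrBaseLeadId, UsrBaseLeadName and Stage, the table, view and user names are constructed, and the permission check on the join is an assumed stand-in for how lookup columns of unreadable records come back null. It shows that the view's own rows stay hidden only where the "is filled in" filter is actually applied.

```python
import sqlite3

def build_db():
    """Constructed sample data: three leads, per-record rights, one reporting view."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Lead (Id INTEGER PRIMARY KEY, LeadName TEXT, Stage TEXT NOT NULL);
        -- Hypothetical stand-in for the real entity's record-rights table.
        CREATE TABLE LeadRight (RecordId INTEGER, UserName TEXT);
        -- View-based entity: no rights of its own, only a lookup back to Lead.
        CREATE VIEW UsrLeadReport AS
            SELECT Id, LeadName AS UsrBaseLeadName, Id AS UsrBaseLeadId FROM Lead;
        INSERT INTO Lead VALUES (1, 'Acme', 'New'), (2, 'Globex', 'Won'), (3, 'Initech', 'Lost');
        INSERT INTO LeadRight VALUES (1, 'alice'), (2, 'alice'), (3, 'bob');
    """)
    return db

# Assumption: record permissions are enforced only on the join to the real
# entity, so its columns come back NULL for leads the user cannot read.
QUERY = """
    SELECT v.UsrBaseLeadName
    FROM UsrLeadReport v
    LEFT JOIN Lead l
      ON l.Id = v.UsrBaseLeadId
     AND EXISTS (SELECT 1 FROM LeadRight r
                 WHERE r.RecordId = l.Id AND r.UserName = ?)
    {where}
    ORDER BY v.Id
"""

def report_rows(db, user, with_filter):
    """Rows a widget shows, with or without the 'Stage is filled in' condition."""
    # Stage lives on the related Lead, never on the view, and is never null there,
    # so NULL here can only mean "this user cannot read the related lead".
    where = "WHERE l.Stage IS NOT NULL" if with_filter else ""
    return [row[0] for row in db.execute(QUERY.format(where=where), (user,))]

def leaked_rows(db, user):
    """Rows exposed as soon as one widget or query omits the filter."""
    allowed = set(report_rows(db, user, with_filter=True))
    return [name for name in report_rows(db, user, with_filter=False)
            if name not in allowed]
```

Running `leaked_rows` per user over every place the view is consumed is a quick way to audit for a missing filter; the view's own columns (Id, display name) are always returned, which is why the filter column must come from the related object.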

Anybody have any experience of working with such a setup?

Yeah that's a clever workaround, many thanks Ryan! Agreed about the security aspect, but for the cases where it's just about having those record permissions used to define non-security visibility as I currently have for the base entity it will work for now.

It would definitely be good for the view entities to be able to inherit permissions from lookup columns though, and feels like it would be a relatively quick win for Creatio to add, as most of the functionality around that would already exist. It could even be done in a no-code way by enabling the creation of these view-based entities directly in the config, effectively adding a logical layer to the platform which would be great for filtered views into the data and adding virtual calculated fields. So much utility to be had with such a logical layer.

Hello community,

I have a use case where I need to grant access rights to the new owner in Lead when the owner gets changed. I want to remove the access rights of the old owner.

By default, Creatio grants maximum access permissions to record author and the record owner.

I have tried to give access to the new owner and revoke the access permission to the old owner using the Change access right Business process element. Since the old owner is the record author, that user is able to see, edit, and delete the record. I want to remove the access rights of the old owner.

Can anyone help me on this?

1 comments

Hi!

If you remove all roles/users from default permissions (managed by records access rule settings), users who created the record and records owner will still be able to see/edit/delete the record.

To change this behavior, there are several options:

- open the record in the System Designer and set the rule for the author to grant himself the rights for "not reading" the record

- the database command to remove the specific rights in the sys[object]right table. You can check some details on the example of granting the rights and change the logic of the provided script: https://community.creatio.com/questions/there-way-provide-record-creato…

Here are some more details on how these system tables impact the record permissions: https://community.creatio.com/articles/what-database-tables-should-i-ta…

- design a business process with the "Change access" element to remove the rights from the record author

Hope this info helps you with the described case.

Dear Community,

Is there any way to block the deletion of records of an object for all users and user groups (including system administrators and the supervisor) depending on a lookup value, such as a status?

Adjusting the object permissions still lets sysadmins delete a record.

1 comments

Hello Markus,

You can write your own EventListener on the OnDeleting event and, if your condition is satisfied, you can call base.OnDeleting(sender, e).

If not, it will block the delete action no matter who is the user.

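    // Goes inside a class derived from BaseEntityEventListener
    // (namespaces Terrasoft.Core.Entities and Terrasoft.Core.Entities.Events).
    public override void OnDeleting(object sender, EntityBeforeEventArgs e) {
        var entityOrderProduct = (Entity)sender;
        var OrderProductid = entityOrderProduct.PrimaryColumnValue;
        string name = entityOrderProduct.GetTypedColumnValue<string>("Name");
        if (name != "someting") {
            // Condition satisfied: let the deletion proceed.
            base.OnDeleting(sender, e);
        } else {
            // Cancel the delete regardless of which user requested it.
            e.IsCanceled = true;
        }
    }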

Hi Community,

We have enabled record permission for an object and based on some conditions we are adding role wise permissions to the record. We want to filter a contact lookup field based on the roles to whom the record has access, i.e. only those contact will show whose associated user falls under the roles to which the particular record has access.

Any suggestions or lead will help a lot.

Thanks,

Sourav Kumar Samal

2 comments

Hello,

To read more information about the permission access and role please refer to these Academy articles: Object operation permissions, Functional roles, Record permissions

Kalymbet Anastasia,

Thanks for the suggestions.

But we are looking to filter a contact lookup based on the roles to which the particular record has access. If there are any suggestions specific to this business task, that will be great.

Regards,

Sourav

Hi Team,

We have this case wherein, for a custom Object - Project, Record permission is set to 2 specific user roles.

  • One user role, let's say A, has the right to read
  • Second user role, let's say B, has the right to edit with "Granted with Right to Delegate"

The use case is: The Object Project has a detail called Sub-Project which is again mapped with the Project object, but the relationship is child-parent.

Whenever a user of role creates a sub-project, fills in the required details and clicks on Save, they encounter the error message in the screenshot below. But if we refresh the same page, re-add the required field values and save it, it saves with no error message.

In our investigation, we found that whenever we disable the record permission, we don't encounter this validation. We even tried eliminating the user roles added in the record permission one after another with all probability, but it did stopped throwing the validation message until it was disabled which is not as per our functional requirement. Also to be noted, this behaviour is only observed in Sub-Project. In Projects, it works fine as expected.

 

What could be the cause for this behaviour? There is also no validation written on the edit page of that detail - Sub-Project.

It would be great if you could direct us to a solution to fix this.

0 comments