Access Rights
Business Process
7.15_()
-Service_Creatio
enterprise_edition_()
Making record read-only based on lookup value
Morgan Rees
19:25 Jan 10, 2020

I'd like to make a section record completely read-only based on whether the value of a status column. If the record is Draft, it should be editable, and when it is Active or Inactive it should completely read-only.

We're using a business process to handle the Activation of the record, so I've tried changing the access rights of the record to remove edit and delete permissions, which works to an extent; the record can be put into edit mode (when the Save button is visible), but it cannot be saved, as the user is prompted they lack permissions to save the record.

What I'd really like is so each field is completely locked, so the user cannot even get to the stage where the option to save the record is available. Is something like this possible?

Like 0

Like

5 comments
Reid Burger
01:47 Jan 11, 2020

You can use business rules to make fields editable or not editable based on the value of a field. You will need to create a business rule for each field one at a time. If the condition is not met, the field will not be editable. This does not work for detail records. You will need to use business processes to control edit/delete of detail records or stop the creation of new records based on reading the status field you mentioned. 

Vladimir Sokolov
12:07 Jan 11, 2020

This article can give you some ideas - https://academy.creatio.com/documents/technic-sdk/7-15/how-block-fields-edit-page

Morgan Rees
12:38 Jan 13, 2020

Thanks both for the responses! Do either of these allow a system admin to edit the fields/details? If not, is there a method to implement this?

Dennis Hudson
09:10 Jan 14, 2020

Morgan Rees,

The only option that would work with your requirements is creating a business rule with code, specifying the condition that the checkbox is set to true plus the user doesn't have a system administration organisational role. Unfortunately, the second part wouldn't be possible to do in UI, which is why you would need a development for that. 

Here is an article how to make a business rules with code: 

https://academy.creatio.com/documents/technic-sdk/7-15/bindparameter-rule-how-lock-field-edit-page-based-specific-condition

An article how to identify if the user has a certain role:

https://customerfx.com/article/determining-if-a-user-has-a-specific-role-in-bpmonline/

Reid Burger
18:58 Jan 14, 2020

Morgan,

My workaround for this has been to use the Records Group Editing addon to edit a value which is locked in the edit page. But Dennis's comment is more robust.

I have not tried it, but I thought that I could set a checkbox under column permissions to only editable by admin, then make the business rule dependent on that checkbox. Not sure if that would work. 

Show all comments
system users
Access Rights
Users
7.11
user
To list out system users permissions
Gokul Krishnan
08:56 Oct 21, 2019

Hi Team,

Is there a way to list out all the permissions of all the system users in one go. We are in the process of finetuning the user access as everyone is having a higher level of permissions. I am okay if I can do it via SQL too. Please let me know if this can be achieved in BPM. Via SQL is also fine. Thank you in advance 

Like 0

Like

2 comments
Bogdan Spasibov
17:53 Oct 21, 2019

Hello Gokul!

Unfortunately, this kind of information can not be stored in bpm'online in the way you'd like to have it. As the matter of fact organizational structure can be rather complicated thus displaying of this information in the interface can not be implemented.

You can try to build basic tree of access rights using the following tables and SELECT SQL queries:

- SysAdminUnit (stores information about system users and roles)

- SysAdminUnitInRole (stores information about assigned roles to users)

Gokul Krishnan
01:33 Oct 22, 2019

Bogdan Spasibov,

Thank you :)

Show all comments
Serverside
server-side
c#
insert
Access Rights
(SOLVED) How to insert from server side with access permissions ?
Midun
20:14 Sep 12, 2019

How to apply access permissions (object permission) / access right when insert data via server-side?

I have set the record access permission, but when inserting via server-side, the access right does not work. The insert method that I did was in accordance with the article above.

Thanks.

Like 0

Like

1 comments
Norton Lingard
13:12 Sep 13, 2019

Hi,

It is possible adding data via server-side with access permissions using the “Entity” class. Please find more information with the examples by the link below:

https://academy.bpmonline.com/documents/technic-sdk/7-13/working-database-entity-class

Best regards,

Norton  

Show all comments
Access Rights
Owner
Opportunity
opportunity contacts
Assign record ownership to an organizational department
Kavian Abhari
21:54 Sep 10, 2019

Hi folks,

 

Is there any possibility to assign an organizational role as an owner? Fir example, a sales rep will send an opportunity to Collection department, so the access permission "round robin" changes to Collection department, instead of an employee.

 

Thanks

Like 0

Like

1 comments
Dean Parrett
19:46 Sep 13, 2019

Dear Kavian,

It is not possible to assign the role as an owner. The owner should only be some user's contact. However, you can assign some contact from the required organizational role and create the process that would read the owner's role and  give the access to the record for the whole organizational role. So basically once the owner is assigned, the rights will also be distributed to the members of his role. Thus at least the role will be able to access the record.

The other solution would be to create multiple lookup fields based on the contact object where you will be able to select multiple users from some particular role to operate with them according to your business logic. 

Best regards,

Dean

Show all comments
merge
account
Access Rights
7.13_()
Duplicate merge allow access
aaykay
04:58 Apr 23, 2019

Hi.

 

I want to be able to allow access to some users to merge the records but do not want to give the access to others.

 

How do I do it?

Like 0

Like

2 comments
Oleg Drobina
05:26 Apr 23, 2019

Hello,

In "Operation permissions" section of system designer (see screenshot http://prntscr.com/nfjxsf) there are two records called "Duplicates processing" and "Duplicates search" that are responsible for duplicates merging and duplicates search respectively. You need to add records about roles or users to those permissions so those users or roles could be able to find and merge duplicates.

Best regards,

Oscar

aaykay
08:14 Apr 23, 2019

I was looking for "Merge" and didn't realise it was called Duplicates.

 

Thanks for help.

Show all comments
Run Process
studio
Access Rights
7.13_()
Restrict access to custom process
Janine White
02:18 Apr 06, 2019

How do you restrict access to a custom process? For example, if I want to ensure that only System Administrators can run a process, is the only way to restrict who can run the process by checking the current user in the process?

Like 0

Like

1 comments
Alex_Tim
15:19 Apr 08, 2019

Hello Janine,



Unfortunately, bpm'online has no business process rights functionality.

Your suggestion to check the current user in business process seems to be a nice workaround. I think the most convenient way to implement it in script task.



Best regards,

Alex

Show all comments
Discussion
actions
Access Rights
Simplify Change access rights System action
Janine White
21:36 Mar 11, 2019

Currently the access rights changes are separated into remove and add.  Selecting access rights changes is confusing because the checkboxes do the opposite things in the sections. It would be much simpler and intuitive to have one list of User(s)/Role(s) and use the check boxes to indicate what the state they should be in regarding reading, editing and deleting when the process step is completed. The question displayed could be, "Which access rights to assign?"  This could instead be implemented in a new System action, "Assign access rights," to avoid potentially impacting existing processes that use Change access rights.

3 comments
Oleg Drobina
22:15 Mar 11, 2019

Dear Janine,

Well, changing of access rights is easy enough in the application now and quite flexible. Here is an Academy video regarding your question and it contains full description of operations needed to be done to apply right object permissions.Here is also an article regarding setting a business process that will apply access rights even in much more easier way than using object permissions. If you need to change access right dynamicaly - you can create a business process that will change those access rights and also will ask you a question which access rights should be assigned. It can be easily done with the help of "User Dialog" and "Change access rights" elements.

Best regards,

Oscar

Janine White
23:42 Mar 11, 2019

Oscar Dylan,

Yes, I know how to use Change access rights to do so.  However, it is a confusing implementation, not only for me but also for other members of my team building processes. The display of permission is not consistent in the application or with other displays of access permissions.  Typically, there is a single table that displays all permissions and if a checkbox is checked, the value is true and the permission is available, for example, if the checkbox under view is checked then users can view.  However, the Change access rights System action violates this.  In one section of the dialog, the checkbox means that users can view, while in another section, the opposite is true, leading to confusion and increased training time. The permissions in the Advanced Settings are displayed as I requested, but the Change access rights permissions display in a contradictory manner.

Oleg Drobina
20:39 Mar 12, 2019

Janine White,

Change access rights business process element was designed to make the process of granting and changing access rights more flexible and so users could ignore using "Object permissions" that are difficult to understand a little bit. Okay, I agree with you that this is hard to work with access rights in our application now so I will create an idea for our R&D team so they could modify changing access rights logic and UI and make it more user-friendly. thank you for reporting this isdea to us!

Best regards,

Oscar

Show all comments
Self service portal
Access Rights
7.13_()
service
Limiting what Accounts Portal Users Can See
Mitch Kaschub
06:37 Mar 08, 2019

Hello, we want portal users to have read only access to the Account column on the Portal Cases Page. However, we don't want them to be able to go to the main portal section list page and be able to open a filter menu that shows all of our Accounts in the system. 

Is there a way to limit which accounts will show up when a portal user clicks filter and Accounts in the portal case section list page?

 

I believe changing access rights to the account object to "manage by records" would work, then we could give portal users access to only the accounts we're ok with them seeing, but this sounds like a cumbersome solution, so are there any other suggestions? Anything easier?

Like 0

Like

3 comments
Angela Reyes
00:09 Mar 09, 2019

Dear Mitch,

The solution for your task depends on which account do you want to show - will it be a static list of specific accounts or is it dynamic list? 

You may use business rules for account lookup to filter what records it will show.

Best regards,

Angela

Mitch Kaschub
19:24 Mar 11, 2019

Angela Reyes,

It would be a dynamic list, our portal users are Strategic Partners who have multiple accounts under their umbrella. If a new account gets added to that Strategic Partner's umbrella, the portal user should have access to see that account. For example, we have 1200+ accounts in our system, but the portal user should only see about 100 of those accounts. This number could change as clients come and go.

(However, a static list that we would have to manually update would be better than nothing.)

For the business rule, does that work for the filters on the list view in the main portal case section? I thought business rules only worked on the portal case page on a specific column. I did not know it could be used on the list view of all case records, is that possible?

Mitch Kaschub
00:15 Mar 14, 2019

I was able to answer my own question. The business rule only worked on the account page, it did not change the options in the filter on the Portal Cases section list view: http://recordit.co/9lfKHFP19H

However, with the SQL console app I was able to use a query to remove all portal users access to account records I don't want them to see. Then I changed the "manage by records" default settings so portal users don't get access to any more accounts unless I assign it manually.

delete from sysaccountright where sysadminunitid = ‘(id of portal user)'

 

Show all comments
lookup
Access Rights
7.13_()
service
Access to Lookups
Mitch Kaschub
22:41 Feb 18, 2019

Can you control access for users to which lookups they can view and edit? I see there is an operation permission called Access to "Lookups" section. But what if I want the user to only be able to edit one lookup? Can I control that? or is it an "all or none" type of setting?

 

Like 0

Like

5 comments
Angela Reyes
02:11 Feb 19, 2019

Dear Mitch,

As for now there is no such functionality to set up access rights for certain lookup only. I have forwarded your request to our business analysts. They will evaluate the possibility of implementation in future system releases.Thank you for helping us to make our application better!

Best regards,

Angela

Luis Tinoco Azevedo
18:17 Mar 08, 2021

Hi Angela,

 

any new on this issue?

I have one user that should be able to delete tags of accounts.

 

From what I understand from this article:

https://academy.creatio.com/docs/user/platform_basics/business_data/tags

 

I would have to give her access to the lookups, but she would be getting access to way too many objects.

 

This is one specific case but there are many others were we have an intermediate level user that is not administrator but that should be the owner of 1 or 2 specific lookups, I believe this is much needed.

 

Thanks,

Luis

Angela Reyes
12:53 Mar 10, 2021

Luis Tinoco Azevedo,

This functionality is not released yet, unfortunately. The task is still in progress.

 

Best regards,

Angela

Shailey
13:13 Mar 10, 2021

we had a similar request from our client, we handled it by creating a new workplace and added only  lookup section. and gave access to specific user role. 

Bogdan
10:20 Jun 23, 2023

Adam VanBuskirk,

 

It wasn't implemented yet. There is no ETA for this task for now.

Show all comments
Access Rights
7.12
studio
Table name of Access rights in database
Fulgen Ninofranco
08:29 Nov 11, 2018

Hi Community,

In the database where is this Access rights lets say of [Product Record] being saved?

 

 

Like 0

Like

1 comments
Dennis Hudson
01:03 Nov 12, 2018

Dear Fulgen, 

The information about Rights for records of certain object is stored in the Sys<objectname>Right, in your case - SysProductRight. 

Best regards, 

Dennis

Show all comments
Subscribe to Access Rights