There are VIP contacts, which may only be edited/deleted by a certain organizational role. The contacts are considered VIP contacts if they have a certain record in a related detail table. To achieve this, I can't use object permissions (because I can't set conditions there), but I think it will work with a business process, triggered by the creation of the detail record and removing and granting permissions on the contact with the "change access rights" process element.
But we also have the requirement that only the mentioned role can see sensitive data like the mobile phone number. How can I achieve this?
I solved the first part (revoking edit/delete permissions for VIP contacts) but am still struggling with the second part (revoking read access to sensitive fields).
thanks for the reply, but this is not solving the issue. The reason is that I have to conditionally restrict access to the field.
Only when the contact is a VIP contact (that is, if it has a certain detail record) should the sensitive fields be accessible only to a certain role.
If I use column permissions, the field (e.g. the mobile number) will be restricted on every contact, not just VIP contacts.
If the protections on data are to comply with legal regulations, then client-side hiding or editing restrictions are not enough. I don't know what Robert's requirements for this are, but suggesting client-side logic to hide sensitive data without knowing why its access needs to be restricted is dangerous.
you are absolutely right and I do not want a solution to hide the data via the UI.
The requirement is not based on legal regulations, but nevertheless, I want a robust solution where the user can't access the data no matter what he/she tries (the user could add the sensitive field in the list for example).
Unfortunately, I haven't found such a solution that is doable with the means of Creatio permissions.
It would be a nice feature, given that Creatio has the ability to do row level security on a per-user basis, but it isn't possible currently.
The closest thing I could think of would be to have an extension table holding the sensitive data, which has its row level security applied by the Business Process you mentioned, but from what I can tell Creatio doesn't support extension tables either, so it would be a very code-intensive process of building that functionality in Creatio first...
Sorry I can't be of more help, hopefully others have some better ideas.
I created a process which will give a particular portal user permission to read and edit a record. The portal user name is filled in on the record page.
The process first triggers when a record is added, then it reads the portal user name in the record and assigns the access permissions. But the process is not giving access rights to the portal user.
Can anyone help?
Here are the screenshots:
1. Process
2. After adding record and process completion, the access rights
It is necessary to grant the rights not to the User role but to the Employee, where you should indicate the value of the Borrower field: http://prntscr.com/stoezu . It should be something like this: [#Read Borrower.First item of resulting collection.Borrower#]
As of now you are trying to grant the rights to some role and the system cannot identify it.
I assigned the access rights in the process to Employee, and the process works now.
But why can't we do it for the User role?
Even if it works with the Employee role, the borrower is not an employee. He/She is an end user who will fill in the form. Why does it have to be assigned in the Employee role?
The thing is that your process doesn't read the user's role. It would be necessary to find the user's role first using additional "Read data" elements and, based on which role is found, use it in the Role parameter instead of Employee.
I want to give record permissions per Area. I have 100 plus areas, so basically I also need to maintain all these areas as organizational roles to assign the role properly. Now these areas are not fixed; they change from time to time. Another new area record might be added the next day, so we again need to manually add this new area as a new organizational role. We also need to add the users under this newly added organizational role.
Any suggestion what could be the best approach for this scenario? Is it good practice to maintain so many organizational roles? In my case it will be 100 plus and counting.
The suggestion is to add a new column to the SysAdminUnit table with a link to Area. So whenever a new Area is added to the system, the system will automatically check if there is a role for this area and, if not, create a new role. Also, I believe when you are adding users to the role, you are following some logic (e.g. user.Contact.Area = area), so after this operation you can also automatically add users to that role.
Please note that it is a complex task, so you will have to think about the structure and the way you want to run this procedure. If the record is added in the UI you can handle it by business process, for example, but if areas are created from some kind of integration, you would need to come up with a different approach depending on the integration that you are using. The structure of organizational roles is also important. I suggest you create a new role 'Area roles' and, when you are checking if the role exists or creating a new role, this role should be the parent role.
Thanks Dean, this is what I am looking for. How about giving permission to access the functional roles and organizational roles? I already checked all the items under operation permissions but I am not able to find the permission related to this.
Currently Role's Managers can see all data of their members. That's ok for most of data records.
However, self-created folders and dashboards are just personal views on the data. There should be private folders & dashboards, which even the manager cannot see unless they are shared.
By default, the filtering folders are only visible to those who created them. As for dashboards, it is vice versa: if a user creates one, everyone can see it. You will have to change the access rights on the object to hide it from everyone.
We will register your idea to implement functionality that would allow hiding the dashboards from all other users except the creator by default.
Any idea how I can give read permission to access SysAdminUnitPage to non-admin users (please refer to the first screenshot below)? I am also trying to give default read permission but the "New" button is disabled (please refer to the second screenshot below).
If you want a certain role to access the users section you can use the CanManageUsers operation permission. We do not recommend enabling or changing access rights for the System administration object. Users with CanManageUsers will be able to view users and change their login/passwords. They will not be able to change licenses or roles.
Hi Angela, thanks for your reply. I already tried it, but it seems it is giving all the permissions; what I want is only read permission. Any idea how I can achieve this?
Please note that SysAdminUnit is a system table and almost all other tables are connected with SysAdminUnit, so making any changes to this section is a pretty dangerous operation.
Information that is stored in this table is intended for system administrators and should not be processed by a regular user.
However, you always can create your own section and fill it with data from the "System users" section via business process.
I have an ESQ query on "EmployeeMiniPage" to validate that the "NroLegajo" field in the Employee entity is not repeated. When I apply certain permissions on a record so that only certain users can see it, the query does not consider that record when I log in with a user who does not have permissions, and therefore it allows me to enter an existing "NroLegajo" that belongs to that record. To solve this I set the "QueryJoinRightLevel" system setting to the value "2" (Disabled), but it does not work.
I reassigned and denied permissions on the record to do the test, and when I logged in with the user who does not have permissions on the record I could continue entering a repeated value in the "NroLegajo" field.
In order to omit rights check you can create an ESQ on the server side by the means of C#. However, instead of using UserConnection, you can use SystemUserConnection, which would let you execute the functionality no matter under what user.
"Script task" business process element or service will perfectly fit and cover the task. Choose the means more comfortable for you.
Here is how to obtain SystemUserConnection:
private SystemUserConnection _systemUserConnection;
private SystemUserConnection SystemUserConnection {
    get { return _systemUserConnection ?? (_systemUserConnection = (SystemUserConnection)AppConnection.SystemUserConnection); }
}
Here is an article on how to build an ESQ on the server side. Though it's pretty much the same as on the client side:
3. Override the basic save() method and first insert a validation: if this.get("ESQCompleted") is true, then we call the parent function; if not, then run the service call, as in the article.
4. In the response, based on the result, you either show an information dialog regarding the existing duplicate, or set the attribute to true and call the save method again.
Sorry for the delay in the response. When working with the service I found several errors: I could not include the SystemUserConnection variable because it was throwing errors, and when working with UserConnection as a test I also get several errors. Am I missing a reference? I attach the code.
namespace Terrasoft.Configuration.Test {
    using System;
    using System.ServiceModel;
    using System.ServiceModel.Web;
    using System.ServiceModel.Activation;
    using Terrasoft.Core;
    using Terrasoft.Core.Entities;
    using Terrasoft.Web.Common;

    // The service class carries the compulsory [ServiceContract] and [AspNetCompatibilityRequirements] attributes.
    // Deriving from BaseService (Terrasoft.Web.Common) supplies the UserConnection and AppConnection properties used here.
    [ServiceContract]
    [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
    public class EmployeeService : BaseService {
        private SystemUserConnection _systemUserConnection;

        // Privileged connection: runs queries without the current user's record-level rights.
        private SystemUserConnection SystemUserConnection {
            get { return _systemUserConnection ?? (_systemUserConnection = (SystemUserConnection)AppConnection.SystemUserConnection); }
        }

        // Service methods carry the compulsory [OperationContract] and [WebInvoke] attributes.
        [OperationContract]
        [WebInvoke(Method = "POST", RequestFormat = WebMessageFormat.Json,
            BodyStyle = WebMessageBodyStyle.Wrapped, ResponseFormat = WebMessageFormat.Json)]
        public string ObtenerCantidadLegajosRepetidos(string nroLegajo, string cuitEmpresa) {
            var result = "T";
            var entitySchemaManager = SystemUserConnection.EntitySchemaManager;
            var employeeSchema = entitySchemaManager.GetInstanceByName("Employee");
            var esqEmployee = new EntitySchemaQuery(entitySchemaManager, employeeSchema.Name);
            esqEmployee.AddColumn("Id");
            // Add the filters to the query.
            var filtroCUIT = esqEmployee.CreateFilterWithParameters(FilterComparisonType.Equal, "Account.UsrCUIT", cuitEmpresa);
            var filtroLegajo = esqEmployee.CreateFilterWithParameters(FilterComparisonType.Equal, "UsrNroLegajo", nroLegajo);
            esqEmployee.Filters.Add(filtroCUIT);
            esqEmployee.Filters.Add(filtroLegajo);
            // Execute against the database; under SystemUserConnection, records hidden from the caller are counted too.
            var employeeCollection = esqEmployee.GetEntityCollection(SystemUserConnection);
            if (employeeCollection == null || employeeCollection.Count == 0) {
                result = "F";
            }
            return result;
        }
    }
}
var SysAdminUnitCollection = esqSysAdminUnit.GetEntityCollection(appConnection.SystemUserConnection);
write:
var SysAdminUnitCollection = esqSysAdminUnit.GetEntityCollection((SystemUserConnection)appConnection.SystemUserConnection);
The thing is that SystemUserConnection inherits from UserConnection, so you can pass SystemUserConnection instead of UserConnection.
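The answer above mentions that a "Script task" element covers the same task as the service. This is an added example, not code from the thread or from Creatio: the body of such a script task doing the duplicate check under SystemUserConnection. The process parameter names (NroLegajo, CuitEmpresa, CurrentEmployeeId, IsDuplicate) are assumptions, as is the UsrNroLegajo / Account.UsrCUIT column pair taken from the service above; it also excludes the record being edited, which the service does not.

```csharp
// Added example: Creatio "Script task" body. UserConnection, Get<T>() and Set<T>()
// are available inside the element; add Terrasoft.Core.Entities to the element's usings.
// Assumed process parameters: NroLegajo (text), CuitEmpresa (text),
// CurrentEmployeeId (unique identifier, empty on create), IsDuplicate (boolean, output).
string nroLegajo = Get<string>("NroLegajo");
string cuitEmpresa = Get<string>("CuitEmpresa");
Guid currentId = Get<Guid>("CurrentEmployeeId");

// SystemUserConnection bypasses record-level rights, so this query sees every Employee,
// including records hidden from the user running the process. Keep the privileged part to
// a yes/no answer: only Id is selected and only a boolean leaves the element, so no data
// from a hidden record reaches the calling user.
var sysConnection = (SystemUserConnection)UserConnection.AppConnection.SystemUserConnection;
var esq = new EntitySchemaQuery(sysConnection.EntitySchemaManager, "Employee");
esq.AddColumn("Id");
esq.Filters.Add(esq.CreateFilterWithParameters(
    FilterComparisonType.Equal, "Account.UsrCUIT", cuitEmpresa));
esq.Filters.Add(esq.CreateFilterWithParameters(
    FilterComparisonType.Equal, "UsrNroLegajo", nroLegajo));
if (currentId != Guid.Empty) {
    // When editing, the record itself must not be reported as its own duplicate.
    esq.Filters.Add(esq.CreateFilterWithParameters(
        FilterComparisonType.NotEqual, "Id", currentId));
}
// Executing with sysConnection (not UserConnection) is what makes hidden records count.
bool isDuplicate = esq.GetEntityCollection(sysConnection).Count > 0;
Set<bool>("IsDuplicate", isDuplicate);
return true;
```

The process can then branch on IsDuplicate and show the user only the fact that the number is taken, never the hidden record's fields.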
I have configured permissions managed by operations, in which I restrict reading contacts for certain roles. That brings me problems when reading contact data from a business process: even though the process grants permission to the contact, the read does not work. How could I hide the Contacts section without losing access to contacts from another object?
If your goal is just to hide the contacts section but you want to get the ability to read the contacts information for all users, you can try to delete it from the General workplace so that all employees won't see it and restore the read operation permissions to all system users.
System designer -> Workplace setup:
You can add this section to any other workplace and manage the access rules to it or create your own to fulfill your needs.
Thanks for the reply. I deleted the section from the General workplace and restored the read operation permissions to all system users. How could I hide the link to Contacts from the main page?
To hide the link to the section from the main page you need to go to the Configuration, replace SimpleIntro schema, copy the code from the original schema to it and apply the necessary changes to the code. Specifically, to hide the link to the Contacts section, you need to comment the following code part: