Defining record level security rules
Before you begin
Review the following information: Best practices for security rules
Procedure
- Click > Users and Security > Security Rules.
- Click the name of the object type for which you want to define a security rule.
- In the Record Level Security Rules section, click Add.
- Add a name and description for the security rule.
- In the Security property, specify how the security rule is combined with role-based security.
  - Select Restrict to apply both the role-based security and the security rule.
    This option configures more restricted security. For example, if role-based security is set to Read and the security rule is set to Update, the Restrict setting provides read only access.
  - Select Extend to bypass role-based security when the outcome of the formula is true.
    For example, if the role-based security is set to Read and the security rule is set to Update, the Extend setting allows a user to update information.
- Specify the access controls. For more information, see Minimum access controls for object operations.
  Note: Security rules for Create access are defined separately from rules for Read, Update, Delete, and Associate access. When you click Create, the other access options are unavailable.
  - Create
    Users can create objects.
    When a rule allows users to create objects, the formula cannot include fields within the object. It can include fields from the parent hierarchy, and other conditions that do not include fields. If you select Create, you cannot select any other access control for the rule.
    Note: When you define record level security rules for the Create access control, use them only to further restrict role-based security.
    You must use the Intended Parent term in the field when you use Create.
  - Read
    Users can view the object.
  - Update
    Users can modify the object.
  - Delete
    Users can delete the object.
  - Associate
    Users can define associations or disassociations between objects.
    When a rule allows users to associate objects, the formula cannot include fields within the target of the association. It can include fields from the child hierarchy, and other conditions that do not include fields.
- Add the formula for the security rule.
  You can type the formula or use Add Path, Add Field, and Add Terms to define parts of the formula. You can also use a combination of them. For more information, see Grammar for security rules.
  - To reference another object, either a parent or child, complete the following actions. For more information, see Paths for parent and child objects.
    - Click Add Path.
    - Click Parent or Child and select whether the path follows parent objects or child objects.
    - Click Starting Object Type and select the object type that is the starting point for the path.
    - Click Ending Object Type and select the object type that is the ending point for the path.
    - Click Search to view the possible paths.
    - Select one or more paths. If you select more than one path, use Combine Paths to specify how to use the multiple paths. Select Any Path if you want to use any of the paths or select All Paths if you want all paths to be used for the rule to be applied.
    - Click Insert.
  - To define a field condition, complete the following actions. For more information, see Terms for data types.
    - Click Add Field.
    - Select an object type.
    - Select the field that you want to use.
    - Select an operator. The list of operators changes depending on the field data type.
    - Enter the value of the field condition.
    - Click Insert to add the field condition into the rule formula.
    If you type the field condition, ensure that you use system names. If you do not specify an object type, the rule uses the object type for the object to which the rule applies. If you specify an object type, the object type must be either the subject of the rule or be specified in a path expression that contains the field reference.
    You can use square brackets to ensure that when elements of field references contain spaces or other special characters, these field references are parsed.
  - To add operators or keywords, click Add Terms.
- Click Validate. For more information, see Validating a formula for a security rule.
- To enable or disable the security rule, click Status. For more information, see Enabling or disabling a security rule.
- Click Add.
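The following model of the Security property step is an added example, not code from the product. The per-operation logic in `effective`, including the fallback to role-based security when the formula is false, is an assumption chosen to match the two Read/Update examples in the procedure. `lint` encodes the Create constraints from the access controls step, and all names are hypothetical.

```python
from dataclasses import dataclass

# Access controls listed in the procedure above.
OPS = frozenset({"Create", "Read", "Update", "Delete", "Associate"})


@dataclass(frozen=True)
class Rule:                 # hypothetical stand-in for one record level rule
    name: str
    security: str           # "Restrict" or "Extend"
    controls: frozenset     # access controls selected on the rule


def lint(rule):
    """Flag settings the procedure forbids or advises against."""
    findings = []
    if rule.security not in ("Restrict", "Extend"):
        findings.append("Security must be Restrict or Extend")
    if not rule.controls or not rule.controls <= OPS:
        findings.append("empty or unknown access control")
    if "Create" in rule.controls and len(rule.controls) > 1:
        findings.append("Create cannot be combined with other access controls")
    if "Create" in rule.controls and rule.security == "Extend":
        findings.append("Create rules should only restrict role-based security")
    return findings


def effective(role_ops, rule, formula_true):
    """Operations a user holds on one record under this assumed model."""
    granted = set()
    for op in OPS:
        by_role = op in role_ops
        if op not in rule.controls:
            allowed = by_role                   # rule does not cover this operation
        elif rule.security == "Restrict":
            allowed = by_role and formula_true  # role and rule must both allow
        else:
            allowed = by_role or formula_true   # Extend: true formula bypasses the role
        if allowed:
            granted.add(op)
    return granted


if __name__ == "__main__":
    role = {"Read"}  # constructed sample: role-based security grants Read only
    for mode in ("Restrict", "Extend"):
        rule = Rule("sample", mode, frozenset({"Update"}))
        for outcome in (True, False):
            print(mode, outcome, sorted(effective(role, rule, outcome)))
        print(mode, "lint:", lint(rule))
```

Running the model over every rule planned for an object type shows which Extend rules grant an operation that the role alone does not, which is the set worth reviewing before the rules are enabled.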