Security rules
- Record level security allows administrators to control access to individual objects in a folder.
- Field level security allows administrators to control access to individual fields within an object.
Security rules do not replace role-based security. Instead, they provide an extra level of security that can work with role-based security.
Consider this example of record level security. A folder contains 10 tasks. The role-based security grants the Read and Write access controls to all users in a certain role. You define a record level security rule to limit the access for one user who is in that role so that this one user has Read access for Task 1 and Task 8 only.
You can extend the example to field level security. Task 1 contains 10 fields. You can define a field level security rule to limit the access for one user in a certain role. This user has Read access for Field 3 and Field 7 only.
You define security rules for individual object types. After you have defined them, they are applied to all system components, including Reporting, FastMap, Triggers, Reporting Periods, and all available views.
A security rule consists of the following components:
- A formula that determines the conditions for granting the access controls.
  - The formula can be based on these field values: Actor fields, Enumerated fields, Text fields, Date fields, Numeric fields, and Currency fields.
  - The formula can be based on a user who is a member of a particular user group or profile.
  - Complex formulas can be based on associations between objects.
  - The formula can support complex expressions that use terms such as AND, OR, NOT, and nested parentheses.
- The access controls that specify the object access permissions or field access permissions.
  - A record level security rule can specify Create, Read, Update, Associate, and Delete access to object instances.
  - A field level security rule can specify Read only, and Read and Update access to non-system fields within an object.
The following limitations apply to security rules:
- They do not support computed text fields.
- They do not support long string fields.
- They do not support NULL values.
  The NOT operator does not return objects that have an empty, blank, or null value in the selected field criteria.
- They do not support encrypted simple string or long string data type fields.
- When you use a Multi-Valued User/Group Selector in a security rule, the user or group that you specify in the formula must already exist in your environment.
- The functions that are used in security rule formulas are available in English only. For example, when you add a path to a security rule, the options in the Parent or Child list are in English only.
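The record level example (10 tasks, one user limited to Read on Task 1 and Task 8) and the NOT/null limitation can be modelled together in a few lines. This is an added illustration, not the product's rule engine or formula syntax. The role name, the `owner` field, the helper names, the three-valued handling of blank fields and the "a rule can only narrow the role grant" behaviour are assumptions.

```python
# Illustrative model only; not the product's rule engine or formula syntax.
READ, WRITE = "Read", "Write"
ROLE_GRANTS = {"task_editor": {READ, WRITE}}  # hypothetical role name

# Constructed sample folder: 10 tasks; Task 4 has a blank owner field.
TASKS = [{"name": f"Task {i}", "owner": "alice" if i in (1, 8) else "bob"}
         for i in range(1, 11)]
TASKS[3]["owner"] = None

def eq(field, value):
    """Field comparison; None means 'unknown' because the field is blank/null."""
    def term(rec):
        v = rec.get(field)
        return None if v in (None, "") else v == value
    return term

def not_(t):
    """NOT leaves unknown as unknown, so blank records are never returned."""
    def term(rec):
        r = t(rec)
        return None if r is None else not r
    return term

def and_(a, b):
    """AND over True/False/unknown (assumed three-valued semantics)."""
    def term(rec):
        x, y = a(rec), b(rec)
        if x is False or y is False:
            return False
        return None if None in (x, y) else True
    return term

def effective_access(role, rule, rec):
    """Role grant first; a rule (formula, controls) can only narrow it (assumed)."""
    base = ROLE_GRANTS.get(role, set())
    if rule is None:
        return set(base)
    formula, controls = rule
    return base & controls if formula(rec) is True else set()

def readable(role, rule):
    """Names of the tasks the role can still read once the rule is applied."""
    return [t["name"] for t in TASKS if READ in effective_access(role, rule, t)]

if __name__ == "__main__":
    print(readable("task_editor", (eq("owner", "alice"), {READ})))
    print(readable("task_editor", (not_(eq("owner", "bob")), {READ})))
```

Both rules return Task 1 and Task 8. Task 4 is left out of the NOT rule even though its owner is not "bob", which is the case to check for when a rule built on NOT is expected to cover records with blank fields.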