Security rules

You can create two levels of security by using security rules: record level security and field level security.

Security rules do not replace role-based security. Instead, they provide an extra level of security that can work with role-based security.

Consider this example of record level security. A folder contains 10 tasks. The role-based security grants the Read and Write access controls to all users in a certain role. You define a record level security rule to limit the access for one user who is in that role so that this one user has Read access for Task 1 and Task 8 only.

You can extend the example to field level security. Task 1 contains 10 fields. You can define a field level security rule to limit the access for one user in a certain role. This user has Read access for Field 3 and Field 7 only.

You define security rules for individual object types. After you have defined them, they are applied to all system components, including Reporting, FastMap, Triggers, Reporting Periods, and all available views.

A security rule comprises two parts:

  • A formula that determines the conditions for granting the access controls.
    • The formula can be based on these field values: Actor fields, Enumerated fields, Text fields, Date fields, Numeric fields, and Currency fields.
    • The formula can be based on a user who is a member of a particular user group or profile.
    • Complex formulae can be based on associations between objects.

      For example, a loss event is owned by the business unit where it occurred and is also shared with other business units that are impacted by the loss event. Selected users of the other business units should see its details.

    • The formula can support complex expressions that use terms such as AND, OR, NOT, and nested parentheses.
  • The access controls that specify the object access permissions or field access permissions.
    • A record level security rule can specify Create, Read, Update, Associate, and Delete access to object instances.
    • A field level security rule can specify Read only or Read and Update access to non-system fields within an object.

Security rule formulas have the following restrictions:
  • They do not support computed text fields or large text fields.
  • They do not support NULL values.

    The NOT operator does not return objects that have an empty, blank, or null value in the selected field criteria.

  • They do not support encrypted simple string or long string data type fields.

Note: Security rules are not applied to administrators. They have full permissions for all objects and fields.
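To make the layering concrete, the following is an added Python model; it is not the product's code or formula syntax, and the tuple encoding of formulas, the `User`, `RecordRule` and `FieldRule` classes, the `evaluate`, `record_access`, `field_access` and `not_closed` helpers, and the sample tasks and users are all assumptions. It runs the page's own scenario: a role grants Read and Update on ten tasks, a record level rule leaves one user with Read access to Task 1 and Task 8 only, a field level rule shows that user Field 3 and Field 7 only, the NOT operator skips records whose field is blank, and administrators bypass the rules.

```python
"""Constructed model of layered access control: role-based grants narrowed by
record level and field level security rules. Illustration only; the tuple
encoding of formulas, the rule classes and the helper names are assumptions,
not the product's own syntax or API."""
from dataclasses import dataclass
from typing import Callable

ALL_RECORD_ACCESS = frozenset({"Create", "Read", "Update", "Associate", "Delete"})
BLANK = (None, "")  # values the NOT operator treats as "no match"

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    groups: frozenset = frozenset()
    is_admin: bool = False

@dataclass(frozen=True)
class RecordRule:
    """Keep only `access` on records satisfying `formula`; nothing elsewhere."""
    applies_to: Callable[[User], bool]
    formula: tuple
    access: frozenset

@dataclass(frozen=True)
class FieldRule:
    """Expose only `fields`, each as 'Read only' or 'Read and Update'."""
    applies_to: Callable[[User], bool]
    fields: frozenset
    access: str

def evaluate(formula, record, user):
    """Evaluate a nested formula tuple for one record and one user."""
    op = formula[0]
    if op == "eq":          # field criterion: record field equals value
        return record.get(formula[1]) == formula[2]
    if op == "member_of":   # user criterion: membership of a user group
        return formula[1] in user.groups
    if op == "and":
        return all(evaluate(f, record, user) for f in formula[1:])
    if op == "or":
        return any(evaluate(f, record, user) for f in formula[1:])
    if op == "not":
        inner = formula[1]
        # Page caveat: NOT over a field criterion never matches a record whose
        # field is empty, blank or null.
        if inner[0] == "eq" and record.get(inner[1]) in BLANK:
            return False
        return not evaluate(inner, record, user)
    raise ValueError(f"unknown operator {op!r}")

def record_access(user, record, role_grants, record_rules):
    """Union of role-based grants, narrowed by every applicable record rule.
    Rules only narrow; administrators bypass them entirely."""
    if user.is_admin:
        return set(ALL_RECORD_ACCESS)
    granted = set()
    for role in user.roles:
        granted |= role_grants.get(role, set())
    for rule in record_rules:
        if rule.applies_to(user):
            granted &= rule.access if evaluate(rule.formula, record, user) else frozenset()
    return granted

def field_access(user, record, field_name, role_grants, record_rules, field_rules):
    """A field is reachable only through a readable record; applicable field
    rules then limit which fields are visible and whether they can be updated."""
    if user.is_admin:
        return {"Read", "Update"}
    allowed = record_access(user, record, role_grants, record_rules) & {"Read", "Update"}
    if "Read" not in allowed:
        return set()
    for rule in field_rules:
        if not rule.applies_to(user):
            continue
        if field_name not in rule.fields:
            return set()
        if rule.access == "Read only":
            allowed &= {"Read"}
    return allowed

def not_closed(records, user):
    """Ids matched by NOT(status = Closed); blank statuses drop out."""
    formula = ("not", ("eq", "status", "Closed"))
    return [r["id"] for r in records if evaluate(formula, r, user)]

# Constructed scenario mirroring the page's example: ten tasks in one folder,
# each with ten fields; Task 4 and Task 9 have a blank status.
TASKS = [{"id": n, "status": None if n in (4, 9) else "Open",
          **{f"field{i}": f"task{n}-value{i}" for i in range(1, 11)}}
         for n in range(1, 11)]
ROLE_GRANTS = {"analyst": {"Read", "Update"}}    # role-based security for the role
PAT = User("pat", frozenset({"analyst"}))         # the user the rules single out
SAM = User("sam", frozenset({"analyst"}))         # same role, no rules apply
ADMIN = User("root", frozenset(), is_admin=True)
RECORD_RULES = [RecordRule(lambda u: u.name == "pat",
                           ("or", ("eq", "id", 1), ("eq", "id", 8)),  # Task 1 and Task 8
                           frozenset({"Read"}))]
FIELD_RULES = [FieldRule(lambda u: u.name == "pat",
                         frozenset({"field3", "field7"}),             # Field 3 and Field 7
                         "Read only")]
```

With these inputs, `record_access(PAT, TASKS[0], ROLE_GRANTS, RECORD_RULES)` returns `{"Read"}` while the same call for Task 2 returns an empty set, `SAM` keeps Read and Update on every task, `ADMIN` gets every control regardless of the rules, and `not_closed(TASKS, SAM)` omits Task 4 and Task 9 because their status is blank. The role-based grant is the ceiling and each rule can only lower it, which is the relationship the text describes.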