Hello,
I have a custom entity, one of its records is of a sensitive nature. How can I restricts others from accessing or even viewing this record. Though based on Security Roles, all users are allowed to read and write these this entity.
Your assistance is so much appreciated.
Regards, Simon
*This post is locked for comments
Hi Aric Levin,
We tried what you suggested above, still the other user is able to see the record.
1. We created the separate business unit(XYZ) and assigned different parent BU (ABC)
2.created a new team(A) in newly created business unit (XYZ).
3.Created new security role with access to custom entity to level of business unit alone.
3.Assigned security role to team (A).
4. Created a record on custom entity and assigned it to the newly created team
5. We tried to login with differnt user who is not part of business unit(XYZ) and tried to read record , still he is able to do it.
Would you please advise here, It would be very grateful if we find some solution.
Hi Simon,
you either have to do it through the security roles/business units as Aric suggested or, your other option (though, quite frankly, I would rather go the "security roles" route) might be to create a plugin (retrieve and retrieve multiple ) to exclude those sensitive records from the results and to display error message when somebody tries opening such records (based on the user id/role/etc). There will be backdoors, though.. For example, SSRS reports(including those created with the report wizard) will bypass retrievemultiple plugins
Hi, that is a good enough situation to do this.
PARENT BU - CONTAINS ALL USERS
CHILD BU - NO USERS, CONTAINS 1 TEAM (NO USERS)
ALL USERS - CHANGE ORGANIZATION READ ACCESS TO BUSINESS UNIT READ ACCESS
RESTRICTED RECORDS - SET OWNERSHIP TO CHILD BU TEAM
USERS THAT NEED ACCESS TO RESTRICTED RECORDS - EITHER CREATED ANOTHER SECURITY ROLE FOR THEM (WITH ORGANIZATION READ ACCESS) OR MAKE THEM MEMBERS OF THE CHILD BU TEAM OR SHARE THE RECORDS WITH THEM.
I think the keeping your ORGANIZATIONAL STRUCTURE AS IT IS WILL NOT ALLOW YOU TO IMPLEMENT THIS,
The other route is using Plugins on the Retrieve and RetrieveMultiple messages or possibly using Access Teams, but that would complicate things as well.
Thank you Aric for the quick response.
Unfortunately, that won't help, as I have a single BU (default), and all users belong to this BU, and all users have a security role that has Read/Write on Organizational level
The easiest way would be using Business Units and Security Roles.
Not sure how many business units you already have, but set the ownership of the sensitive records to a user or team in a different business units. Make sure that all users that are not supposed to be able to read those records do not have READ permissions to that business unit. This means that their read permissions would be a different business units only (or parent-child). The users that should be able to see the data of that business unit, should have organization read access, or have the records shared with them or a team they belong to.
Hope this helps.
Stay up to date on forum activity by subscribing. You can also customize your in-app and email Notification settings across all subscriptions.
André Arnaud de Cal... 291,240 Super User 2024 Season 2
Martin Dráb 230,104 Most Valuable Professional
nmaenpaa 101,156