Configure object permissions on several levels:
- Operation permissions. Learn more in a separate article: Object operation permissions.
- Column permissions. Learn more in a separate article: Column permissions.
- Record permissions. This article explains how to configure permissions to read, edit, and delete individual records of a particular object.
The system administrator can manage permissions to read, edit, or delete individual records, as well as the ability to delegate these permissions.
To enable the record permissions, toggle on the “Use record permissions” switch in the Object permissions section of the System Designer. The permission mechanism is based on the record authorship. If the record author is a member of the role specified in the “Record author” column, Creatio will grant permissions to the receiving role specified in the “User or role who obtains permissions” column. If the receiving role is subordinate, its management role will inherit the granted permissions.
By default, Creatio grants maximum access permissions to the following users:
-
The system administrators with permissions to the “Add any data,” “View any data,” “Edit any data,” and “Delete any data” system operations. These settings have a higher priority than the settings specified in the Object permissions section.
-
The record author and the management role of the author, including the ability to delegate permissions to other users.
-
The record owner and the management role of the owner, including the ability to delegate permissions to other users.
Learn more in a separate article: Share records.
If you are just getting started with Creatio, we recommend familiarizing yourself with the principles of Creatio object permissions in the e-learning course: User and role management, Access permissions.
In this example, the record authors and the users who receive permissions are the members of the “Sales associates” and “Sales associates. Managers group” organizational roles.
-
Click the button to go to the System Designer, then open the “Object permissions” section.
-
Select the “Sections” filter and choose the “Opportunity” object to configure access permissions to the Opportunities section. Click the object name or title to open the permission setup page of the Opportunity object (Fig. 1).
Learn more in the e-learning course: Object permissions.
-
Toggle on the “Use record permissions” switch to enable record permissions (Fig. 2).
-
Click the Add button. In the box that opens, specify the record author user or role and the user or role that will receive permissions for the record. Use the search bar to quickly find the needed role or user. In this example, you need to add three records (Fig. 3).
-
Click the button and select “Granted” or “Granted with right to delegate” options in the column that corresponds to specific permissions (read, edit or delete) for each user to determine access levels. By default, access permissions are not specified. In this example, grant the following permissions (Fig. 4):
-
Select the “Granted with right to delegate” checkbox for the “Sales associates” role in the Read column, and the “Granted” checkbox in the Edit column to enable sales associates to view records created by their colleagues and delegate this permission to other users, as well as edit the records, but not delete them.
-
Select the “Granted” checkbox in the Edit and Read columns for the “Sales associates” role to enable sales associates to view and edit records created by their managers, but not delete them.
-
Select the “Granted with right to delegate” checkbox for the “Sales associates. Managers group” role in the Read , Edit, and Delete columns of the records created by the “Sales associates. Managers group” role to allow managers to view, edit and, delete records created by their colleagues, as well as delegate these permissions.
-
-
Click Apply.
Permission update is a resource-intensive procedure. Depending on the number of section records, as well as the number of affected users and roles, the update may take 3 minutes or more and affect Creatio performance. We recommend updating record permissions when the load on Creatio is the lowest to avoid this.
Open the access permissions setup page and select “Update record permissions” in the Actions menu to apply new access permissions to existing section records (Fig. 5).
As a result of the update, Creatio will delete the default permissions and add new permissions. During the update, Creatio will not delete permissions you added manually to the record permission page or those configured as part of a business process.