This documentation is valid for Creatio version 7.14.0. We recommend using the newest version of Creatio documentation.

Object permissions

Business data in bpm'online is stored in “objects”. Each section, detail, or lookup is based on a corresponding object, which, in turn, roughly corresponds to a database table.

Note

For more about technical aspects of bpm’online objects, please refer to the “Creating the entity schema” article of the development guide.

In bpm’online, working with access to data involves managing object permissions. The Object permissions section of the System Designer is designed for this purpose.

You can manage objects on three levels: operation permissions, record permissions and column permissions. In the object permissions management section (Fig. 1) you can see whether permissions in each object are managed by operations, records and columns.

Fig. 1 Section objects and their access levels


Access to operations with the object

Operation permissions enable you to grant or limit the ability to create, read, update or delete object data (CRUD operations) for individual users or roles.

Note

Object operations should not be confused with “system operations”, which you can manage in the [Operations permissions] section. Learn more about system operations in the “System operation reference” article.

  • If the [Operation permissions enabled] checkbox is cleared, all users can create, read, update or delete all records in the object.

  • If the [Operation permissions enabled] checkbox is selected, the ability to perform CRUD operations in the object is only available to those users and roles who were granted these permissions specifically. All other users (apart from system administrators) do not have access to the object. For example, only individual users can add new records. Users and roles that do not have operation permissions to this object will not be able to create, read, update or delete data in it.

Learn more about setting up access to operations with objects in the “Managing object operation permissions” article.

Access to object records

This option enables you to manage the permissions to read, update or delete specific records in an object, as well as to delegate these permissions. By default, a new record is only accessible to its owner and the system administrator. Record owners configure access permissions to their record individually (learn more in the “Access rights” article). A system administrator can configure a set of rules for automatically granting access to a new record to certain users or roles, based on the record author.

  • If the [Record permissions enabled] checkbox is cleared, all users can create, read, update or delete all records in the object (provided that they have corresponding operation permissions to the object).

  • If the [Record permissions enabled] checkbox is selected, individual users or groups can perform separate CRUD operations with individual object records (provided that they have corresponding operation permissions to the object). For example, only certain users or roles can view and edit specific accounts or contacts.

Learn more about setting up access to object records in the “Managing record permissions” article.

Access to object columns

This option enables you to configure access permissions to specific fields in sections, details and lookups. A field is a visual representation of a database column.

  • If the [Column permissions enabled] checkbox is cleared, all users can access values in all object columns, provided that they have access permissions to object operations and access to corresponding records.

  • If the [Column permissions enabled] checkbox is selected, only specific users and roles can access values in object columns, provided that they have access permissions to object operations and access to corresponding records. For example, only individual users can view the annual revenue of accounts or change a contact type.

Learn more about setting up object column access in the “Managing column permissions” article.

The [Operation permissions enabled], [Record permissions enabled] and [Column permissions enabled] checkboxes in the list are view-only. They change automatically, based on the permissions that you set up for each object. If all checkboxes are disabled for an object, then all users have full access to the object and have permission to create, read, update or delete its data in all records and all columns. Learn more about different access permission options in the “Managing object operation permissions”, “Managing record permissions” and “Managing column permissions” articles.
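To make the three-level cascade concrete, here is an added model written for this article (it is not Creatio's own code or API): an object passes through the operation gate, then the record gate, then the column gate, system administrators bypass all three, an object with all checkboxes cleared is fully open, and a subordinate object can inherit the decision of its parent record as described in the “Inherited access permissions” section further down. All class, function and field names, the sample principals, record ids and column names are constructed for the example, and the model assumes a column with no configured restriction stays open.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:  # a user plus the roles it belongs to (constructed model)
    name: str
    roles: set = field(default_factory=set)
    is_sysadmin: bool = False

@dataclass
class ObjectPermissions:  # one row of the [Object permissions] list plus the grants behind it
    name: str
    operation_permissions_enabled: bool = False
    record_permissions_enabled: bool = False
    column_permissions_enabled: bool = False
    operation_grants: dict = field(default_factory=dict)  # principal -> CRUD ops
    owners: dict = field(default_factory=dict)            # record id -> owner principal
    record_grants: dict = field(default_factory=dict)     # record id -> principal -> ops
    column_grants: dict = field(default_factory=dict)     # column -> principal -> ops
    parent: "ObjectPermissions | None" = None             # [Object to inherit access permissions from]
    parent_records: dict = field(default_factory=dict)    # record id -> parent record id

def _granted(grants, ids, op):
    return any(op in grants.get(p, set()) for p in ids)

def allowed(obj, who, op, record_id=None, column=None):
    """Operation gate, then record gate, then column gate; system administrators bypass all."""
    if who.is_sysadmin:
        return True
    ids = {who.name} | who.roles
    if obj.operation_permissions_enabled and not _granted(obj.operation_grants, ids, op):
        return False
    if obj.record_permissions_enabled and record_id is not None and op != "create":
        owner = obj.owners.get(record_id) in ids  # a new record is accessible to its owner
        if not owner and not _granted(obj.record_grants.get(record_id, {}), ids, op):
            return False
    if obj.column_permissions_enabled and column in obj.column_grants:  # unrestricted columns stay open (assumption)
        if not _granted(obj.column_grants[column], ids, op):
            return False
    # Inherited permissions: no right on the parent record means no right on the subordinate one.
    if obj.parent is not None and record_id in obj.parent_records:
        return allowed(obj.parent, who, op, obj.parent_records[record_id])
    return True

# Constructed scenario: "Account" managed by operations, records and columns; a detail object inherits from it.
SALES = Principal("jane", roles={"Sales"})
ACCOUNT = ObjectPermissions("Account", True, True, True, owners={"acc-1": "jane", "acc-2": "bob"},
    operation_grants={"Sales": {"read", "update"}}, column_grants={"AnnualRevenue": {"Finance": {"read"}}})
COMMS = ObjectPermissions("AccountCommunication", parent=ACCOUNT,
    parent_records={"comm-1": "acc-1", "comm-2": "acc-2"})
```

With this setup, jane can read her own account but not bob's, cannot see the revenue column without the Finance role, and loses access to bob's communication options through inheritance even though the detail object itself has every checkbox cleared.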

Selecting an object to set up access permissions

In bpm’online, you manage access to sections, details, and lookups through their respective objects. To restrict access to data of a particular section, detail, or lookup, you need to set up access permissions to the object where those records are stored. The objects are available in the [Object permissions] section of the System Designer.

The same object can act as a data source for a section, several details and lookup fields. That is why identifying which object you need is paramount.

Use filters to view the list of “section” or “lookup” objects only. By default, the list in the [Object permissions] section shows only section objects (including objects used in custom sections). Select the “Lookups” filter to display only objects that correspond to registered lookups.

Note

If you select a filter and search for a particular object, bpm’online will only search for objects that correspond to the selected filter. For example, if the “Sections” filter is selected in the list, and you are looking for a lookup, the necessary object will not be found since the list displays exclusively section objects.

Use the search string in conjunction with the filter to find the object you need.

Configuring access to a section

To set up access to a section, select the “Sections” filter and start typing the section name in the search box. The name of the object usually corresponds to the name of the section in the singular. For example, the [Contacts] section object is called “Contact”, the [Documents] section object is called “Document”, etc. (note that custom sections and objects may not follow this rule).

Below are a few examples of section names and their corresponding object names.

| Section name | Object title | Database object name |
|---|---|---|
| Contacts | Contact | Contact |
| Accounts | Account | Account |
| Activities | Activity | Activity |
| Opportunities | Opportunity | Opportunity |
| Landing pages and web forms | Landing page (web form) | GeneratedWebForm |

Click on the object’s name to begin configuring its access permissions. Note that only object names and titles are clickable in the list. Learn more about setting up different types of object permissions in the “Managing object operation permissions”, “Managing record permissions” and “Managing column permissions” articles.

Configuring access to a lookup

To configure access to a lookup, select the “Lookups” filter and specify the object name in the search box. A lookup object name is usually identical to the lookup name or corresponds to the name of the lookup in the singular. For example, the [Currency] lookup object is named “Currency”.

Below are a few examples of lookup names and their corresponding object names.

| Lookup name | Object title | Database object name |
|---|---|---|
| States/provinces | States/provinces | Region |
| List of objects available to portal users | List of objects available to portal users (view) | VwSysSSPEntitySchemaAccessList |
| Email templates | Email template | EmailTemplate |
| Noteworthy event types | Noteworthy event types | AnniversaryType |
| Opportunity categories | Opportunity categories | OpportunityCategory |

Click on the object name to begin configuring its access permissions. Note that only object names and titles are clickable in the list. Learn more about setting up different types of object permissions in the “Managing object operation permissions”, “Managing record permissions” and “Managing column permissions” articles.

Configuring access to a detail

A detail is a record page element that displays a list of records that are connected to the current record. Most details display section records, e.g., the [Contacts] detail on the account page. Several details use their own dedicated objects as data sources, e.g., the [Addresses] and [Noteworthy events] details. To configure access permissions to a detail, first determine which object serves as the data source for the detail. If the detail displays section data (e.g., the [Contacts] detail on the account page displays data from the [Contacts] section), set up permissions to the corresponding section object. If the detail displays lookup data, configure access to the object that corresponds to that particular lookup. If the detail has its own object, configure access to that particular object.

Note

You can look up the name of the detail object in the Section Wizard. Locate where the detail is used, and find the [Detail] field in the edit mode.

Make sure you select the “All objects” filter before searching for a dedicated detail object in the [Object permissions] section. If the detail displays the data of a particular section, the name of the detail object corresponds to the section name. For example, the name of the [Contacts] detail object in the [Accounts] section is “Contact”.

If the detail displays lookup data, in most cases the name of the object corresponds to the name of the lookup.

The name of a dedicated detail object usually combines the name of the detail and the section in which it is used (singular). For example, the [Attachments] detail object in the [Contacts] section is named “Contact attachment”.

Below are a few examples of detail names and corresponding object names.

| Section name | Detail name | Object title | Database object name |
|---|---|---|---|
| Contacts | Communication options | Contact communication options | ContactCommunication |
| Accounts | Communication options | Account communication options | AccountCommunication |
| Contacts | Addresses | Contact address | ContactAddress |
| Accounts | Addresses | Account address | AccountAddress |
| Contacts | Job experience | Contact job experience | ContactCareer |
| Accounts | Banking details | Payment details of the account | AccountBillingInfo |
| Contacts | Attachments and notes | Contact attachments and notes | ContactFile |
| Any | Activities | Activity | Activity |

Click on an object name to begin configuring its access permissions. Learn more about setting up different types of object permissions in the “Managing object operation permissions”, “Managing record permissions” and “Managing column permissions” articles.

Configuring access to feed messages

Access permissions to feed are inherited from access permissions of the object where the feed message is posted. For example, if a user has permissions to read or create records in the [Accounts] section, they can view and create messages in the account’s feed. However, they can only edit and delete their own messages. To grant access permissions to feed messages in a specific section, grant access permissions to that section object. Learn about finding the needed objects in the “Configuring access to a section” article.

To begin configuring operation, record and column permissions, select an object of the necessary section by clicking on its name or title. Learn more about setting up different types of object permissions in the “Managing object operation permissions”, “Managing record permissions” and “Managing column permissions” articles.

Configuring access to tags

There is a separate object for storing tags for each section with each object record being a separate tag. The object title looks like this: “<section name> section tag”. For example, “Feed section tag”, “Activity section tag”, etc.

Note

Before searching for the tag objects in the [Object permissions] section, make sure you select the “All objects” filter.

Click on an object name to begin configuring its access permissions. Note that only object names and titles are clickable in the list. Learn more about setting up different types of object permissions in the “Managing object operation permissions”, “Managing record permissions” and “Managing column permissions” articles.

Configuring access to section folders

There is a separate object for storing folders of each section, with each object record being a separate folder. The object title looks like this: “Section folder - <section name>”. For example, the title of the object that stores the folders of the [Contracts] section is “Section folder - "Contracts"”. The object title may also consist of the word “folder” and the section name in the singular. For example, the folder object title for the [Contacts] section is “Contact folder”.

All folder objects are managed by records, i.e., by default, a folder is visible only to the user who created it, with the ability to share the folder with other users via the [Set up access rights] button (Fig. 2).

Fig. 2 Access permissions to the “My activities” folder in the [Activities] section


Configuring access to dashboards

Bpm’online section analytics, as well as the analytics available in the [Dashboards] section are stored in a separate “Dashboard” (SysDashboard) object.

If the “Dashboard” object is not managed by records, all users have full access to all dashboards. If the object is managed by records, access permissions to individual dashboards are configured via the [Set up access permissions] button in the analytics view (Fig. 3).

Fig. 3 Configuring access permissions to the “Dashboards” view in the [Contacts] section


Inherited access permissions

Subordinate objects, such as details, can inherit access permissions from parent objects (e.g., corresponding sections). For example, account communication options can inherit access permissions of the parent account. In this case, any user who has no permission to edit the primary record (e.g., account) cannot edit the subordinate records (e.g., communication options of that account) either.

This functionality is disabled by default. You can enable it for separate objects in the Object Designer, available in the [Configuration] section of bpm’online advanced settings page.

Note

More information about working with the Object Designer and the [Configuration] section is available in the “The [Configuration] section” article of the Development Guide. The “Workspace of the Object Designer” article provides a description of the Object Designer.

Open the Object Designer; display all object properties (Fig. 4); in the [Object to inherit access permissions from] field, select the parent object, whose access permissions will be inherited by the current object (Fig. 5).

Fig. 4 Switching the object properties area to the “advanced” mode


Fig. 5 Inheriting access permissions from the parent object

