Creatio administration
This documentation is valid for Creatio version 7.16.0. We recommend using the newest version of Creatio documentation.

Managing object operation permissions

Managing access to object operations enables you to assign permissions to create, read, update or and delete (CRUD) operations for all data in an object. Let’s have a look at several typical cases of managing operation permissions.

Note

Object operations should not be confused with “system operations”, which you can manage in the [Operations permissions] section. There are four system operations that cancel any other object permission settings, namely: “View any data” (CanSelectEverything), “Add any data” (CanInsertEverything), “Edit any data” (CanUpdateEverything) and “Delete any data” (CanDeleteEverything). The user with access to the above listed operations will have permissions regardless of the settings in the [Object permissions] section. Learn more about system operations in the [Operations permissions] section.

Configure access to operations in section objects

Configure access to operations in detail objects

Configure access to operations in section objects

Case

Set up the following permissions to the [Opportunities] section:

Sales managers must have all permissions to section records except for the “Delete” permission.

Their managers must have full access to records.

One of the employees with the “Secretaries” role must have a permission to view the section records, while all other secretaries should not be able to view the [Opportunities] section at all.

1.Go to the system designer (btn_system_designer.png button) and open the [Object permissions] section.

2.Select the necessary object in the list or use the search box. For example, to configure access permissions to the [Opportunities] section, select the “Sections” filter and choose the “Opportunity” object. Click the name (or title) of the object to open the object permission settings window (Fig. 1).

Fig. 1 Choosing the section object and opening the permissions settings window

chapter_obgect_permissions_administer_by_operations_section.gif 

Note

Learn more about finding the object in the list in the “Selecting an object to set up access permissions” article.

3.Enable the “Use operation permissions” switch (Fig. 2).

Fig. 2 Enabling the “Use operation permissions” switch

chapter_objects_permissions_section_permissions_administer_by_operations.png 

Note

By default, all employees (the “All employees” organizational role) have the ability to read, create, update and delete all object records. Users in the “All employees” role will have permissions to perform these operations, even if operations permissions are not used and the switch is disabled.

Attention

If you remove the “All employees” role from the settings area, and then disable the “Use operation permissions” switch and apply the changes, users will not be able to see the object records.

4.Click [Add] and select the necessary users and roles. You can use the search box or the [Organizational roles], [Functional roles] and [Users] tabs to quickly find users and roles. In this case:

The “All employees” role (added automatically).

The “Sales managers” organizational role.

The “Sales managers.

The “Secretaries” organizational role.

An individual user from the “Secretaries” organizational role (Fig. 3), e.g., V. Murphy.

Fig. 3 Adding users and roles to grant access permissions to the section

chapter_obgect_permissions_administer_by_operations_adding_roles_and_users.gif 

5.By default, each user or role that you add is granted access to read, create, update and delete object data. Edit these permissions according to your requirements, for example:

Leave the [Read] checkbox selected and clear the [Create], [Edit] and [Delete] checkboxes for the “All employees” role. As a result, all company employees can read section records but cannot create, edit or delete them.

Leave the [Read], [Create], [Edit] checkboxes selected and clear the [Delete] checkbox for the “Sales managers” role. As a result, sales managers will be able to read, create and edit section records without the ability to delete them.

Leave the [Read], [Create], [Edit] and [Delete] checkboxes selected for the “Sales managers. Managers group” role. As a result, sales department managers will have permission to read, create, edit or delete records in the [Opportunities] section.

Clear the [Read], [Create], [Edit] and [Delete] checkboxes for the “Secretaries” role. As a result, the [Opportunities] section will be hidden from the company’s secretaries.

Leave the [Read] checkbox selected for the specific user in the “Secretaries” role. As a result, the user can read records in the [Opportunities] section.

icn_access_rights_priority.png icon may appear next to some permissions. This means that some settings contradict each other, and it is necessary to adjust their priorities.

Hierarchy of object operation permissions

Sometimes the access permissions that apply to the same user or role may contradict each other, since a user may be included in several roles. Also, organizational roles may inherit permissions from one another, for example, the “Sales managers”, “Sales managers. Managers group” and “Secretaries” roles are a part of the “All employees” role. Additionally, permissions granted to an individual user may conflict with permissions that the user may have as a member of their role. These conflicts are indicated by the icn_access_rights_priority00001.png icon next to the conflicting access permission.

In case of a conflict, the permission that is the highest in the list will have a higher priority. The priority is shown in the [Priority] column and the highest possible priority is “0”. An icn_access_rights_priority00002.png icon next to an access permission rule indicates such a “conflict”.    You can drag a rule to change its position in the list (Fig. 4).

Fig. 4 The need to adjust priorities in the list of permission rules

chapter_objects_permissions_section_permissions_permission_priority.png 

Please take the following into account while configuring access permission priorities:

  • A user who is a part of several roles will get the access permissions of the highest role in the list.

For example, all users should not access the [Opportunities] section records, but sales managers (who also belong to the “All users” role) should be given all permissions except those that enable them to delete records. To do this, place the “Sales managers” role higher than “All employees” in the list.

  • To deny access permissions to an operation for a role while permitting the operation for some of its users, place this role lower in the list than the users who need to be granted access.

Thus, if you deny access to the [Opportunities] section for the “Secretaries” role, but grant permission to read data to one of the secretaries, make sure that you move the “Secretaries” below the secretary employee who is supposed to access to the section.

  • Users or roles that are not added to the object operations settings area do not get access to operations and are not included in priority settings.

Configure access permission priorities. To change the rule display order, drag&drop the rule to the necessary position in the list (Fig. 5).

1.Place the organizational role with the highest level of permissions (in our case, “Sales managers. Managers group”) at the top of the list.

2.Place the “Sales managers” role directly below.

3.The “All employees” role and the “V. Murphy” user (who belongs to the “Secretaries” role) have the same access permissions. Thus, you can place them directly below the “Sales managers” role in any order.

4.The “Secretaries” role should be placed at the very bottom of the list since they do not have access to the [Opportunities] section.

5.Save the changes by clicking “Apply” in the upper left corner of the page.

Fig. 5 Setting up access permission priorities

chapter_objects_permissions_section_permissions_result.png 

As a result:

  • Users in the “Sales managers” role have access to the [Opportunities] section with the ability to create and edit section records. Sales managers do not have permission to delete records.

  • Their managers should have full access to these records, including the permissions to delete them.

  • All company employees can read section records but cannot create, edit or delete them.

  • All secretaries, apart from V. Murphy, cannot view the [Opportunities] section records.

  • V. Murphy can read the records in the section.

See also

Configure access to operations in detail objects

Configure access to operations in detail objects

Case

Configure access permissions to the [Attachments] detail in the [Contracts] section. Users in the “Sales managers” organizational role should have full access to detail records.

All other users can only view the files in the detail and cannot edit or delete them.

1.Go to the system designer (btn_system_designer00003.png button) and open the [Object permissions] section.

2.Select the “All objects” filter.

3.Find the “Attachments” object via the search box.

Note

Learn more about finding the object in the list in the “Selecting an object to set up access permissions” article.

4.Click the name or the title of the object to open the access permissions configuration window.

5.Enable the “Use operation permissions” switch (Fig. 6).

Fig. 6 Enabling the “Use operation permissions” switch

chapter_objects_permissions_section_permissions_administer_by_operations_2.png 

6.Click [Add] and select the necessary users and roles. Use the search box to quickly find the necessary users and roles. In this case:

The “All employees” role (added automatically).

The “Sales managers” role.

7.By default, each user or role in the list is granted access to read, create, update and delete object data. Edit these permissions to fit the example requirements:

Leave the [Read], [Create], [Edit] and [Delete] checkboxes selected for the “Sales managers” role. As a result, sales managers can read, create, edit and delete data in the [Attachments] detail.

Leave the [Read] checkbox selected and clear the [Create], [Edit] and [Delete] checkboxes for the “All employees” role. As a result, all employee users can view the data on the [Attachments] detail without the ability to add, edit or delete anything.

8.If necessary, configure access priorities for the selected roles. Adjustments may be necessary if access levels conflict with each other (roles may overlap). For example, the “Sales Managers” role is included in the “All Employees” role. These conflicts are indicated by the icn_access_rights_priority00004.png icon next to the conflicting access permission. Detailed information about priorities is provided in the “Hierarchy of object operation permissions” chapter.

As a result:

  • Users in the “Sales managers” role have full access to the [Attachments] detail.

  • All company’s employees can view the data on the [Attachments] detail without the ability to create, edit or delete anything.

See also

Managing record permissions

Managing column permissions

Did you find this information useful?

How can we improve it?