Using custom business logic to manage record permissions
You can use business processes to grant or deny access permissions to a Creatio record. Any event can trigger the process automatically on specific conditions.
Example
Each time a contact’s type is changed to “Employee”, all users are stripped of their permissions to edit or delete the contact, and only members of the “HR. Managers group” organizational role can view, edit or delete it.
Business process diagram elements (Fig. 1):
1.The [Signal] start event triggers the process when a contact’s type is changed to “Employee” and records the Id of the contact record.
2.The [Change access rights] process element sets permissions to edit or delete the contact record. This element can obtain the contact’s id from the [Signal] element.
Fig. 1 The “Change access permissions to modify new employee record” business process
On the process diagram, add the [Signal] start event and specify its parameter values (Fig. 2):
1.In the [Object] field, select “Contact”.
2.In the [Which event should trigger the signal?] field, select “Record modified”.
3.In the [Changes expected] field, select “In any of the selected fields”, and add the “Type” column.
4.In the [The modified record must meet filter conditions] field, select “Type = Employee”.
Fig. 2 The [Signal] start event parameters
Add the [Change access rights] process element to the diagram and specify its parameter values (Fig. 4):
1.In the [Which object to apply access rights to?] field, select “Contact”.
2.In the [Apply access rights to all records that match conditions] field, set up a filter (Fig. 3) by the Id column (“Id=Contact type updated.Unique identifier of record”):
a.Click [+ Add condition] to add a new filter condition.
b.In the pop-up window, select “Id” from the drop-down list.
c.Click <?> and select [Compare with parameter].
d.In the pop-up window, under [Process elements], select the start signal event (on the left).
e.Select the [Unique identifier of record] parameter on the right.
Fig. 3 Setting up a filter by the Id column
Note
You can learn more about passing the unique record identifier (Id) between process elements in the “How to pass parameters between process elements” article.
3.Click 
in the [Which access rights to remove?] field and select “For all users and roles”. Clear the checkbox under 
to remove permissions to edit or delete the record.
4.Click 
in the [Which access rights to add?] field and select “For a user role”.
a.In the “Role” field that appears, click 
and choose “Lookup value”.
b.Select the “HR, Managers group” organizational role in the opened window.
Fig. 4 The [Change access rights] process element parameters
After creating the process elements, connect them on the diagram and save the process.
As a result, each time a contact’s type is changed to “Employee”, all Creatio users are stripped of their permissions to edit or delete the contact, and only members of the “HR. Managers group” organizational role obtain full access to the record and can view, modify or delete it.
Note
Please make sure that access to operations with the object (in this case, “Contact”) is enabled in the [Object permissions] section in the System Designer. Learn how to set up object operation permissions in the “Object permissions” article.
See also
