Creatio administration
This documentation is valid for Creatio version 7.16.0. We recommend using the newest version of Creatio documentation.

Managing record permissions

This option enables you to manage the permissions to read, update or delete individual object records, as well as to delegate these permissions.

The distribution of access rights depends on the record’s authorship. By default, maximum access permissions are given to the following users:

  • system administrators with permissions to the “View any data”, “Add any data”, “Edit any data” and “Delete any data” system operations, which have higher priority than settings in the [Object permissions] section.

  • record author, who has full access to the record and also can delegate rights to other users. Learn more about setting up access permissions to individual records in the “Sharing records” article.

The system administrator can configure which permissions are distributed to users when a new record is created, based on the author of that record. If an object is not managed by records, all users who have access to operations in the object will have access to all of its records. Likewise, if this configuration is not performed, all users who have access to operations in the object will have record permissions.

Configure access permissions to records in the [Opportunities] section

Case

In the following example, we will configure access rights to the [Opportunities] section.

If the record is created by a sales manager, all employees that are part of this organizational role should have permission to view the record (with the ability to delegate these permissions), edit it, but not delete it.

If the record is created by a supervisor, the sales managers should have permission to view and edit the record without the ability to delegate access permissions.

The managers of the sales managers should have full access to these records, including the permission to delete them.

1. Go to the System Designer and open the [Object permissions] section.

2. For example, to configure access permissions to the [Opportunities] section, select the “Sections” filter and choose the “Opportunity” object. Click the name (or title) of the object to open the object permission settings window (Fig. 1).

Fig. 1 Choosing the section object and opening the permissions settings window

Note

Learn more about locating the object in the list and selecting it for access permissions configuration in the “Selecting an object to set up access permissions” article.

3. Enable the “Use operation permissions” switch (Fig. 2).

Fig. 2 Enabling the “Use operation permissions” switch

Note

If the object record permissions are enabled in the section, and the access permissions are not configured, the record will only be available to the record author, the author owner and system administrators.

4. Clicking the [Add] button opens a window in which you can specify a user (or role) who created the record, and a user (or role) who will receive permissions to work with this record. Use the search box to quickly find the necessary users and roles.

Fig. 3 An example of adding roles to configure access permission

In our case, the record owners and the users who receive permissions to work with the record are the members of the “Sales managers” and “Sales managers. Managers group” organizational roles to the “Managers” functional role.

5. By default, access permissions are not specified. In the column that corresponds to a specific permission (read, edit or delete), click the button and select the “Granted” or “Granted with right to delegate” option for each user to determine access levels. In our case, the following permissions are granted (Fig. 4):

Fig. 4 An example of configuring record access permissions

To enable sales managers to view records created by their colleagues, delegate this permission to other users, as well as edit the records while being unable to delete them, select the “Granted with right to delegate” checkbox for the “Sales managers” role in the [Read] column, and the “Granted” checkbox in the [Edit] column.

To enable sales managers to view records created by their managers, as well as edit these records with no ability to delete them, select the “Granted” checkbox in the [Edit] and [Read] columns for the “Sales managers” role.

To enable their managers to view, edit and delete records in the [Opportunities] section, as well as to grant them an ability to delegate these permissions, select the “Granted with right to delegate” checkbox for the “Sales managers. Managers group” role in the [Read], [Edit] and [Delete] columns of the records authored by the “Sales managers” and “Sales managers. Managers group” roles.

Note

Unlike access permissions to object operations, the priority is not affected by the order in which permissions are displayed in the list.

6. Click the [Apply] button to save changes.
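The matrix configured in steps 4 and 5, written as data and checked against the case requirements so that an over-grant (for example, delete rights for sales managers) is caught. This is an added example, not Creatio code: the tuple layout, the function names and the rule that the highest matching level wins are assumptions of the model, and role inheritance is not modeled.

```python
from enum import IntEnum
import random

class Level(IntEnum):
    NONE = 0       # permission not specified (the default in step 5)
    GRANTED = 1
    DELEGATE = 2   # "Granted with right to delegate"

OPS = ("read", "edit", "delete")
SM = "Sales managers"
MG = "Sales managers. Managers group"

# Constructed from the case text: (author role, grantee role, operation, level)
RULES = [
    (SM, SM, "read", Level.DELEGATE),
    (SM, SM, "edit", Level.GRANTED),
    (MG, SM, "read", Level.GRANTED),
    (MG, SM, "edit", Level.GRANTED),
] + [(author, MG, op, Level.DELEGATE) for author in (SM, MG) for op in OPS]

def rights_on_new_record(author_roles, rules=RULES):
    """Return {grantee: {operation: Level}} for a record whose author holds author_roles.
    Assumption: if several rules match, the highest level wins, so rule order is irrelevant."""
    rights = {}
    for author, grantee, op, level in rules:
        if author in author_roles:
            ops = rights.setdefault(grantee, dict.fromkeys(OPS, Level.NONE))
            ops[op] = max(ops[op], level)
    return rights

def violations(rules=RULES):
    """Compare the matrix with the case requirements; return every mismatch found."""
    expected = {  # (author, grantee) -> required (read, edit, delete) levels
        (SM, SM): (Level.DELEGATE, Level.GRANTED, Level.NONE),
        (MG, SM): (Level.GRANTED, Level.GRANTED, Level.NONE),
        (SM, MG): (Level.DELEGATE,) * 3,
        (MG, MG): (Level.DELEGATE,) * 3,
    }
    found = []
    for (author, grantee), want in expected.items():
        got = rights_on_new_record({author}, rules).get(grantee, {})
        have = tuple(got.get(op, Level.NONE) for op in OPS)
        if have != want:
            found.append((author, grantee, have, want))
    return found

if __name__ == "__main__":
    shuffled = random.sample(RULES, len(RULES))
    print(violations(), rights_on_new_record({SM}, shuffled) == rights_on_new_record({SM}))
```
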

Attention

If access permissions are configured in a section that already has records, you will need to update all record permissions. Otherwise, the permissions will only apply to new section records.

The process of updating record permissions may take some time. Depending on the number of section records, as well as the number of users and roles, the update process may take 3 minutes or more and affect system performance. To avoid this, we do not recommend updating record permissions during peak system load.

To apply new access permissions to existing section records, open the access permissions setup page and select “Update record permissions” in the [Actions] menu (Fig. 5).

Fig. 5 Launching the record permissions update process

As a result of the record permission update, the default permissions will be deleted and new permissions will be added. The permissions added manually by a user on the record permission page or those configured with a business process will not be deleted during the update.

Note

One role can have several record permissions. For example, these may be the permissions added by running the “Update record permission” action and obtained by running a business process, as well as permissions added manually by a user and obtained by running a business process.

See also

Managing object operation permissions

Managing column permissions
