This option enables you to manage the permissions to read, update or delete individual object records, as well as to delegate these permissions.
The distribution of access rights depends on the record’s authorship. By default, maximum access permissions are given to the following users:
- system administrators with permissions to the “View any data”, “Add any data”, “Edit any data” and “Delete any data” system operations, which have higher priority than settings in the [Object permissions] section.
- record author, who has full access to the record and also can delegate rights to other users. Learn more about setting up access permissions to individual records in the “Sharing records” article.
The system administrator can configure permissions that will be distributed to users when creating a new record based on the author of that record. If an object is not managed by records, all users who have access to operations in the object will have access to all of its records. All users who have access to operations in the object will have record permissions if this configuration is not performed.
Configure access permissions to records in the [Opportunities] section
Case
In the following example, we will configure access rights to the [Opportunities] section.
If the record is created by a sales manager, all employees that are part of this organizational role should have permission to view the record (with the ability to delegate these permissions), edit it, but not delete it.
If the record is created by a supervisor, the managers should have permission to view and edit the record without the ability to delegate access permissions.
The managers should have full access to these records, including the permission to delete them.
1. Go to the System Designer and open the [Object permissions] section.
2. For example, to configure access permissions to the [Opportunities] section, select the “Sections” filter and choose the “Opportunity” object. Click the name (or title) of the object to open the object permission settings window (Fig. 1).
Note
Learn more about locating the object in the list and selecting it for access permissions configuration in the “Selecting an object to set up access permissions” article.
3. Enable the “Use operation permissions” switch (Fig. 2).
Note
If the object record permissions are enabled in the section, and the access permissions are not configured, the record will only be available to the record author, the author owner and system administrators.
4. Clicking the [Add] button opens a window in which you can specify a user (or role) who created the record, and a user (or role) who will receive permissions to work with this record. Use the search box to quickly find the necessary users and roles.
In our case, the record owners and the users who receive permissions to work with the record are the members of the “Sales managers” and “Sales managers. Managers group” organizational roles to the “Managers” functional role.
5. By default, access permissions are not specified. To determine access levels for each user, click the button in the column that corresponds to a specific permission (read, edit or delete) and select the “Granted” or “Granted with right to delegate” option. In our case, the following permissions are granted (Fig. 4):
• To enable sales managers to view records created by their colleagues, delegate this permission to other users, as well as edit the records while being unable to delete them, select the “Granted with right to delegate” checkbox for the “Sales managers” role in the [Read] column, and the “Granted” checkbox in the [Edit] column.
• To enable sales managers to view records created by their managers, as well as edit these records with no ability to delete them, select the “Granted” checkbox in the [Edit] and [Read] columns for the “Sales managers” role.
• To enable their managers to view, edit and delete records in the [Opportunities] section, as well as to grant them an ability to delegate these permissions, select the “Granted with right to delegate” checkbox for the “Sales managers. Managers group” role in the [Read], [Edit] and [Delete] columns of the records authored by the “Sales managers” and “Sales managers. Managers group” roles.
Note
Unlike access permissions to object operations, the priority is not affected by the order in which permissions are displayed in the list.
6. Click the [Apply] button to save changes.
Attention
If access permissions are configured in a section that already has records, you will need to update all record permissions. Otherwise, the permissions will only apply to new section records.
The process of updating record permissions may take some time. Depending on the number of section records, as well as the number of users and roles, the update process may take 3 minutes or more and affect system performance. To avoid this, we do not recommend updating record permissions during peak system load.
To apply new access permissions to existing section records, open the access permissions setup page and select “Update record permissions” in the [Actions] menu (Fig. 5).
As a result of the record permission update, the default permissions will be deleted and new permissions will be added. The permissions added manually by a user on the record permission page, or those configured with a business process, will not be deleted during the update.
Note
One role can have several record permissions. For example, these may be the permissions added by running the “Update record permissions” action and obtained by running a business process, as well as permissions added manually by a user and obtained by running a business process.
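The case's permission matrix and the update behaviour described above, modelled in Python as an added example for reviewing the intended access before applying it (not the product's code or part of the original article). It assumes roles are flat sets with no inheritance, that several grants combine by taking the strongest level per operation, and that an administrator holds all four “any data” operations; `Rule`, `Grant` and the function names are hypothetical.

```python
from dataclasses import dataclass

# Levels are ordered so max() selects the strongest grant for an operation.
NONE, GRANTED, DELEGATE = 0, 1, 2
OPS = ("read", "edit", "delete")

@dataclass(frozen=True)
class Rule:                  # one row of the authorship-based default matrix
    author_role: str
    grantee_role: str
    levels: tuple            # (read, edit, delete)

@dataclass(frozen=True)
class Grant:                 # one permission stored on a record
    grantee: str             # role or user name
    levels: tuple
    source: str              # "default", "manual" or "process"

SM, MG = "Sales managers", "Sales managers. Managers group"
CASE_RULES = [               # the matrix configured in step 5
    Rule(SM, SM, (DELEGATE, GRANTED, NONE)),
    Rule(MG, SM, (GRANTED, GRANTED, NONE)),
    Rule(SM, MG, (DELEGATE, DELEGATE, DELEGATE)),
    Rule(MG, MG, (DELEGATE, DELEGATE, DELEGATE)),
]

def default_grants(author_roles, rules):
    """Default grants a record receives, derived from its author's roles."""
    return [Grant(r.grantee_role, r.levels, "default")
            for r in rules if r.author_role in author_roles]

def update_record_permissions(grants, author_roles, rules):
    """Model of the update action: defaults replaced, manual/process grants kept."""
    kept = [g for g in grants if g.source != "default"]
    return kept + default_grants(author_roles, rules)

def effective(user, user_roles, author, grants, is_admin=False):
    """Strongest level per operation; list order has no effect on the result."""
    if is_admin or user == author:
        return dict.fromkeys(OPS, DELEGATE)
    names = set(user_roles) | {user}
    hits = [g.levels for g in grants if g.grantee in names]
    return {op: max((lv[i] for lv in hits), default=NONE)
            for i, op in enumerate(OPS)}
```

With an empty grant list the model returns no access for anyone except the author and administrators, which is the state the note under step 3 describes for enabled but unconfigured record permissions.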