Hi,
I have a requirement where we will be having around 90 case types and I have groups for each case type (90 groups). I need to provide record level security for each case. For example: if I am part of the Address group I can see only address cases in the record. I am planning to use a security expression instead of a security rule since there are around 90 case types. I created an array constant containing all the groups with group type and also with the text type.
I was trying to use for each loop and query filters.
local!group constant contains all the 90 groups in group type
local!groupassignee constant contains all the 90 groups in text type.
Please suggest any approach where we can provide record level security for 90 cases.
Thank you
a!localVariables(
  local!group: cons!PSP_ALL_GROUPS,
  local!gropAssignee: cons!PSP_ALL_GROUP_TXT,
  if(
    a!forEach(
      items: local!gropAssignee,
      expression: a!queryLogicalExpression(
        operator: "AND",
        filters: a!queryFilter(
          field: 'recordType!{d04e87fb-d9c5-48ef-a7b6-e7c4e6c81462}PSP Case.fields.{c14f8be7-fd69-4376-9fec-07b1580b8fb6}assignee',
          operator: "=",
          value: fv!item,
          applyWhen: a!isUserMemberOfGroup(loggedInUser(), local!group[fv!index])
        ),
        logicalExpressions: a!queryLogicalExpression(
          operator: "OR",
          filters: {
            /*a!queryFilter(*/
            /*field:'recordType!{d04e87fb-d9c5-48ef-a7b6-e7c4e6c81462}PSP Case.fields.{c14f8be7-fd69-4376-9fec-07b1580b8fb6}assignee',*/
            /*operator: "=",*/
            /*value:fv!item,*/
            /*applyWhen: a!isUserMemberOfGroup(loggedInUser(),local!group[fv!index])*/
            /*),*/
            a!queryFilter(
              field: 'recordType!{d04e87fb-d9c5-48ef-a7b6-e7c4e6c81462}PSP Case.relationships.{ca74045f-3a4a-4284-86ae-a4d6d7744e45}status.fields.{d23ca31a-c9ef-4251-bd96-80178354dd3c}id',
              operator: "=",
              value: 1,
              applyWhen: a!isUserMemberOfGroup(loggedInUser(), local!group[fv!index])
            ),
            a!queryFilter(
              field: 'recordType!{d04e87fb-d9c5-48ef-a7b6-e7c4e6c81462}PSP Case.relationships.{ca74045f-3a4a-4284-86ae-a4d6d7744e45}status.fields.{d23ca31a-c9ef-4251-bd96-80178354dd3c}id',
              operator: "=",
              value: 2,
              applyWhen: a!isUserMemberOfGroup(loggedInUser(), local!group[fv!index])
            ),
            a!queryFilter(
              field: 'recordType!{d04e87fb-d9c5-48ef-a7b6-e7c4e6c81462}PSP Case.relationships.{ca74045f-3a4a-4284-86ae-a4d6d7744e45}status.fields.{d23ca31a-c9ef-4251-bd96-80178354dd3c}id',
              operator: "=",
              value: 3,
              applyWhen: a!isUserMemberOfGroup(loggedInUser(), local!group[fv!index])
            )
          }
        ),
      )
    ),
    true(),
    false()
  )
)
Did you consider storing the case type specific group ID on each case record and just using a simple security rule? That would be my go-to approach.
Will the group ID be the same in all environments, Stefan Helzle?
I am storing the assignee where the assignee will be a group. Previously there were only 6 case types and I provided the security based on the assignee. Now there are around 90 case types. I am trying to avoid providing the security for each case individually since it is a long process. With the group ID I am not sure how to achieve this.
Is there a possibility to create a table for the groups which contains Appian group IDs and have these IDs mapped in the Case Types? This would make things much easier and less complicated. But when moving it to the higher environment you will have to update the group IDs in the Group table by running a script.
Why is that important? You will not copy any data from DEV to TEST to PROD. And if you do, then let's talk about why you do that.
Wouldn't it be simpler to simply have a map that ties a group to a case type?
You can then create a Service Backed Record Type based on this map and then create a Relationship with the Case Record to retrieve the group for the Case Type and provide it in your rule.
I thought we would use group Ids as a lookup table to relate to particular case types
In my mind, case type and access group id are two completely different things, must be stored in separate fields and not be used for any other purpose.
Hello Mathieu Drouin. To construct the map we need to create 90 group constants, which we want to avoid. Please suggest the ideal way to validate that the logged-in user belongs to that group to filter out the records.
- Expose an API that exposes group IDs and associated UUIDs (use the getgroupuuid in People Functions plugin)
- Create a Service Backed Record type called Group based on that API
- Create a Database backed Record Type (Case_Type_Group) that maps a Case Type to a Group UUID (this would replace the case type / group map)
- Create a relationship between Case Type and the Case_Type_Group and another relationship between Case_Type_Group and Group
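
The mapping-table design suggested in the replies above, modelled outside Appian with SQLite as an added example (it is not code from the thread or from Appian). Table names, column names, group UUIDs and rows are all constructed; it shows the per-record check reduced to one join against the case-type-to-group map, with unmapped case types hidden by default.

```python
import sqlite3

# Constructed schema: names are assumptions, not Appian objects.
SCHEMA = """
CREATE TABLE case_type_group (
    case_type  TEXT PRIMARY KEY,   -- one access group per case type
    group_uuid TEXT NOT NULL       -- keyed by group UUID, as in the last reply
);
CREATE TABLE psp_case (
    id        INTEGER PRIMARY KEY,
    case_type TEXT NOT NULL
);
"""

def build_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO case_type_group VALUES (?, ?)",
                   [("ADDRESS", "uuid-address"), ("BILLING", "uuid-billing")])
    db.executemany("INSERT INTO psp_case VALUES (?, ?)",
                   [(1, "ADDRESS"), (2, "BILLING"), (3, "ADDRESS"),
                    (4, "UNMAPPED")])  # case type with no row in the map
    return db

def visible_case_ids(db, user_group_uuids):
    """Ids of cases whose case type maps to a group the user belongs to."""
    groups = list(user_group_uuids)
    if not groups:
        return []  # no memberships: nothing is visible
    # Only "?" markers are interpolated; the UUID values are bound parameters.
    marks = ",".join("?" for _ in groups)
    # INNER JOIN: a case type without a mapping row matches nothing,
    # so a newly added case type stays hidden until it is mapped.
    rows = db.execute(
        f"""SELECT c.id FROM psp_case c
            JOIN case_type_group m ON m.case_type = c.case_type
            WHERE m.group_uuid IN ({marks})
            ORDER BY c.id""", groups)
    return [r[0] for r in rows]

if __name__ == "__main__":
    print(visible_case_ids(build_db(), ["uuid-address"]))
```

Adding a 91st case type then means inserting one mapping row rather than another filter or constant.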