Dear all,
I don't remember where, but I think I heard in a product webinar or at Appian World that you can apply security on a single row of a record. Please can someone confirm this? And if this is true, where can I configure this feature?
Thanks
Row-level security can be implemented by having a value from your App select/filter data by a correlating piece of data in your row, e.g. if you marked a row with a UserId that is the same as the User Accounts in Appian, you could add a default filter to only select data where that UserId was the same as the loggedInUser(). Other data could be used but the principle would be the same - can you select a data item in Appian that correlates with a data item in the database.
Hmmm, is there a document on this or a step by step guide?
Not that I am aware of. But I think if you sat down and thought about it you'd easily solve this. Security in this context means 'Authorisation' (since you've already been Authenticated). So for your specific Use Case what is it that means some Users can see some rows and others cannot?
What "security" for a single row of a record are you thinking of? Could you describe your general use case a bit more?
There is an employees record and we're looking to filter out a number of rows from being viewed by most users. For example, only director level employees can see rows of data for other director level employees. Everyone else can see every other row.
In that case I think your best bet is to create an expressionized default filter where the current user's permissions are taken into account when deciding which filter(s) to apply.
Yes,
This does the trick.
In the past I thought the approach described in these comments, as well as in the playbook https://community.appian.com/w/the-appian-playbook/207/record-level-security-for-entity-backed-records#ExampleApp1, used to limit not only users from seeing the record instance on the record grid, but would also throw an error if they navigated to the record instance via URL. I just tried this in 21.1 and it allowed me to view the record instance. Did something change?
Is there another approach that could be taken that would truly limit visibility to a record instance via an expression, and not just filter what is in the record grid list? If the user has a bookmark of the record link, or if the system has a record link outside of the record grid, then they can still hit the record.
The playbook article should provide a solution that limits users' access, even if they navigate via URL. Did you see a change in behavior from a version prior to 21.1 after you upgraded to 21.1? Also, can you provide more context on how you configured your record-level security?
I'm not able to reproduce that behavior of being able to access a record that is not visible via default filters. In my 21.1 instance, I still see the earlier behavior of an error when a record is not accessible via default filters (and it does not appear in the grid), which is what I would expect.
1) Accessed a record summary for process #1, saved the link
2) Updated default filters to exclude process #1
3) Refreshed the record, #1 disappeared as expected
4) Pasted the saved link into a new browser tab, received the error below as expected
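
The rule discussed in this thread (director rows visible only to directors, with the same check applied to saved links as to the grid) can be modelled outside Appian. The following is an added example, not part of the original thread and not Appian configuration; it is a plain Python model with constructed sample data, and every name in it (`Employee`, `default_filter`, `list_records`, `get_record`, `RecordAccessError`) is hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Employee:
    id: int
    username: str
    level: str  # "director" or "staff"

# Constructed sample rows; usernames and levels are made up for illustration.
EMPLOYEES = [
    Employee(1, "alice", "director"),
    Employee(2, "bob", "director"),
    Employee(3, "carol", "staff"),
    Employee(4, "dave", "staff"),
]
BY_USERNAME = {e.username: e for e in EMPLOYEES}

class RecordAccessError(Exception):
    """Raised when a row is missing or excluded by the viewer's filter."""

def default_filter(viewer: str):
    """Build the row predicate for the logged-in user."""
    me = BY_USERNAME.get(viewer)
    is_director = me is not None and me.level == "director"
    # Directors see every row; everyone else sees only non-director rows.
    return lambda row: is_director or row.level != "director"

def list_records(viewer: str):
    """Grid view: ids of the rows that pass the viewer's filter."""
    allowed = default_filter(viewer)
    return [e.id for e in EMPLOYEES if allowed(e)]

def get_record(viewer: str, record_id: int):
    """Direct link or bookmark: re-evaluate the same filter for this viewer."""
    allowed = default_filter(viewer)
    for e in EMPLOYEES:
        if e.id == record_id and allowed(e):
            return e
    # Same error for "does not exist" and "filtered out", so the response
    # does not reveal whether a hidden row exists.
    raise RecordAccessError(f"record {record_id} is not available")
```

The point of the model is that `get_record` does not trust the id in the link: it applies the same predicate as the grid, which is the behaviour the four test steps above check for.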