3. Managed By
● Groups
● Access Control
● Field Access
● Record Rules
● Workflow Transition Rules
4. Groups
● The functional roles of a user in an
organization
○ A user can belong to any number of groups.
○ A user has access to all permissions granted to any of
its groups.
5. Access Control
● Each access control has a model
● It grants permissions
○ create
○ read
○ write (edit/update)
○ delete
● Optionally to a group.
○ no group: applies to all users
○ group: applies to the members of that group
● Access controls are additive.
6. Field Access
● Managed by attribute “groups” providing a list of groups
(as a comma-separated string of external identifiers).
● Applies to almost all tags, such as
○ </field>
○ </button>
○ </groups>
○ </page>
○ …
e.g:
7. Record Rules
● Conditions that records must satisfy for an
operation.
● It is applied record-by-record after access
control has been applied.
● Come in two kinds: global rules and group rules.
8. Record Rules
● Components
○ A model
○ A set of permissions to which it applies.
■ e.g. if perm_read is set, the rule will only be
checked when reading a record.
○ A set of user groups (no group means global).
○ A domain, used to check whether a given record matches the rule.
■ matches: is accessible
■ does not match: is not accessible
9. Record Rules
● Global rules are subtractive.
○ Must all be matched for a record to be accessible.
● Group rules are additive.
○ If any of them matches (and all global rules match)
then the record is accessible
Note: This means the first group rule restricts access, but
any further group rule expands it, while global rules can
only ever restrict access (or have no effect).
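The combination logic from the Record Rules slides, as an added Python example (not Odoo's own code): `Rule`, `is_accessible`, the group names and the sample users are hypothetical and constructed for illustration. It assumes that when no group rule applies to a user, only the global rules restrict access.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

ALL_PERMS = frozenset({"read", "write", "create", "delete"})

@dataclass(frozen=True)
class Rule:
    domain: Callable[[dict, dict], bool]  # (record, user) -> True if it matches
    group: Optional[str] = None           # None means a global rule
    perms: FrozenSet[str] = ALL_PERMS     # operations the rule is checked for

def is_accessible(record, user, operation, rules):
    """Combine record rules: global rules ANDed, group rules ORed."""
    active = [r for r in rules if operation in r.perms]
    global_rules = [r for r in active if r.group is None]
    group_rules = [r for r in active if r.group in user["groups"]]
    # Global rules are subtractive: every one of them must match.
    if not all(r.domain(record, user) for r in global_rules):
        return False
    # Assumption: with no group rule for this user, only globals restrict.
    if not group_rules:
        return True
    # Group rules are additive: a single match is enough.
    return any(r.domain(record, user) for r in group_rules)

# Constructed sample rules (hypothetical groups "sales_user", "sales_manager").
RULES = [
    Rule(lambda rec, usr: rec["company"] == usr["company"]),               # global
    Rule(lambda rec, usr: not rec["locked"], perms=frozenset({"write"})),  # global, write only
    Rule(lambda rec, usr: rec["owner"] == usr["name"], group="sales_user"),
    Rule(lambda rec, usr: True, group="sales_manager"),
]
dave = {"name": "dave", "company": "A", "groups": {"sales_user"}}
bob = {"name": "bob", "company": "A", "groups": {"sales_user", "sales_manager"}}
carol = {"name": "carol", "company": "B", "groups": {"sales_manager"}}
alices_order = {"owner": "alice", "company": "A", "locked": True}

def demo():
    return {
        "dave_read": is_accessible(alices_order, dave, "read", RULES),
        "bob_read": is_accessible(alices_order, bob, "read", RULES),
        "bob_write": is_accessible(alices_order, bob, "write", RULES),
        "carol_read": is_accessible(alices_order, carol, "read", RULES),
    }

if __name__ == "__main__":
    print(demo())
```

Bob's second group expands what the first group rule allowed, while the write-only global rule and the company rule can only take access away.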
11. Workflow Transition Rules
● Workflow transitions can be restricted to a
specific group.
● Users outside the group cannot trigger the
transition.