Creating or modifying security labels in record definitions to define hierarchy

You can define hierarchy in an organization by using security labels. Security labels protect database tables at the row level by assigning different levels of security. Only those users with the appropriate permissions can access the row data. After you create a security label, a separate column of the security label is added to the database. For example, in a car dealership company, you create security labels like car type, sales group, or dealership, and only the users with the appropriate security classification are allowed access to the relevant data.

You can define the following relationships within the security labels:

Ancestor: A parent or top-level group within the hierarchy, with one or more subgroups associated with it. Only the ancestor security label's groups can access the record and record field data of the security label's groups.
Descendant: A child group within the hierarchy, that is attached to a parent group. Only the descendant security label's groups can access the record and record field data of the security label's groups.

The following image provides information about the steps involved in creating security labels:

You use the Records designer in BMC Helix Innovation Studio to create the security labels for a record definition. You can create security labels for regular record definitions or for join record definitions. The creation of security labels is a part of creating different types of definitions to customize your application. For more information, see Creating the definitions for a tailorable Digital Service application.

Note

Application business analysts can customize the objects developed in their own applications and that are marked customizable by the developers, but cannot customize the objects developed in com.bmc.arsys. For example, objects in core BMC applications like Foundation, Approval, and Assignment cannot be customized.

The following table describes the steps of creating a hierarchical group in BMC Helix Innovation Studio by using security labels:

Stage	Task
1	Create security labels for regular record definitions or for join record definitions.
2	Assign permissions to the security labels such that only the specified user group or role can access the record field data.
3	Configure the security label for a rule or a process.

Before you begin

Ensure that you have the following items:

A project for the Digital Service application is created, and the application is deployed to the server. After completing this task, you can view and customize the application in BMC Helix Innovation Studio. For more information, see Setting up the environment to develop a code-based application.
A unique name is used for the security label. Security labels with a duplicate name cannot be created.

To create security labels for regular record definitions

You can create a security label for a regular record definition. A regular record is a record definition that is not a combination of multiple record definitions.

Log in to the BMC Helix Innovation Studio, navigate to the Workspace tab, and select the application.
On the Records tab, navigate to the record definition for which you want to create the security labels.
Click the Settings icon ()in the Properties pane on the right side and in the Security Labels section, click Add/Remove Security labels.
The Add/Remove Security Labels dialog box appears.
In the Security Label field, enter a unique name for the security label and click Add.
To specify a security label as an ancestor or descendant, perform the following steps:
1. From the Security Labels area, click the Settings icon () beside the security label that you want to modify.
  The security label appears in the Security Labels area. You must create the security label first and then assign the label as an ancestor or descendant.
2. To specify an ancestor for the security label, select the required security label from the Ancestors Security Label list.
  Note
  
  The label is autopopulated with the ancestors of the Security Label's groups. An ancestor security label can be attached to only one descendant security label.
3. To specify a descendant for the security label, select the required security label from the Descendants Security Label list.
  Note
  
  The label is autopopulated with the ancestors of the Security Label's groups. A descendant security label can be attached to only one ancestor security label.
4. Click Update.
For example, see the following image:
Specify the rest of the properties for the record definition, such as add record fields, specify an index, export the record data, and so on. For more information, see Creating or modifying regular record definitions.
Click Save.

Notes

When you create a new record definition and add security labels, the security labels are added to the Display ID field permissions. You can change or remove the permission of the Display ID field as per your requirements.
When you inherit a record definition selecting the options Core Fields and Field permissions, the Display ID field has the same security labels as that of the base record definition. For other record definition inheritance options, the security labels in base record definition are not added in the inherited record definition Display ID field permissions.
Ancestor or descendant groups can access the record instances even after the hierarchy of security labels is removed. To restrict the access, you must remove the ancestor or descendant security labels from the Display ID permissions list of the record definition.

To create security labels for join record definitions

You can create security labels for join record definitions. A join record definition is a combination of data that is retrieved from multiple record definitions. Join record definitions are similar to database joins.

Log in to BMC Helix Innovation Studio.
Create a join record definition. For more information about how to create a join record definition, see Creating join record definitions.
Click the Settings icon () in the Properties pane on the right side and in the Security Labels section, click Add/Remove Security labels.
In the Add/Remove Security Labels dialog box, select the security labels to include in the join record definition and click Save.
The following image shows the Add/Remove Security Labels dialog box:
On the Workspace tab, navigate to the application for which you need to create the join record.
On the Records tab, click New and select Join Record.
The Create New Join Record window appears.

On the Record Definitions tab, specify the properties for the record definition.

The following table provides information about the properties:

Field

Description

Primary record

The main record for combining the data.

Secondary record

The secondary record for combining the data.

Join type

The type of join for the record definition. You can select either of the join record types:

Inner join—Selects entries only when corresponding values exist in both records.
Outer join—Includes all of the entries from the record that you select as primary records, even entries that do not have a matching entry in the secondary record.

A join record is created that contains the security labels of the multiple record definitions.

To assign permissions for security labels

To ensure that the record field data can be accessed by only those groups that are attached to the security label, you must assign appropriate permissions to a record field.

Assigning permission to security labels is similar to assigning permissions to groups. When assigning permission to a record field, the available security labels are listed alphabetical order. All security labels (ancestors and descendants) are listed at the same level.

Perform the following steps to assign permissions for security labels:

Select the record field for which you want to assign permissions.
In the Properties pane on the right side, click Edit beside the Permissions area.

In the Edit Permissions dialog box, click Add Permission and specify the properties for the record definition.

The following table provides information about the properties:

Field

Description

Type

Specify whether the permission is to be granted to a role or a group.

Group

Select the group or the role that should be able to access the record field, and then specify any one of the following access types:

View: Users can only view the record field data.
Change: Users can view and change the record field data.

The following image shows an example of how you can set the permissions for a security label:

Save the changes.

After you assign permissions for security labels, only those user groups or roles can view or change the record field data.

To configure the security labels in rules and processes

In the Rule designer and Process designer, an action (Palette > Records > Set Security Label) is available to populate the security label field. You can use this action to set the security labels.

For more information about how to set the security label in the Process designer, see Creating or modifying record instances using Record Service Tasks. For more information on how to set the security label in the Rule designer, see Adding rules to validate data or trigger events in a process.

To modify the existing security labels

You can modify an existing security label to enforce the appropriate permissions, for example, if there is any change in the organization structure.

Log in to BMC Helix Innovation Studio and navigate to the Workspace tab.
Select the application for which you want to modify the security label.
Navigate to Records and select the record definition that you want to update.
Click the Settings icon () in the Properties pane on the right side and in the Security Labels section, click Add/Remove Security labels.
In the Security Label field, enter a unique name for the security label and click Add.
To specify a security label as an ancestor or descendant, perform the following steps:
1. From the Security Labels area, click the Settings icon () beside the security label that you want to modify.
  The security label appears in the Security Labels area.
2. To specify an ancestor for the security label, select the required security label from the Ancestors Security Label list.
  Note:
  
  The label is autopopulated with the ancestors of the Security Label's groups. An ancestor security label can be attached to only one descendant security label.
3. To specify a descendant for the security label, select the required security label from the Descendants Security Label list.
  Note:
  
  The label is autopopulated with the descendants of the Security Label's groups. A descendant security label can be attached to only one descendant security label.
4. Click Update.
For example, see the following image:
Save the record definition.

After you add the labels, you can use the labels in the Rule designer and Process designer.