Enabling row level security by defining security labels
Security labels enable row-level security. Security labels define a series of groups that can be given access to record instances using a rule or a process. They add view and edit restrictions to record instances and fields. You can create security labels using the Record designer.
When you create a security label in a record definition, a separate column for the security label is added to the database. You can use the security label as a group when assigning permissions to a field, or set the security labels through processes and rules.
Application business analysts can customize objects that are developed in their own applications and marked customizable by the administrator, but cannot customize objects developed in com.bmc.arsys in Best Practice Customization mode. For example, objects in core BMC applications like Foundation, Approval, and Assignment cannot be customized in Best Practice Customization mode.
To create a security label
- Log in to the BMC Helix Innovation Studio, navigate to the Workspace tab, and select the application.
- On the Records tab, navigate to the record definition for which you want to create the security labels.
- Click the icon in the Properties pane on the right side and in the Security Labels section, click Add/Remove Security labels.
In the Add/Remove Security Labels window, enter the values for the following fields:
| Field | Description |
|---|---|
| Security Label | Enter the name of the security label. |
| Ancestors Security Label | Select the security label that you want to assign as the parent security label. This creates a hierarchy of security labels that is used for permissions inheritance. |
| Descendants Security Label | Select the security label that you want to assign as a child security label. This creates a hierarchy of security labels that is used for permissions inheritance. |
| External Field | External record ID field is applicable only for the external record definitions. Defines the external record field name. Selecting the value for this field automatically populates the External Field ID field. External fields in the External Record Definition are not available for selection as security label fields. |
| External Field ID | External record ID field is applicable only for the external record definitions. Maps the External Field ID to the Security Label and stores the security label data in the external data source. Selecting the value for this field automatically populates the External Field field. Note: External fields in the External Record Definition are not available for selection as security label fields. When designing an external record definition, if you want to enable security labels, add the fields that store the security labels to the external record definition. |
To add more security labels, repeat this step.
- Save the changes and save the record definition.
After you add the labels, you can use the labels in the Rule designer and Process designer.
- When you create a new record definition and add security labels, the security labels are added to the Display ID field permissions. You can change or remove the permission of the Display ID field as per your requirements.
- Ensure that you do not delete the security labels of a customizable record definition.
- When you inherit a record definition and select the Core Fields and Field permissions options, the Display ID field has the same security labels as the base record definition. For other record definition inheritance options, the security labels in the base record definition are not added to the Display ID field permissions of the inherited record definition.
Parent security labels and permission inheritance
A parent security label allows permissions inheritance. A parent security label can have one child security label, and each child security label can have only one parent security label. A child security label can also have a child security label of its own, forming a multilevel hierarchy. In a multilevel hierarchy, assigning permission to a child security label grants access to all ancestor security labels, such as the parent security label of a parent security label.
For example, in the following image, the security label named Parts Supplier is a parent of the Dealer A security label and an ancestor of the Shop A1 security label.
Security label hierarchy
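Because a permission granted to a child label also reaches every ancestor label, it helps to expand a planned grant to its full effective set before applying it. The following Python model is an added example, not BMC Helix Innovation Studio code and not a product API; the class and method names are hypothetical, and it uses the Parts Supplier, Dealer A, and Shop A1 hierarchy from the text.

```python
# Added illustration: a stand-alone model of the inheritance rule described
# above. It calls no BMC Helix Innovation Studio API; all names are hypothetical.

class LabelHierarchy:
    """Security labels where each label has at most one parent and one child."""

    def __init__(self):
        self.parent = {}   # child label -> parent label
        self.child = {}    # parent label -> child label

    def link(self, parent, child):
        # Enforce the one-parent / one-child rule stated in the text.
        if child in self.parent:
            raise ValueError(f"{child!r} already has parent {self.parent[child]!r}")
        if parent in self.child:
            raise ValueError(f"{parent!r} already has child {self.child[parent]!r}")
        # Reject a link that would make a label its own ancestor.
        if parent == child or child in self.ancestors(parent):
            raise ValueError(f"linking {parent!r} -> {child!r} creates a cycle")
        self.parent[child] = parent
        self.child[parent] = child

    def ancestors(self, label):
        """Parent, grandparent, ... of a label, nearest first."""
        chain = []
        while label in self.parent:
            label = self.parent[label]
            chain.append(label)
        return chain

    def effective_labels(self, granted):
        """Labels that end up with access when `granted` labels get permission."""
        result = set()
        for label in granted:
            result.add(label)
            result.update(self.ancestors(label))
        return result


def build_example():
    # Hierarchy from the page: Parts Supplier > Dealer A > Shop A1.
    h = LabelHierarchy()
    h.link("Parts Supplier", "Dealer A")
    h.link("Dealer A", "Shop A1")
    return h
```

Granting a permission to Shop A1 in this model yields Shop A1, Dealer A, and Parts Supplier, while granting it to Parts Supplier yields only Parts Supplier.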
Using security labels in setting permissions
When you assign the permissions to a field in a record definition, the security labels are listed as a section of available groups. All the security labels for the record definition are listed in alphabetical order by name. The parent and child labels are listed at the same level. You can use the security labels like groups for assigning permissions.
The following image shows a sample Edit Permissions screen:
Setting the security labels in rules and processes
In the Rule designer and Process designer, an action is available to populate the security label field. You can use this action to set the security labels.
|Setting the security label in Process designer||Providing access to record instances by defining security labels|
|Set the security label in Rule designer||Working with rule definitions|