Creating or modifying security labels in record definitions to define hierarchy

You can define a hierarchy in an organization by using security labels. Security labels protect database tables at the row level by assigning different levels of security. Only the users with the appropriate permissions can access the row data. After you create a security label, a separate column of the security label is added to the database. For example, in a car dealership company, you create security labels like car type, sales group, or dealership, and only the users with the appropriate security classification can access the relevant data. 

Related topics

Enabling-row-level-security-by-defining-security-labels

Creating-the-definitions-for-a-tailorable-application

You can define the following relationships within the security labels:

  • Ancestor: A parent or top-level group within the hierarchy, with one or more subgroups associated with it. Only the ancestor security label's groups can access the record and record field data of the security label's groups. 
  • Descendant: A child group within the hierarchy that is attached to a parent group. Only the descendant security label's groups can access the record and record field data of the security label's groups. 

The following image provides information about the steps involved in creating security labels:

22_1-Security_label_infographic.jpg

Use the Records designer in BMC Helix Innovation Studio to create the security labels for a record definition. You can create security labels for regular record definitions or join record definitions. Creating security labels is a part of creating different types of definitions to customize your application. For more information, see Creating-the-definitions-for-a-tailorable-application.

Important

Application business analysts can customize the objects developed in their applications and that are marked customizable by the administrator, but cannot customize the objects developed in com.bmc.arsys in Best Practice Customization mode. For example, objects in core BMC applications like Foundation, Approval, and Assignment cannot be customized in Best Practice Customization mode. For more information, see Customization-layer.

The following table describes the steps of creating a hierarchical group in BMC Helix Innovation Studio by using security labels: 

Stage

Task

Reference

1

Create security labels for regular records or join record definitions.

2

Assign permissions to the security labels such that only the specified user group or role can access the record field data.

3

Configure the security label for a rule or a process.

Before you begin

Make sure you complete the following steps:

  • Create and deploy a project for the Digital Service application to BMC Helix Innovation Studio. After completing this task, you can view and customize the application in BMC Helix Innovation Studio. For more information, see Setting-up-the-environment-to-develop-a-code-based-application.
  • Use a unique name for the security label. You cannot create security labels with a duplicate name. 

To create security labels for regular record definitions

You can create a security label for a regular record definition. A regular record is a record definition that is not a combination of multiple record definitions. 

  1. Log in to the BMC Helix Innovation Studio, navigate to the Workspace tab, and select the application.
  2. On the Records tab, select the record definition for which you want to create the security labels.
  3. Click the Edit Edit icon.pngin the Properties pane on the right side and in the Security Labels section, click Add/Remove Security labels.The Add/Remove Security Labels dialog box appears.
    22_1_Add_remove_security_label.png
  4. In the Security Label field, enter a unique name for the security label, and click Add.

  5. To specify a security label as an ancestor or descendant, perform the following steps:

    1. From the Security Labels area, click the Edit Edit icon.png beside the security label that you want to modify.The security label appears in the Security Labels area. You must create the security label first and then assign the label as an ancestor or descendant.

    2. To specify an ancestor for the security label from the Ancestors Security Label list, select the required security label.

      Important

      The label is auto-populated with the ancestors of the Security Label's groups. Therefore, an ancestor security label can be attached to only one descendant security label.

    3. To specify a descendant for the security label from the Descendants Security Label list, select the required security label.

      Important

      The label is auto-populated with the ancestors of the Security Label's groups. Therefore, a descendant security label can be attached to only one ancestor security label.

    4. Click Update.


  6. Specify the rest of the properties for the record definition, such as adding record fields, specifying an index, exporting the record data, and so on. For more information, see Creating-or-modifying-regular-record-definitions
  7. Click Save.

Important

  • When you create a new record definition and add security labels, the security labels are added to the Display ID field permissions. You can change or remove the permission of the Display ID field according to your requirements.
  • When you inherit a record definition by selecting the options Core Fields and Field permissions, the Display ID field has the same security labels as that of the base record definition. For other record definition inheritance options, the security labels in the base record definition are not added to the inherited record definition Display ID field permissions.
  • Ancestor or descendant groups can access the record instances even after removing the hierarchy of security labels. To restrict access, you must remove the ancestor or descendant security labels from the Display ID permissions list of the record definition.

To create security labels for join record definitions

You can create security labels for join record definitions. A join record definition is a combination of data that is retrieved from multiple record definitions. Join record definitions are similar to database joins.

  1. Log in to the BMC Helix Innovation Studio, navigate to the Workspace tab, and select the application.
  2. On the Records tab, select the record definition for which you want to create the security labels.
  3. Create a join record definition. For more information about how to create a join record definition, see Creating-join-record-definitions.
  4. Click the Edit Edit icon.pngin the Properties pane on the right side and in the Security Labels section, click Add/Remove Security labels.

  5. In the Add/Remove Security Labels dialog box, select the security labels to include in the join record definition, and click Save.
    The following image shows the Add/Remove Security Labels dialog box:

    22_1_Create_security_label_join_record_definition.PNG

  6. On the Workspace tab, navigate to the application for which you need to create the join record.
  7. On the Records tab, click New and select Join Record.
    The Create New Join Record window appears.

  8. On the Record Definitions tab, specify the properties for the record definition.

    The following table provides information about the properties:

    Field

    Description

    Primary record

    The main record for combining the data.

    Secondary record

    The secondary record for combining the data.

    Join type

    The type of join for the record definition. You can select either of the join record types:

    • Inner join—Selects entries only when corresponding values exist in both records.
    • Outer join—Includes all of the entries from the record that you select as primary records, even entries that do not have a matching entry in the secondary record.

    A join record contains the security labels of the multiple record definitions.

To assign permissions for security labels

You must assign appropriate permissions to a record field to make sure that only those groups that are attached to the security label can access the record field data.

Assigning permission to security labels is similar to assigning permissions to groups. When assigning permission to a record field, the available security labels are listed in alphabetical order. All security labels (ancestors and descendants) are listed at the same level. 

Perform the following steps to assign permissions for security labels:

  1. Select the record field for which you want to assign permissions.
  2. In the Properties pane on the right side, click Edit beside the Permissions area.

  3. In the Edit Permissions dialog box, click Add Permission and specify the properties for the record definition.The following table provides information about the properties:

    Field

    Description

    Type

    Specify whether the permission is to be granted to a role, group, or security label.

    Group

    Select the group or the role that should be able to access the record field, and then specify any one of the following access types:

    • View: Users can only view the record field data.
    • Change: Users can view and change the record field data.

    The following image shows an example of how you can set the permissions for a security label:

    22_1_Edit_permission_roles_groups.png

  4. Save the changes.

The users that have the permissions based on the set criteria can view or change the record field data.

To configure the security labels in rules and processes

In the Rule designer and Process designer, an action (Palette > Records > Set Security Label) is available to populate the security label field. You can use this action to set the security labels.  

For more information about how to set the security label in the Process designer, see Creating-or-modifying-record-instances-using-Record-Service-Tasks. For more information about how to set the security label in the Rule designer, see Adding-rules-to-validate-data-or-trigger-events-in-a-process  

To modify the existing security labels

You can modify an existing security label to enforce the appropriate permissions; for example, if there is any change in the organization structure.

  1. Log in to BMC Helix Innovation Studio and navigate to the Workspace tab.
  2. Select the application for which you want to modify the security label.
  3. Navigate to Records and select the record definition that you want to update.
  4. In the Properties pane on the right side, click the Edit Edit icon.png, and in the Security Labels section, click Add/Remove Security labels.
    22_1_Add_remove_security_label_1.png
  5. In the Security Label field, enter a unique name for the security label and click Add.

  6. To specify a security label as an ancestor or descendant, perform the following steps:

    1. From the Security Labels area, click the Settings icon Edit icon.png beside the security label that you want to modify.The security label appears in the Security Labels area.

    2. To specify an ancestor for the security label, select the required security label from the Ancestors Security Label list. 

      Important

      The label is auto-populated with the ancestors of the Security Label's groups. Therefore, an ancestor security label can be attached to only one descendant security label.

    3. To specify a descendant for the security label, select the required security label from the Descendants Security Label list.

      Important

      The label is auto-populated with the descendants of the Security Label's groups. Therefore, a descendant security label can be attached to only one descendant security label.

    4. Click Update.


  7. Click Save.

After you add the labels, you can use the labels in the Rule designer and Process designer.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*