Enabling row-level security by defining security labels


Security labels are used to enable row-level security. Security labels define a series of groups that can access record instances by using a rule or a process. They add view and edit restrictions to record instances and fields. You can create security labels by using the Record designer.

When you create a security label in a record definition, a separate column for the security label is added to the database. You can use the security label as a group when assigning permissions to a field, or set security labels through processes and rules.

Important

Application business analysts can customize the objects developed in their own applications and that are marked customizable by the administrator, but cannot customize the objects developed in com.bmc.arsys in Best Practice Customization mode. For example, objects in core BMC applications like Foundation, Approval, and Assignment cannot be customized in Best Practice Customization mode. For more information, see Customization-layer.

To create a security label

  1. Log in to the BMC Helix Innovation Studio, navigate to the Workspace tab, and select the application.
  2. On the Records tab, navigate to the record definition for which you want to create the security labels.
  3. Click the Edit icon in the Properties pane on the right side, and in the Security Labels section, click Add/Remove Security labels.
  4. In the Add/Remove Security Labels window, enter the values for the following fields:

    Field
        Description

    Security Label
        Enter the name of the security label.

    Ancestors Security Label
        Select the security label you want to assign as the parent security label. This creates a hierarchy of security labels that is used for permissions inheritance.

    Descendants Security Label
        Select the security label you want to assign as a child security label. This creates a hierarchy of security labels that is used for permissions inheritance.

    External Field
        The external record ID field is applicable only for the external record definitions.

        Enter the external record field name.

        Selecting the value for this field automatically populates the External Field ID field. The external fields in the External Record Definition are not available for selection as security label fields.

    External Field ID
        The external record ID field is applicable only for the external record definitions.

        Maps the External Field ID to the Security Label and stores the security label data in the external data source. Selecting the value for this field automatically populates the External Field field.

        Important: The external fields in the External Record Definition are not available for selection as security label fields. While designing an external record definition, if you want to enable a security label, the field that stores the security label must be added to the external record definition.

    To add more security labels, repeat this step.

  5. Save the changes and save the record definition.

After you add the labels, you can use the labels in the Rule designer and Process designer.

Important

  • When you create a new record definition and add security labels, the security labels are added to the Display ID field permissions. You can change or remove the permission of the Display ID field as per your requirements.
  • Make sure you do not delete the security labels of a customizable record definition.
  • When you inherit a record definition by selecting the options Core Fields and Field permissions, the Display ID field has the same security labels as that of the base record definition. For other record definition inheritance options, the security labels in base record definition are not added in the inherited record definition Display ID field permissions.

Parent security labels and permission inheritance

The parent security label allows permissions inheritance. A parent security label can have one child security label, and each child security label can only have one parent security label. A child security label can also have a child security label of its own, forming a multilevel hierarchy. In a multilevel hierarchy, assigning permission to a child security label grants access to all ancestor security labels, such as the parent security label of a parent security label.

For example, in the following image, the security label named Parts Supplier is a parent to the Dealer, and an ancestor to Shop A1 security label:

[Image: Security label hierarchy]
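
The inheritance rule above can be checked with a small model. This is an added example, not BMC code and not a product API; the class and function names are hypothetical, and it assumes Shop A1 sits directly under Dealer. It shows which labels gain access when a permission names a label low in the hierarchy, which is the set to review before granting.

```python
# Added illustration: a toy model of the inheritance rule described above.
# It is not BMC Helix Innovation Studio code and calls no product API.

class LabelHierarchy:
    def __init__(self):
        self.parent = {}  # child label -> its single parent
        self.child = {}   # parent label -> its single child

    def _walk(self, label, edges):
        """Follow one-to-one links from `label` until the chain ends."""
        chain = []
        while label in edges:
            label = edges[label]
            chain.append(label)
        return chain

    def ancestors(self, label):
        return self._walk(label, self.parent)

    def descendants(self, label):
        return self._walk(label, self.child)

    def link(self, parent, child):
        """Add parent -> child, enforcing one parent and one child per label."""
        if child in self.parent:
            raise ValueError(f"{child!r} already has a parent")
        if parent in self.child:
            raise ValueError(f"{parent!r} already has a child")
        if parent == child or parent in self.descendants(child):
            raise ValueError("link would create a cycle")
        self.parent[child] = parent
        self.child[parent] = child

    def effective_access(self, granted):
        """Labels that end up with access when a permission names `granted`."""
        effective = set(granted)
        for label in granted:
            effective.update(self.ancestors(label))
        return effective

    def implicit_access(self, granted):
        """Labels that gain access only through inheritance (review these)."""
        return self.effective_access(granted) - set(granted)


def build_example():
    # Assumed chain: Parts Supplier -> Dealer -> Shop A1 (Shop A1 directly under Dealer).
    h = LabelHierarchy()
    h.link("Parts Supplier", "Dealer")
    h.link("Dealer", "Shop A1")
    return h
```

Granting a field permission to Shop A1 in this model yields access for Dealer and Parts Supplier as well, while granting it to Parts Supplier yields access for that label only.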

Using security labels in setting permissions

When you assign the permissions to a field in a record definition, the security labels are listed as a section of available groups. All the security labels for the record definition are listed in alphabetical order by name. The parent and child labels are listed at the same level. You can use the security labels like groups for assigning permissions.

The following image shows a sample Edit Permissions screen:

[Image: Security labels in permissions]

Setting the security labels in rules and processes

In the Rule designer and Process designer, you can set an action to populate the security label field. 

Set the security label in Process designer

Set the security label in Rule designer

 
