Field permissions

Field permissions determine the types of access that groups or roles have for individual fields in a form:

  • View—Users can read the contents of the field.
  • Change—Users can read and write the contents of the field.

If neither permission is selected, members of the group or role cannot view or change the field.

Related topics

Access-control-overview

User-and-group-access

Groups and roles are defined with maximum View or Change permissions, as explained in Defining-default-permissions and in the Field permissions example. Groups or roles with maximum View permission can never be assigned Change permission for a field; groups or roles with maximum Change permission can be assigned Change, View, or no permission for a field.

If the form, active link guide, or application is configured to allow static permissions inheritance, the parent groups also inherit the permissions. For example, if you grant permission to a form that is part of a group, the same permission is granted automatically to all the parent groups in that group.

Similarly, when you map a role to a group, the role permissions for the application also apply to any ancestors of the mapped group.

Users must belong to a group or role with permission to view a form's Request ID field (core field 1), or they cannot access any information from that request. After you grant access to a group or role, to the Request ID field or to any field in the form, the user does not automatically have access to the form or to the workflow attached to the field. You must grant permissions to each object individually.

In a Set Fields operation, the active links are executed according to the permissions of the user. The field values that are set through an active link are updated only if the user has permission to change the field and the retrieved values must be accessible by the user.

For more information, see Defining-Set-Fields-actions-to-assign-values-based-on-conditions.

The following flowchart lists the questions to help you determine the access that users have to fields in AR System. 

221_Field permissions.png

Advanced data fields

Advanced data fields require you to set permissions at various levels. The advanced data field types are table fields, panel fields, and attachment pools. For example, a panel field consists of three levels, each requiring consistent permission settings: the panel holder, the panel, and the fields on the panel (so the user can see the complete panel set). See Fields-overview for more information about the following advanced fields.

Properties of table field permissions

Table field permissions are set in the same way as button field permissions, with the exception that you must set permissions at four levels. You must grant or deny a user access to the following properties in a table:

  • Table field
  • Columns in the table
  • Form from which rows are drawn
  • Fields from which each column draws its data

The following examples explain the permission hierarchy:

  • If a user does not have permission to view any columns, the field or list appears blank in the user client.
  • If a user does not have permission to access a field in the supporting form that contains column data, a blank cell appears.
  • If the user has no permission to access any of the cells in a row, the row is not displayed.

Properties of panel field permissions

Panel field permissions are set at three levels. You must grant or deny a user access to the following properties:

  • The panel holder
  • Each panel in the panel holder
  • Each field in each panel

To see an individual field (the lowest level of the permission hierarchy), the user must have permission to the upper levels of the hierarchy--that is, to the panel holder and the individual panels.

Properties of attachment pool permissions

For the attachment pool field and attachment field permissions, you must grant or deny a user access to both. To see an individual attachment field, the user must have permission to the attachment pool field. If a user does not have permission to view any attachment fields, the attachment pool appears blank in the user client.

Special submit setting

By using a special submit setting, a user can submit a new request without Change permission for data and attachment fields that require a value.

To use this feature, set the Allow Any User to Submit property to Yes for each applicable field.

If you set the Allow Any User to Submit property is to No and the field requires a you to enter a value, then a user must have a Write license and must belong to a group with Change permission for the field to submit a request. 

For more information about using this feature, see Defining-default-permissions and Assigning-permissions-for-individual-or-multiple-objects.

Field permissions example

The following example lists three groups: Browser, CS Staff, and Sales Staff. These groups have different maximum View or Change permissions, as explained in Defining-default-permissions.

John is a member of the CS Staff group and the Browser group. Although membership in the Browser group alone does not allow him to change the field, he can change it because of his group permission in the CS Staff group. When a user belongs to more than one group with different permissions to a field, the user has the highest level of permission granted by a group to which the user belongs.

Alice is a member of the Sales Staff group, which has maximum permission of Change. However, at the field level, members of the Sales Staff group can only view the contents of this field.

Rick can only view the contents of the Short Description field because he is a member of the Browser group. Because the Browser group has maximum View permissions, you can never provide Rick with a Change permission for the Short Description field through the Browser group. 

Based on the example, the following figure illustrates how permissions and field definitions work together to determine access to a field:

Specifying field access control
221_Permissions-field2.png

At the field level, each group is granted the following specific access to the Short Description data field :

  • CS Staff group—Change access
  • Sales Staff group—View access
  • Browser group—View access; Because the Browser group has a maximum access of View, the Change access is not granted at the field level.


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*