A custom field can be of type "security group". This custom field will display the security groups that are applied to the record currently being viewed. It has a special feature where it can be restricted to displaying only those security groups that are nominated of a particular type.
Recommended use for this custom field
You may want the security of a record to be driven by some selectable value in their organization.
For example, organizations with Departments may require that Contract records can be only visible to the Departments that have been assigned.
The Contract below has Department field values of HR and Legal. To restrict access to this Contract record to these Departments, you must also have HR and Legal Security Group records and manually select them in the main Security Group field.
In this example we have pulled out the main Security Group field into the form, if you do not have this field on your form then it can be accessed via the padlock icon on the top right of the record.
Fig 1 - Example 1
If we then update the Department field, removing HR and adding Finance, we must also manually update the main Security Group field to reflect this change. If we do not update the main Security Group field then HR will still see the contract and Finance will not.
Fig 2 - Example 2
The new custom Security Group Type field will be directly linked to the main Security Group field. If we make a change to the Security Group Type field, the system will then automatically update the main Security Group field values to reflect the change and vise versa.
You can create as many of these custom Security Group Type field as you require, if you have created several fields then the values displayed in them will be reflected in the main Security Group field.
So you could have a one new field named 'Department' with values of 'HR | Legal' and another new field named 'Location' with values of 'London | Scotland'.
The main Security Group field will then display the Security Groups of : 'HR | Legal | London | Scotland' and all Users assigned to those Security Groups will have access to the record.
- If you remove 'Legal' from the main Security Group field, then it will be removed from the 'Department' field
- If you remove 'Scotland' from the 'Location' field, it will be removed from the main Security Group field
Changing one field will always update the other as they are linked.
Creation of a Security Group Type field
In the following example the Department field is an existing field to be replaced with the new custom Security Group Type field. This is a common requirement, but the field can be given any label as per your organisations needs.
It does not need to replace any existing field, but you may wish to replace a field you are already using if you have an established account to make your Security Group maintenance easier to manage.
In this example we are also going to create a secondary field 'Location' and also use this field to allow Security Group access.
1. Create Security Type values in the value set screen
A new value set of 'Security Group Type' has been created in the Value Set screen in Configuration, here you can enter all the Security Group Types you require. One value for each field you are making.
Fig 3 - Security Group Type value set
2. Link a Security Type value to a Security Group
Security Groups can now be allocated a 'Type.
- You must create new or update existing Security Group records with one of these Security Group Type values.
- You should not create a new Security Group of the same name.
- This allocation secures a link between the main Security Group field and this new field.
In the Security Group record, the Type field drop down list will display all the values you have entered in the 'Security Group Type' value set above.
Fig 4 - Security Group Type
Assign the 'Type' to all the relevant Security Groups.
Fig 5 - Security Type Allocation
Note: A Security Group can only be assigned to one Security Group Type
3. Create a new Custom field for each Security Group Type
Fig 6 - Data Type Parameters
Enter the Name and Label fields
Select the Entity where you want this field to appear using the drop down list
Select the Data Type of 'Security Group' - the right side of the screen will update:
Data Type Parameters
- Type - Select the value you wish this field to refer to - the values displayed here will match those you have entered in the 'Security Group' Value set above.
- Set the Controls for the field - you may or may not decide to have the [ro] or [rw] tags displayed against each value in field, choose the relevant option for your organisation, please note:
- By default the option is to hide the Control values
- The default will be [rw] Read Write
- If set to 'Hide' you will not be able to see/adjust these values in the new Custom Security Type field but you will in the Security Group field.
- If you decide to show the Control values, any User with [rw] access to the record will be able to adjust the controls
Create a custom field for all the Security Group Types stipulated in the Value set.
Fig 7 - New Security Groups Type fields
4. Place the new Security Group Type fields on the form
Drag and drop your new fields onto the relevant layouts via the Form Layouts screen. If you have differing layouts based upon Type then you may have to update individual layouts one at a time.
Remove any existing field that they may be replacing - in this case we are removing the existing 'Department' field and replacing it with the 'Department (New)' field, [please note the data migration steps below before removing this field] and adding the new 'Location' field.
Fig 8 - Form Layouts
Migrating Existing Data
If you are creating this field to replace an existing field - the existing field may already contain values, that data must be migrated over to the new field. This is easiest to do in 3 steps:
- Place the new Security Group Type field on all required Layouts.
- Use the Import feature to mass update the new Security Group Type field with the old field values. Please refer to this article on how to modify data using import
- Once migration is complete the old field can be removed from the Form
Note: We recommend that the new Security Group Type fields be made mandatory as these will drive the Security access. If you do not make them mandatory and no values are given in these fields then the default Security Group of 'Everyone' or existing Security Group Automation rules will only apply.
Using the Security Group Type fields
Now the fields are on the form, when you start to enter values in your new fields the main Security Group field will update to reflect the values selected..
In the below example we would like 'Facilities' and 'Finance' Departments to have full access but the Location of 'North West - Leeds' to only have (ro) access. Select the values in the relevant fields and adjust the Access Control as required.
Fig 9 - Using the Security Group Type fields
If you adjust any of the values in either of the 3 fields then the fields will update accordingly
The values contained in the the main Security Group field are the values that are allowed access to the record. So as you add/remove values in the fields access to the record will be given/removed.
Fig 10 - Adjusting field values
Independent Security group values
You may have independent Security Group values that are not linked to a 'Type' these Security Groups can still be selected in the main Security Group field and allow access to the record, but as it is not linked to a Security Group Type it will not be reflected in any of the new Security Group Type fields that you have.
System Security Group values
There are values in the main Security Group drop down which are system independent values and cannot be allocated to a Security Group Type, these are:
- Everyone
- No-One
- Contract Assigned Users
- All individual User Security Groups
These values can still be selected in the main Security Group field and will allow access to the record.
Security Automation
This new type of field can be used as a new Automation Action to allocate Security Groups when a record is first created or edited.
Fig 11 - Security Grout Type Automation Action
If you wish to use these new Security Group Type fields to allocate Security Groups and you have existing Automation Rules set up to allocate Security Groups then we recommend that you review your current Automation rules as some of them may no longer be required or may need to be adjusted.
For further information on how to create a Security Group Type Automation Action, please refer to this article.