Overview

Data Access provides comprehensive control over who can view and edit records (data) within your Elementum applications through two complementary systems:

Policy-Based Access

Create dynamic access policies that determine which records users can see based on user roles, record criteria, and contextual conditions. Policies apply broad filtering rules across all records.

Access Sharing

Grant specific users or groups access to individual records through auto-sharing triggers or manual shares. Sharing provides granular, record-level access control.
Applies To Records In:
  • Apps: Control which records users can see within applications
  • Elements: Manage visibility of specific records in data elements
  • Tasks: Restrict which task records users can access
  • Tables: Filter which table records are visible to different users

How Data Access Works

Dynamic Access Control

Data Access uses policy-based filtering to show users only the data they should see, when they should see it.

Key Concept: Instead of static permissions, Data Access creates dynamic filters that evaluate in real-time based on current user context and record data.

Access Policy Structure

Each access policy consists of:
1

Users and Groups

Define which users or groups the policy applies to
2

Access Conditions

Set criteria that records must meet for the specified users to access them
3

Filter Logic

Combine multiple conditions using operators and logical groupings

Creating Access Policies

Basic Policy Setup

1

Navigate to Data Access

  1. Go to your App Settings
  2. Navigate to Security > Data Access
  3. Click “+ Policy” to create a new access policy
2

Select Users and Groups

  1. Choose Users and Groups that this policy applies to
  2. Use the dropdown to select specific users or user groups
  3. Multiple users and groups can be added to a single policy
Users can be part of multiple policies. The system will combine access from all applicable policies.
3

Configure Access Conditions

Define when users should have access to records:
  1. Click “Give access when” to start building conditions
  2. Select the field to filter on
  3. Choose the comparison operator
  4. Set the value or condition

Filter Operators

Data Access supports filtering on all data types in Elementum with appropriate operators for each type:

Text Fields

Examples: contains..., starts with..., is..., is not...

Numeric Fields

Examples: equals, greater than, less than, between

Date Fields

Examples: is after, is before, is between, is in the last X days

State Fields

Examples: is empty, is not empty, is true, is false
The available operators automatically adjust based on the field type you select, ensuring you only see relevant filtering options.

Current User Variable

Special Variable: Current User

The most powerful feature of Data Access is the ability to filter based on the current user viewing the data.

Use Cases:
  • Show users only records assigned to them
  • Display data where they are mentioned or involved
  • Filter based on user attributes or group membership

Current User Examples

Scenario: Users only see records assigned to them

Filter Setup:
  • Field: Assigned User
  • Operator: is...
  • Value: Current User
This ensures users only see records where they are the assigned user.

Advanced Filtering

Multiple Conditions

1

Add Conditions

  1. Click “+ Condition” to add additional filter criteria
  2. Each condition creates an AND relationship by default
  3. All conditions must be true for access to be granted
2

Condition Groups

  1. Click “+ Condition Group” to create OR logic
  2. Condition groups allow for complex boolean logic
  3. Use groups to create “this OR that” scenarios
3

Clear All

Use “Clear All” to remove all conditions and start over

Complex Access Scenarios

Scenario: Sales reps see leads in their territory that are active

Filter Setup:
  • Condition 1: Territory is... Current User's Territory
  • AND
  • Condition 2: Status is... Active
Both conditions must be true for access.

Scenario: Managers see all records, regular users see only their own

Policy 1 (Managers):
  • Users: Manager Group
  • Conditions: (No conditions - access to all records)
Policy 2 (Regular Users):
  • Users: Staff Group
  • Conditions: Assigned User is... Current User

Scenario: Users see records created in the last 30 days that involve them

Filter Setup:
  • Condition Group 1:
    • Created By is... Current User
    • OR
    • Assigned User is... Current User
  • AND
  • Condition 2: Created Date is after... 30 days ago
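
The evaluation rules described above (AND between a policy's conditions, OR inside a condition group, combined access across every policy a user belongs to) can be modeled in a few lines to check a policy design before building it. This is an added example, not Elementum's implementation; the data shapes, function names, and sample records are assumptions, and denying on a missing field value is a modeling choice.

```python
from datetime import date, timedelta

CURRENT_USER = object()          # stands in for the "Current User" variable
TODAY = date(2024, 6, 30)        # constructed, fixed so results are repeatable
OPS = {"is": lambda a, b: a == b, "is after": lambda a, b: a > b}

def any_of(*conds):
    """A condition group: OR between its members."""
    return ("or", conds)

def matches(node, record, user):
    if node[0] == "or":
        return any(matches(n, record, user) for n in node[1])
    field, op, value = node
    actual = record.get(field)
    if actual is None:           # missing field value: deny rather than error
        return False
    return OPS[op](actual, user["name"] if value is CURRENT_USER else value)

def can_see(policies, record, user):
    """OR across applicable policies, AND across one policy's conditions."""
    members = {user["name"], *user["groups"]}
    return any(members & p["users"] and
               all(matches(c, record, user) for c in p["conditions"])
               for p in policies)

POLICIES = [   # constructed from the scenarios above
    {"name": "Managers", "users": {"Manager Group"}, "conditions": []},
    {"name": "Staff", "users": {"Staff Group"}, "conditions": [
        any_of(("Created By", "is", CURRENT_USER),
               ("Assigned User", "is", CURRENT_USER)),
        ("Created Date", "is after", TODAY - timedelta(days=30))]},
]
RECORDS = {    # constructed sample records
    "R-1": {"Created By": "alice", "Assigned User": "bob", "Created Date": date(2024, 6, 20)},
    "R-2": {"Created By": "carol", "Assigned User": "alice", "Created Date": date(2024, 4, 1)},
    "R-3": {"Created By": "carol", "Assigned User": "carol"},   # no Created Date
}

def visible(user):
    return [rid for rid, rec in RECORDS.items() if can_see(POLICIES, rec, user)]

if __name__ == "__main__":
    for name, groups in [("alice", ["Staff Group"]), ("carol", ["Staff Group"]),
                         ("erin", ["Staff Group", "Manager Group"])]:
        print(name, visible({"name": name, "groups": groups}))
```

A user placed in both groups gets the Managers result, because the policy with no conditions matches every record and access from all applicable policies is combined.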

Managing Access Policies

Viewing Existing Policies

In the Data Access section, you can:

Policy Overview

View all active policies and their assigned users/groups

Edit Policies

Modify existing policies by clicking the edit icon

Delete Policies

Remove policies that are no longer needed

Policy Testing

Test policies to ensure they work as expected

Default Policies

Default (All Records): Every app starts with a default policy that gives Internal Users access to all records. You can modify or delete this policy as needed.

Access Sharing

Access Sharing provides record-level access control, allowing you to grant specific users or groups access to individual records. Unlike policy-based access which applies filtering rules broadly across all records, Access Sharing gives you precise control over who can access each specific record.

How Access Sharing Works

Record-Level Access Grants

Access Sharing operates at the individual record level, granting access through two mechanisms:

Auto-Sharing: Automatically grants access when users interact with records (becoming watchers, approvers, assignees, or being mentioned)

Manual Sharing: Explicitly grant or revoke access to specific users or groups for individual records

Key Difference: Policy-based access determines “Can this user see records that match these criteria?” while Access Sharing determines “Can this specific user see this specific record?”

Both systems work together - a user may gain access through policies, sharing, or both.

Auto-Sharing Triggers

Auto-sharing automatically grants record access to users based on their interactions with the record. As an App Admin, you can enable or disable specific trigger types to control when automatic sharing occurs.

Trigger Types

Watchers: When a user is added as a watcher to a record, they automatically gain access to that record. Watchers typically receive notifications about record changes and updates.
Use Case: Enable for support teams who need access to cases they’re monitoring.

Approvals: When a user is added to an approval workflow for a record, they automatically gain access to review and approve that record.
Use Case: Enable for approval processes where approvers need to view record details.

Mentions: When a user is @mentioned in a comment or description on a record, they automatically gain access to view the context of the mention.
Use Case: Enable for collaborative environments where team members reference each other.

Individual Assignees: When a user is assigned to a record as an individual assignee, they automatically gain access to work on that record.
Use Case: Enable for task management where assignees need full record access.

Group Assignees: When a group is assigned to a record, all members of that group automatically gain access to the record.
Use Case: Enable for team-based work where entire groups collaborate on records.
Group assignee auto-sharing can grant broad access as all group members receive access. Use cautiously and audit regularly.

Configuring Auto-Sharing Triggers

1

Navigate to Auto-Sharing Settings

  1. Go to your App Settings
  2. Navigate to Security > Data Access
  3. Locate the Auto-Sharing Configuration section
2

Enable or Disable Triggers

  1. Review the five toggle switches for each trigger type:
    • Watchers
    • Approvals
    • Mentions
    • Individual Assignees
    • Group Assignees
  2. Toggle each switch to enable (on) or disable (off) that trigger type
  3. Each trigger can be controlled independently
3

Save and Apply

  1. Changes are saved immediately upon toggling
  2. Settings apply to all new actions in the app going forward
  3. Changes are reflected in the main aspect activity log
  4. Existing shares remain unchanged
Auto-sharing only grants access when a trigger is enabled. If you disable a trigger, new actions of that type will not grant access automatically, but existing shares from past actions remain until manually removed.

Access Audit Page

The Access Audit Page provides visibility into all users and groups who have access to records in your app, whether through auto-sharing triggers, manual shares, or policy-based access.

Accessing the Audit Page

1

Navigate to Security

  1. Go to your App Settings
  2. Navigate to Security > Data Access
2

Open Audit Page

  1. Select the Audit Page option
  2. The audit page displays a comprehensive list of all users and groups with record access

Understanding the Audit Page

User and Group List

View all users and groups who have access to any records in the app through auto-share triggers or manual shares

Record Count

View the number of records each user or group has access to
The Audit Page shows access grants specifically from Access Sharing. Users may have additional access through policy-based Data Access policies.

Managing User and Group Access

From the Audit Page, you can view detailed access information for specific users or groups and remove access when needed.

Viewing User Access Details

1

Select User or Group

  1. From the Audit Page, click on a user or group in the table
  2. A modal window appears displaying detailed access information
2

Review Record Access

The modal displays:
  • List of all records the user/group has access to
  • Record name and handle for identification
  • Access source (which trigger granted access or if manually shared)
  • Search functionality to filter records by name or handle
3

Search Records

  1. Use the search field to filter records by name or handle
  2. Quickly locate specific records to review or remove access

Removing Access

1

Open User Access Modal

  1. From the Audit Page, click on a user or group
  2. The access details modal appears
2

Locate the Record

  1. Find the specific record you want to revoke access to
  2. Use the search functionality if needed to filter the list
3

Remove Access

  1. Click the remove or revoke access button next to the record
  2. Confirm the removal when prompted
  3. Access is immediately revoked
4

Verify Removal

The user or group will no longer appear in the audit page for that record, and they will lose the ability to view the record (unless they have access through other means like policies).
Important: Removing access affects the user’s ability to view and interact with the record immediately. Ensure the user no longer requires access before removing it.
If a user regains access through an enabled auto-sharing trigger (e.g., being reassigned to the record), they will receive access again automatically.
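
The share lifecycle described in the auto-sharing and removal sections (a disabled trigger stops new grants but leaves existing shares, and a revoked user regains access on the next enabled trigger event) is modeled below, with a check that lists shares left behind by a trigger that has since been switched off. This is an added example, not Elementum code; the class, method names, trigger identifiers, and sample users are hypothetical, and recording one source per share is a modeling assumption.

```python
class ShareLedger:
    """Toy model of Access Sharing state; names here are hypothetical."""

    def __init__(self, enabled):
        self.enabled = set(enabled)   # trigger types currently switched on
        self.shares = {}              # (user, record) -> source of the grant

    def event(self, trigger, user, record):
        """An interaction grants access only if its trigger is enabled now."""
        if trigger not in self.enabled:
            return False
        self.shares.setdefault((user, record), trigger)
        return True

    def manual_share(self, user, record):
        self.shares[(user, record)] = "manual"

    def set_trigger(self, trigger, on):
        """Toggling affects future events only; existing shares stay."""
        (self.enabled.add if on else self.enabled.discard)(trigger)

    def revoke(self, user, record):
        self.shares.pop((user, record), None)

    def stale(self):
        """Shares granted by a trigger that is now off: candidates for review."""
        return sorted(k for k, src in self.shares.items()
                      if src != "manual" and src not in self.enabled)

def demo():
    ledger = ShareLedger(enabled={"watcher", "mention"})   # constructed scenario
    ledger.event("watcher", "bob", "R-1")
    ledger.event("mention", "dana", "R-1")
    ledger.manual_share("erin", "R-2")
    ledger.set_trigger("watcher", False)
    late = ledger.event("watcher", "carol", "R-1")         # trigger off: no grant
    stale = ledger.stale()                                 # bob's share survived
    ledger.revoke("bob", "R-1")
    ledger.set_trigger("watcher", True)
    regranted = ledger.event("watcher", "bob", "R-1")      # access returns
    return late, stale, regranted, sorted(ledger.shares)

if __name__ == "__main__":
    print(demo())
```

The `stale()` list corresponds to what an admin would look for on the Audit Page after disabling a trigger: entries whose access source is that trigger.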

Security Best Practices

Policy Design

Important: Always test your access policies thoroughly before deploying to production to ensure users can access the data they need.
1

Principle of Least Privilege

Start with restrictive policies and add access as needed rather than starting permissive
2

Regular Audits

Periodically review access policies to ensure they still align with business needs
3

Document Policies

Keep documentation of why specific access policies were created and their intended purpose
4

Test User Experience

Test policies from different user perspectives to ensure the experience is intuitive

Common Pitfalls

Problem: Users can’t access data they need for their job

Solution:
  • Use condition groups to create multiple access paths
  • Consider user workflows when designing policies
  • Test with actual user scenarios

Problem: Multiple policies create unexpected access patterns

Solution:
  • Document policy interactions
  • Use clear naming conventions for policies
  • Regular policy reviews and cleanup

Problem: Complex policies slow down data loading

Solution:
  • Keep conditions simple when possible
  • Index fields used in access policies
  • Monitor system performance after policy changes

Troubleshooting

Users Can’t See Expected Data

1

Check Policy Assignment

Verify the user is included in the correct policy groups
2

Review Conditions

Ensure filter conditions match the actual data values
3

Test Current User Variables

Verify that user attributes match the expected values
4

Check Multiple Policies

Review all policies that might apply to the user

Policy Not Working as Expected

Check: Verify AND/OR logic between conditions
Solution: Use condition groups to create proper boolean logic

Check: Ensure filter values match field data types
Solution: Verify text fields use text operators, dates use date operators, etc.

Check: Verify user has the required attributes set
Solution: Update user profiles with necessary field values

Integration with Other Features

Workflow Automation

Data Access policies and Access Sharing work seamlessly with:
  • Assignment Rules: Automatically assign records based on access policies; when individual or group assignee auto-sharing is enabled, assignees automatically gain record access
  • Notifications: Send notifications only to users who have access to the data through policies or sharing
  • Automations: Trigger workflows based on access policy changes or sharing events

Reporting and Analytics

  • Filtered Reports: Reports automatically respect data access policies and shared access
  • Dashboard Views: Dashboards show only data the user can access through policies or sharing
  • Export Controls: Data exports are filtered by access policies and respect shared access
  • Audit Reports: Access Audit Page provides reporting on all shared access across the app

By implementing both policy-based Data Access and Access Sharing, you can ensure comprehensive access control - using policies for broad, rule-based filtering and sharing for specific, record-level access grants. Together, these systems maintain security and compliance requirements across your Elementum applications.