Security
Data Access
Control who can view and edit records through dynamic access policies and filtering
Overview
Data Access provides granular control over who can view and edit records (data) within your Elementum applications. This security feature allows you to create dynamic access policies that determine which records users can see based on user roles, record criteria, and contextual conditions. Applies To Records In:- Apps: Control which records users can see within applications
- Elements: Manage visibility of specific records in data elements
- Tasks: Restrict which task records users can access
- Tables: Filter which table records are visible to different users
How Data Access Works
Dynamic Access Control
Data Access uses policy-based filtering to show users only the data they should see, when they should see it.Key Concept: Instead of static permissions, Data Access creates dynamic filters that evaluate in real-time based on current user context and record data.
Access Policy Structure
Each access policy consists of:1
Users and Groups
Define which users or groups the policy applies to
2
Access Conditions
Set criteria that records must meet for the specified users to access them
3
Filter Logic
Combine multiple conditions using operators and logical groupings
Creating Access Policies
Basic Policy Setup
1
Navigate to Data Access
- Go to your App Settings
- Navigate to Security → Data Access
- Click ”+ Policy” to create a new access policy
2
Select Users and Groups
- Choose Users and Groups that this policy applies to
- Use the dropdown to select specific users or user groups
- Multiple users and groups can be added to a single policy
Users can be part of multiple policies. The system will combine access from all applicable policies.
3
Configure Access Conditions
Define when users should have access to records:
- Click “Give access when” to start building conditions
- Select the field to filter on
- Choose the comparison operator
- Set the value or condition
Filter Operators
Data Access supports filtering on all data types in Elementum with appropriate operators for each type:Text Fields
Examples:
contains..., starts with..., is..., is not...Numeric Fields
Examples:
equals, greater than, less than, betweenDate Fields
Examples:
is after, is before, is between, is in the last X daysState Fields
Examples:
is empty, is not empty, is true, is falseThe available operators automatically adjust based on the field type you select, ensuring you only see relevant filtering options.
Current User Variable
Special Variable: Current User
The most powerful feature of Data Access is the ability to filter based on the current user viewing the data.Use Cases:
- Show users only records assigned to them
- Display data where they are mentioned or involved
- Filter based on user attributes or group membership
Current User Examples
Scenario: Users only see records assigned to themFilter Setup:
- Field:
Assigned User - Operator:
is... - Value:
Current User
Advanced Filtering
Multiple Conditions
1
Add Conditions
- Click ”+ Condition” to add additional filter criteria
- Each condition creates an AND relationship by default
- All conditions must be true for access to be granted
2
Condition Groups
- Click ”+ Condition Group” to create OR logic
- Condition groups allow for complex boolean logic
- Use groups to create “this OR that” scenarios
3
Clear All
Use “Clear All” to remove all conditions and start over
Complex Access Scenarios
Multi-Criteria Access
Multi-Criteria Access
Scenario: Sales reps see leads in their territory that are activeFilter Setup:
- Condition 1:
Territoryis...Current User's Territory - AND
- Condition 2:
Statusis...Active
Role-Based with Exceptions
Role-Based with Exceptions
Scenario: Managers see all records, regular users see only their ownPolicy 1 (Managers):
- Users: Manager Group
- Conditions: (No conditions - access to all records)
- Users: Staff Group
- Conditions:
Assigned Useris...Current User
Time-Based Access
Time-Based Access
Scenario: Users see records created in the last 30 days that involve themFilter Setup:
- Condition Group 1:
Created Byis...Current User- OR
Assigned Useris...Current User
- AND
- Condition 2:
Created Dateis after...30 days ago
Managing Access Policies
Viewing Existing Policies
In the Data Access section, you can:Policy Overview
View all active policies and their assigned users/groups
Edit Policies
Modify existing policies by clicking the edit icon
Delete Policies
Remove policies that are no longer needed
Policy Testing
Test policies to ensure they work as expected
Default Policies
Default (All Records): Every app starts with a default policy that gives Internal Users access to all records. You can modify or delete this policy as needed.
Security Best Practices
Policy Design
Important: Always test your access policies thoroughly before deploying to production to ensure users can access the data they need.
1
Principle of Least Privilege
Start with restrictive policies and add access as needed rather than starting permissive
2
Regular Audits
Periodically review access policies to ensure they still align with business needs
3
Document Policies
Keep documentation of why specific access policies were created and their intended purpose
4
Test User Experience
Test policies from different user perspectives to ensure the experience is intuitive
Common Pitfalls
Over-Restrictive Policies
Over-Restrictive Policies
Problem: Users can’t access data they need for their jobSolution:
- Use condition groups to create multiple access paths
- Consider user workflows when designing policies
- Test with actual user scenarios
Conflicting Policies
Conflicting Policies
Problem: Multiple policies create unexpected access patternsSolution:
- Document policy interactions
- Use clear naming conventions for policies
- Regular policy reviews and cleanup
Performance Impact
Performance Impact
Problem: Complex policies slow down data loadingSolution:
- Keep conditions simple when possible
- Index fields used in access policies
- Monitor system performance after policy changes
Troubleshooting
Users Can’t See Expected Data
1
Check Policy Assignment
Verify the user is included in the correct policy groups
2
Review Conditions
Ensure filter conditions match the actual data values
3
Test Current User Variables
Verify that user attributes match the expected values
4
Check Multiple Policies
Review all policies that might apply to the user
Policy Not Working as Expected
Condition Logic Issues
Condition Logic Issues
Check: Verify AND/OR logic between conditions
Solution: Use condition groups to create proper boolean logic
Data Type Mismatches
Data Type Mismatches
Check: Ensure filter values match field data types
Solution: Verify text fields use text operators, dates use date operators, etc.
User Attribute Problems
User Attribute Problems
Check: Verify user has the required attributes set
Solution: Update user profiles with necessary field values
Integration with Other Features
Workflow Automation
Data Access policies work seamlessly with:- Assignment Rules: Automatically assign records based on access policies
- Notifications: Send notifications only to users who have access to the data
- Automations: Trigger workflows based on access policy changes
Reporting and Analytics
- Filtered Reports: Reports automatically respect data access policies
- Dashboard Views: Dashboards show only data the user can access
- Export Controls: Data exports are filtered by access policies
By implementing Data Access policies, you can ensure that users see only the data they need while maintaining security and compliance requirements across your Elementum applications.