This article and video provide an explanation of how to combine multiple data access rules and multiple data access roles.
Note: if you need a more basic overview of One Model Role-based permissions, check out Introduction to role based security.
Assuming you’re feeling good about the basics, let’s proceed with some combination rules. First up we have a 10(ish) minute walkthrough video. Below that I’ve provided the “cliff notes” summary.
Here’s the admin view of the data set we’ll be adding some security restrictions to:
What happens if you add multiple rules to a particular data access role, like so:
Answer 1: A user who only has that data access role will only see results for employees who are both in Finance AND are Full-Time. Like so:
What happens if you put a user in two data access roles?
Above we showed a screenshot of a role called “Security Test – AND”. What if we also put the same user in a role with this rule:
Note the multiple selections on the Org Unit. This role grants access to Engineering and Operations, without the additional limit on the employees being Full-Time.
Answer 2: They get the union of those two permission sets. In other words, they get access to just the Full-Time Finance employees from the first role, and they also get access to all employees from Engineering and Operations from the second. I called this one an “OR” because you get access to data that is granted by the first role OR data that is granted by the second role. Like so:
What if a user has access to detail columns in one of the roles but not in the other?
In this example, they do not have detail access in the Finance role, but they can drill in and see first name and tenure date for the Engineering and Operations role.
Answer 3: In that scenario when they drill into, say, the 65 Part-Time employees in Engineering, they can see first name and tenure data in the detail. And when they drill into the 338 Full-Time employees from Finance, they cannot see any detail data.
In fact, here’s an interesting drill-down screenshot covering the scenario where a user drills into a group of employees and is authorized to view details of some but not others. You can see that one line item just shows the 338 Finance employees as a single count, not broken out, and the rest show the detail that I’m authorized to see for the Engineering and Operations folks.
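To make the three answers above concrete, here is a small Python model of the combination logic. It is an added example, not One Model’s own code or a description of its implementation: rules inside one role are ANDed (Answer 1), roles are unioned (Answer 2), and detail access is decided row by row according to whichever role grants that row (Answer 3). The employee records, the second role’s name, and the `org_unit`/`employment_type` field names are all constructed for the example.

```python
"""Model of combining data access rules (AND within a role) and roles (OR across roles).

Added illustration, not One Model's code. Employee records below are constructed
sample data; the field names and the second role's name are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One rule on one dimension. Multiple selections on a single dimension
    (e.g. Org Unit = Engineering, Operations) are ONE rule, not two."""
    dimension: str
    allowed: frozenset

    def matches(self, row: dict) -> bool:
        return row.get(self.dimension) in self.allowed


@dataclass(frozen=True)
class DataAccessRole:
    name: str
    rules: tuple            # every rule must match: rules within a role are ANDed
    detail_access: bool     # may the user drill down to first name / tenure date?

    def grants(self, row: dict) -> bool:
        return all(rule.matches(row) for rule in self.rules)


def visible_rows(roles, rows):
    """Union across roles: a row is visible if ANY role the user holds grants it."""
    return [row for row in rows if any(role.grants(row) for role in roles)]


def detail_visible(roles, row) -> bool:
    """Detail is shown only if some role that grants this row also has detail access.
    A role that does not grant the row contributes nothing, even if it has detail access."""
    return any(role.detail_access for role in roles if role.grants(row))


def drill_down(roles, rows):
    """Simulate drilling into a result set: rows with detail access become individual
    detail lines; the rest are rolled up into a count per (org_unit, employment_type)."""
    detail_lines = []
    rolled_up = {}
    for row in visible_rows(roles, rows):
        if detail_visible(roles, row):
            detail_lines.append((row["first_name"], row["tenure_date"]))
        else:
            key = (row["org_unit"], row["employment_type"])
            rolled_up[key] = rolled_up.get(key, 0) + 1
    return detail_lines, rolled_up


# Constructed sample employees (not real data).
EMPLOYEES = [
    {"id": 1, "first_name": "Ada", "org_unit": "Finance", "employment_type": "Full-Time", "tenure_date": "2019-03-01"},
    {"id": 2, "first_name": "Ben", "org_unit": "Finance", "employment_type": "Part-Time", "tenure_date": "2021-07-15"},
    {"id": 3, "first_name": "Cho", "org_unit": "Engineering", "employment_type": "Part-Time", "tenure_date": "2020-01-10"},
    {"id": 4, "first_name": "Dee", "org_unit": "Operations", "employment_type": "Full-Time", "tenure_date": "2018-11-30"},
    {"id": 5, "first_name": "Eli", "org_unit": "Sales", "employment_type": "Full-Time", "tenure_date": "2022-05-02"},
]

# Role from the article: two rules, so Finance AND Full-Time; no detail access.
ROLE_AND = DataAccessRole(
    name="Security Test - AND",
    rules=(Rule("org_unit", frozenset({"Finance"})),
           Rule("employment_type", frozenset({"Full-Time"}))),
    detail_access=False,
)

# Second role: one rule with two Org Unit selections; detail access granted.
# The role name is an assumption; the article does not name it.
ROLE_ENG_OPS = DataAccessRole(
    name="Security Test - OR (assumed name)",
    rules=(Rule("org_unit", frozenset({"Engineering", "Operations"})),),
    detail_access=True,
)


def visible_ids(roles):
    return [row["id"] for row in visible_rows(roles, EMPLOYEES)]


if __name__ == "__main__":
    print("Answer 1 (AND role only):", visible_ids([ROLE_AND]))
    print("Answer 2 (both roles):   ", visible_ids([ROLE_AND, ROLE_ENG_OPS]))
    details, counts = drill_down([ROLE_AND, ROLE_ENG_OPS], EMPLOYEES)
    print("Answer 3 detail lines:   ", details)
    print("Answer 3 rolled up:      ", counts)
```

Running it with only `ROLE_AND` yields a single employee (Finance and Full-Time); with both roles the Finance/Full-Time employee plus everyone in Engineering and Operations appear, and the drill-down shows name and tenure date only for the Engineering/Operations rows while the Finance row stays a bare count, which is exactly the mixed drill-down screenshot described above.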