Creating dynamic access control rules

If dynamic access control is enabled on a custom object, no users can see the object until a rule grants access. Create rules and then define the users that can access the object based on the rule criteria.

Example scenario

Dynamic access control is enabled on a custom object called STUDY. In your Network instance, you have STUDY records for Canada, Mexico, and the United States. Your users have data visibility profiles for all three countries (for other business reasons), but they should only be able to access STUDY records for specific countries.

Example rule

Create a rule to provide specific users access to STUDY records for Canada.

The Rule Criteria is Include Records where the primary country equals Canada. The rule is assigned to the user group (Clinical trials - Canada) and the user (Bob).

Other rules should be created to give users access to STUDY records for the other countries; otherwise, those records will not be accessible to any user.

Create a rule

Dynamic access control rules can be created in two places in the Network UI:

  • Dynamic Access Control summary page (Users & Permissions > Dynamic Access Control) - Create and edit rules for any enabled custom object.

    This tab only displays in the Users menu if custom objects are enabled in your Network instance.

  • Custom object's configuration page (Data Model > Data Domain) - Create rules in the Dynamic Access Control section of the page. The rules are applied to the custom object that you're configuring.

To create a rule:

  1. From the Dynamic Access Control page or the custom object configuration page, click Create New Rule.

  2. In the Details section, add a Name and Description.
  3. Choose the Object Type. Only custom objects that have dynamic access control are available in the list.

    If you are creating the rule from the custom object's configuration page, the rule is applied to that object by default.

  4. Beside the Status heading, choose Active.
  5. In the Rule Criteria section, choose to include or exclude specific records.

    Click + Add Field and choose the Field, Condition, and Value criteria for the rule.

    Example

    Create a rule for the STUDY__C custom object to provide access to the clinical trials for a specific country.

    Only active fields for the custom object (including fields on the related sub-objects) are available in the list. If the custom object is the Owner object, relationship object fields are also available to use in the rule.

    If a field is disabled after it has been used in a dynamic access control rule, the rule is skipped if no records meet the rule criteria. The rule can still apply if a record in your Network instance meets the rule criteria; Network considers the field values, not the state of the field.

  6. In the User Groups section, click Add User Groups.

    You can add custom and system managed user groups in bulk to your dynamic access control rules. Use the search field to find a specific group.

    • Add user groups individually - Select the checkbox beside the user group name.

    • Add user groups in bulk - Select the checkbox beside Group Name. This selects all of the user groups that currently display.

    To create a custom user group for this specific rule, go to Users & Permissions > User Groups to create the group.

  7. In the Users section, click Add Users. Click the Add icon to choose the users that will have access to the custom object. Only active Network users display in the list. The Add icon becomes a Green Check Mark icon for selected users. When you are finished, click Update Users.

    The Users table displays the user type, security policy and data visibility profiles assigned to the user. You can click the user name link to navigate to the user's profile for more information or to make changes.

    Note: If multiple rules are assigned to the same user, access to the custom object is cumulative. In these cases, access is always granted to the object; access is not restricted.

  8. Save your changes.

The rule is active and can now begin providing access to the object.

Considerations for rules containing No Value or null value

When you are creating rules, it is important to remember that some field values contain No Value or have a blank (null) value. These records are only returned when the rule criteria are one of the following:

  • Exclude Records where the Condition is In or Equals
  • Include Records where the Condition is Not In or Not Equals

Ensure that you create a rule to return these records so users can access them.

Example

On the PATIENT custom object, a custom field called High Profile identifies the records as sensitive. Some users need access to these sensitive PATIENT records and some users need access to regular PATIENT records.

To give users access to the sensitive PATIENT records, you create a rule where the criteria is to Include Records where the High Profile field is Yes/True.

To give other users access to PATIENT records that are not considered sensitive (the High Profile field is not Yes/True), a second rule must be created. However, if you just create a rule to Include Records where the High Profile field value is No/False and Unknown, then PATIENT records where the field is blank or the value is No Value will not display; no users will have access to those records, including the record creator.

To ensure that users can see all other PATIENT records that are not flagged as sensitive, create a rule where the positive field condition is not met. In this case, the rule should Exclude Records where the High Profile field value is not Yes/True.

The users in this rule will have access to all records except those where the High Profile field value is Yes/True.
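
The following added example is a local Python model of the semantics described in this section, not Veeva Network code or an API call; it shows how the PATIENT rule set leaves blank records unreachable and how cumulative access combines rules. The records, the user names, the `high_profile` key, and the modelling of the final rule as Exclude Records with an Equals condition on Yes/True are assumptions made for the illustration.

```python
# Added illustration: a local model of the rule semantics described on this
# page, not Veeva Network code or API. Records and rule names are constructed.

def matches(value, condition, values):
    """Field condition as the page describes it: a blank/No Value field never
    satisfies In/Equals and always satisfies Not In/Not Equals."""
    if condition in ("equals", "in"):
        return value is not None and value in values
    if condition in ("not_equals", "not_in"):
        return value is None or value not in values
    raise ValueError(f"unknown condition: {condition}")

def rule_grants(rule, record):
    hit = matches(record.get(rule["field"]), rule["condition"], rule["values"])
    return hit if rule["mode"] == "include" else not hit

def visible_ids(user, rules, records):
    """Access is cumulative: union of every active rule assigned to the user."""
    mine = [r for r in rules if r["active"] and user in r["users"]]
    return {rec["id"] for rec in records if any(rule_grants(r, rec) for r in mine)}

def orphaned_ids(rules, records):
    """Records no active rule returns, so no user can open them."""
    active = [r for r in rules if r["active"]]
    return {rec["id"] for rec in records if not any(rule_grants(r, rec) for r in active)}

# Constructed PATIENT records; None stands for blank / No Value.
RECORDS = [
    {"id": "P1", "high_profile": "Yes"},
    {"id": "P2", "high_profile": "No"},
    {"id": "P3", "high_profile": "Unknown"},
    {"id": "P4", "high_profile": None},
]

def rule(name, mode, condition, values, users):
    return {"name": name, "mode": mode, "field": "high_profile",
            "condition": condition, "values": set(values),
            "users": set(users), "active": True}

SENSITIVE = rule("sensitive", "include", "equals", ["Yes"], ["alice"])
NAIVE = rule("regular-naive", "include", "in", ["No", "Unknown"], ["bob"])
FIXED = rule("regular-fixed", "exclude", "equals", ["Yes"], ["bob"])

if __name__ == "__main__":
    print("naive set orphans:", sorted(orphaned_ids([SENSITIVE, NAIVE], RECORDS)))
    print("fixed set orphans:", sorted(orphaned_ids([SENSITIVE, FIXED], RECORDS)))
    print("bob sees:", sorted(visible_ids("bob", [SENSITIVE, FIXED], RECORDS)))
```

Running `orphaned_ids` over an exported rule set before activating it is a quick way to confirm that every record is reachable by at least one rule and that no user's cumulative access includes records they should not see.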