Security labels allow you to restrict user access to work with objects. A label is a set of attributes that are checked, and is used to delimit access rights to data within a single entity/lookup entity. A list of permitted attribute values is specified for the user role to whose label is assigned. The user can only work with entity/lookup entity records whose attribute value matches the allowed ones. The logic of data access restrictions:
If several attributes are involved in the label, the user sees the records where the value of the specified attributes matches the allowed values configured for the user (i.e. a logical “AND” works within the label).
If several instances of the same label are configured for the user, the user sees the records that completely satisfy one of the label instances (i.e. a logical “OR” works between the labels).
If several different labels are configured for the user, then the user sees records that satisfy all labels (i.e. a logical “AND” works within between labels). In this case, rules 1 and 2 apply inside the labels.
Access restriction should be understood to mean:
Search queries return only data that satisfy the labels;
When editing or creating a record, users cannot save the record if it does not satisfy the labels applied.
Assigning Securiry Labels¶
To configure and assign security labels, the following actions must be performed: