Security Labels

Security Labels section. System administrator interface

Contents

Description

Security labels allow you to restrict user access to work with objects. A label is a set of attributes that are checked, and is used to delimit access rights to data within a single entity/lookup entity. A list of permitted attribute values is specified for the user role to whose label is assigned. The user can only work with entity/lookup entity records whose attribute value matches the allowed ones. The logic of data access restrictions:

  • If several attributes are involved in the label, the user sees the records where the value of the specified attributes matches the allowed values configured for the user (i.e. a logical “AND” works within the label).
  • If several instances of the same label are configured for the user, the user sees the records that completely satisfy one of the label instances (i.e. a logical “OR” works between the labels).
  • If several different labels are configured for the user, then the user sees records that satisfy all labels (i.e. a logical “AND” works within between labels). In this case, rules 1 and 2 apply inside the labels.

Access restriction should be understood to mean:

  • search queries return only data that satisfy the labels;
  • when editing or creating a record, users cannot save the record if it does not satisfy the labels applied.

Assigning Securiry Labels

To configure and assign security labels, the following actions must be performed: