Completing the Security tab for Access Deny rules
Best practice: Use Access Manager to deny authorization instead of working directly with the fields in this tab. Access Manager simplifies the process and updates your Access Deny rules. Select Dev Studio > Org & Security > Access Manager. See Org and Security category - Access Manager landing page for more information.
For each of the user actions that you want to deny, you can enter a numeric value between 1 and 5, or reference an Access When rule. Access is denied when the Access Control value is greater than or equal to the production level of this system. When an Access When rule is used, the system evaluates the rule and denies access when the result of the Access When rule is True.
If a field contains 0 or is blank, access is permitted (not denied).
Users may need the first six types of access to operate on instances. The last three types are usually needed only by application developers.
The production level of the system is visible on the System form.
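The deny decision described above, modelled in Python as an added example (not Pega code and not part of the original page). The action names come from the table below; `is_denied`, `audit`, the sample values and the `IsNotOwner` Access When name are hypothetical.

```python
# Added model of the deny decision described on this page; not Pega code.
from typing import Callable, Dict, Mapping, Optional, Union

FieldValue = Union[int, str, None]
WhenRules = Mapping[str, Callable[[], bool]]

def is_denied(value: FieldValue, production_level: int,
              when_rules: Optional[WhenRules] = None) -> bool:
    """True when a Security-tab field denies the action on this system."""
    if isinstance(value, str):
        value = value.strip()
        if value.isdigit():
            value = int(value)
    if value is None or value == "" or value == 0:
        return False                      # blank or 0: permitted (not denied)
    if isinstance(value, int):
        if not 1 <= value <= 5:
            raise ValueError(f"level value out of range: {value}")
        return value >= production_level  # deny when value >= production level
    # Anything else is treated as the When Name of an Access When rule.
    if when_rules is None or value not in when_rules:
        raise LookupError(f"Access When rule not modelled: {value}")
    return bool(when_rules[value]())      # deny when the rule evaluates to True

def audit(fields: Mapping[str, FieldValue], production_level: int,
          when_rules: Optional[WhenRules] = None) -> Dict[str, bool]:
    """Map each user action to whether it is denied at this production level."""
    return {action: is_denied(v, production_level, when_rules)
            for action, v in fields.items()}

# Constructed sample rule; "IsNotOwner" is a hypothetical Access When name.
SAMPLE_FIELDS = {
    "Open Instances": 5,
    "Modify Instances": 3,
    "Delete Instances": "IsNotOwner",
    "Run Reports": 0,
    "Execute Activities": "",
}
SAMPLE_WHEN = {"IsNotOwner": lambda: True}

if __name__ == "__main__":
    for level in range(1, 6):
        print(level, audit(SAMPLE_FIELDS, level, SAMPLE_WHEN))
```

A level value lower than the system's production level leaves the action permitted, so the same Access Deny rule can deny an action on a level 2 system and permit it on a level 5 system.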
Field | Description |
---|---|
Open Instances | Optional. Enter the When Name key part of an Access When rule, or a level value between 1 and 5. If you enter a name, the system uses the Access Class key part of the rule to open, and class inheritance, to find the Access When rule. This determines whether holders of the access role identified as the first key part of this rule are denied the ability to open existing instances of the class identified in the second key part of this Access Deny rule. |
Modify Instances | Optional. Enter the When Name key part of an Access When rule, or a level value between 1 and 5. If you enter a name, the system uses the Access Class key part of the rule to be modified, and class inheritance, to find the Access When rule. This determines whether holders of the access role identified as the first key part of this rule are denied the ability to save new or modified instances of the class identified as the second key part of this rule. |
Delete Instances | Optional. Enter the When Name key part of an Access When rule, or a level value between 1 and 5. If you enter a name, the system uses the Access Class key part of the page passed in to the Delete method. This is usually, but not necessarily, the entire page. It is possible to pass to the Delete method a page containing only the keys of the instance to be deleted. This determines whether holders of the access role identified as the first key part of this rule are denied the ability to delete instances of the class identified as the second key part of this rule. |
Run Reports | Optional. This determines whether holders of the access role identified as the first key part of this rule can run reports against the class being reported on or listed. Enter the When Name key part of an Access When rule, or a level value between 1 and 5. The message: indicates that a user lacks the capability provided by this field. |
Execute Activities | Optional. Enter the When Name key part of an Access When rule, or a level value between 1 and 5. If you enter a name, the system uses the Access Class key part of this Access of Role to Object rule and class inheritance to find the Access When rule. This determines whether holders of the access role identified as the first key part of this rule are denied the ability to execute activities that belong to the class identified as the second key part of this rule. |
Open Rules | Optional. Enter the When Name key part of an Access When rule, or a level value between 1 and 5. If you enter a name, the system uses the class of the primary page at runtime to locate an Access When rule. As a best practice, create the Access When rule in the Rule- base class. That is, set the Applies To key part of the Access When rule to This determines whether holders of the access role identified as the first key part of this rule are denied the ability to open rules with the class as a key part. |
Modify Rules | Optional. Enter the When Name key part of an Access When rule, or a level value between 1 and 5. If you enter a name, the system uses the class of the primary page at runtime to locate an Access When rule. As a best practice, create the Access When rule in the Rule- base class. That is, set the Applies To key part of the Access When rule to This determines whether holders of the access role are denied the ability to save new or modified rules with the class as a key part. |
Delete Rules | Optional. Enter the When Name key part of an Access When rule, or a level value between 1 and 5. If you enter a name, the system uses the class of the primary page at runtime to locate an Access When rule. As a best practice, create the Access When rule in the Rule- base class. That is, set the Applies To key part of the Access When rule to This determines whether holders of the access role are denied the ability to delete rules with the class as a key part. |