About Dynamic Access Control for Objects


Dynamic Access Control (DAC) is an access control model for object records. It automates the assignment of users to a record’s Viewer, Editor, and Owner roles through Matching Sharing Rules, Custom Sharing Rules, or both. Where permission sets grant access to an entire object, DAC provides security at the level of the individual object record.

Matching Sharing Rules are simple to set up and require less maintenance; you can use these rules to make the majority of your organization’s role assignments. Custom Sharing Rules require more maintenance but are useful for providing overrides in specific scenarios.

Your organization can enable both Matching and Custom Sharing Rules individually for specific objects. Using these features, you can provide object record-level access control for some objects, while other objects continue to use object-level access control through permission sets.

Matching Sharing Rules

Vault assigns users to roles on individual object records through membership in Auto Managed groups. In this setup, your organization controls role assignment by setting up rules and managing records in User Role Setup objects. User Role Setup records correspond to groups. A User Role Setup record includes a user, a role, and several “matching” fields, which qualify the user’s context for the role. Matching fields are fields that exist on both the User Role Setup object and on the object you’re securing, for example, Country or Product.

Learn about configuring Matching Sharing Rules.

Custom Sharing Rules

When using Custom Sharing Rules for an object, Vault manages users’ roles on specific object records by matching rule criteria to specific user assignments. Learn about configuring Custom Sharing Rules.

In past versions, this functionality was called Dynamic Security. In V15, we renamed the feature. Custom Sharing Rules work in conjunction with Matching Sharing Rules to provide ways of controlling access that are manageable, robust, and agile.

Object Record Roles

When an object uses Dynamic Access Control, Vault introduces roles on the object records. These roles control the type of access a user has on the record. If your vault uses Matching Sharing Rules, these roles map to Application Role records with the same label.

Owner

The user who creates a record (after Dynamic Access Control is enabled) automatically gets this role. With this role, you can:

  • Assign additional users/groups to the Owner, Editor, or Viewer roles through manual assignment
  • Remove users/groups from the Owner, Editor, or Viewer roles by editing manual assignments
  • View and edit the object record details
  • Select the object record in an object reference field or when creating a relationship between two object records
  • Delete the object record

The only additional privilege Owners have over Editors is the ability to add/remove users from the Owner role.

Editor

Users must get the Editor role through a sharing rule or through manual assignment. With this role, you can:

  • Assign additional users/groups to the Editor or Viewer roles through manual assignment
  • Remove users/groups from the Editor or Viewer roles through manual assignment
  • View and edit the object record details
  • Select the object record in an object reference field or when creating a relationship between two object records
  • Delete the object record

Viewer

Users must get the Viewer role through a sharing rule or through manual assignment. With this role, you can:

  • View the object record details
  • Select the object record in an object reference field or when creating a relationship between two object records

Custom Role

In vaults that use Matching Sharing Rules, Admins can add more application roles to the object.

The available actions for a custom role are based on the permission setup for the object:

  • Read: View the object record details and select the object record in an object reference field or when creating a relationship between two object records
  • Edit: Edit the object record details
  • Delete: Delete the object record

Users with a custom role cannot use manual assignment. Users with the Editor or Owner role cannot assign users to custom roles via manual assignment.

No Role

Without a role, you cannot see the object record details, including details visible on the hover card. You also cannot select the object record from an object reference field or when creating a relationship between two object records. If a field would default to an object record that you can’t access, Vault does not apply the default value. 

Dynamic Access Control does not hide object records that link to a record you cannot view. For example, Gladys has no role on the product CholeCap, but she does have Read access on several Product Label object records that reference CholeCap, so she can still open those labels even though she cannot open the CholeCap record itself.

Roles & Access After Enablement

Immediately after enabling Matching or Custom Sharing Rules on an object, there will be no role assignments on the object records. At this point, only users with the Vault Owner Actions: All Object Records: All Object Record Edit permission can access records in order to manually assign access. By default, only the Vault Owner security profile includes this permission. Make sure that the user enabling and configuring access control has the appropriate permissions.

Role Assignments on Object Records

There are three ways users can get access to an object record:

  • Matching Sharing Rules assign an Auto Managed group (maintained via User Role Setup records) to a role on any record where the record’s matching field values align with the User Role Setup record values.
  • Custom Sharing Rules define a query and assign specific users to roles on any record that meets the query criteria.
  • Manual Assignment allows a user with appropriate permissions to navigate directly to the record and add specific users/groups to roles on that record only.

Manual Assignment

When you enable DAC (through “Matching Sharing Rules” or “Custom Sharing Rules”) for an object, users with the Editor or Owner role on an object record can manually share that record by adding another user to a role. Users with the Edit permission on an object record can add or remove manual assignments for any standard or custom role configured in the object lifecycle. Note that users must be assigned to the Owner role to add or remove an owner. 

Users can never use manual assignment options to remove groups assigned through sharing rules.
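The following Python model is an added illustration of the assignment rules described in "Role Assignments on Object Records" and "Manual Assignment" above; it is not Vault code and does not use the Vault API. It collapses Auto Managed groups to their member users, treats the record creator's automatic Owner role as a manual assignment (an assumption, so that an Owner can later remove it), and uses hypothetical user names and field names such as `country__c`. What it shows is the logic a practitioner should expect: a User Role Setup record grants its role only when every matching field agrees, a Custom Sharing Rule grants its assignments only where its query matches, a user with no role gets no access at all, an Editor may share as Editor or Viewer but may not add an Owner, and nobody can manually strip a role that a sharing rule granted.

```python
"""Toy model of Vault DAC role resolution: added illustration, not Vault's code or API.
Groups are collapsed to individual users; users, objects and field names are hypothetical."""
from dataclasses import dataclass, field
from typing import Callable

# What each standard DAC role lets a user do, as described on this page.
ROLE_PERMISSIONS = {
    "Owner":  {"read", "edit", "delete", "assign_viewer_editor", "assign_owner"},
    "Editor": {"read", "edit", "delete", "assign_viewer_editor"},
    "Viewer": {"read"},
}
STANDARD_ROLES = set(ROLE_PERMISSIONS)


@dataclass
class UserRoleSetup:
    """One User Role Setup record: a user, a role, and the matching-field values."""
    user: str
    role: str
    match: dict


@dataclass
class CustomSharingRule:
    """A Custom Sharing Rule: a record query plus explicit user -> role assignments."""
    query: Callable[[dict], bool]
    assignments: dict


@dataclass
class RecordAccess:
    """Role assignments on one record, kept apart by origin: only manual
    assignments may later be removed manually."""
    record: dict
    rule_roles: dict = field(default_factory=dict)    # user -> {roles} from sharing rules
    manual_roles: dict = field(default_factory=dict)  # user -> {roles} from manual assignment


def apply_sharing_rules(record, setups, custom_rules):
    """Compute rule-driven roles on a record. The creator's automatic Owner role is
    modelled as a manual assignment (assumption), so another Owner can remove it."""
    ra = RecordAccess(record=record)
    if record.get("created_by"):
        ra.manual_roles.setdefault(record["created_by"], set()).add("Owner")
    # Matching Sharing Rules: every matching field on the setup record must equal the record's value.
    for s in setups:
        if all(record.get(f) == v for f, v in s.match.items()):
            ra.rule_roles.setdefault(s.user, set()).add(s.role)
    # Custom Sharing Rules: the query decides which records receive the listed assignments.
    for rule in custom_rules:
        if rule.query(record):
            for user, role in rule.assignments.items():
                ra.rule_roles.setdefault(user, set()).add(role)
    return ra


def roles_of(ra, user):
    return ra.rule_roles.get(user, set()) | ra.manual_roles.get(user, set())


def permissions(ra, user):
    """Union of permissions over the user's roles; no role means no access at all."""
    perms = set()
    for role in roles_of(ra, user):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def _check_actor(ra, actor, role):
    if role not in STANDARD_ROLES:
        raise PermissionError("custom roles cannot be granted or revoked by manual assignment")
    needed = "assign_owner" if role == "Owner" else "assign_viewer_editor"
    if needed not in permissions(ra, actor):
        raise PermissionError(f"{actor} may not manage the {role} role on this record")


def manual_assign(ra, actor, target, role):
    _check_actor(ra, actor, role)
    ra.manual_roles.setdefault(target, set()).add(role)


def manual_remove(ra, actor, target, role):
    _check_actor(ra, actor, role)
    if role in ra.rule_roles.get(target, set()):
        raise PermissionError("assignments granted by a sharing rule cannot be removed manually")
    ra.manual_roles.get(target, set()).discard(role)


# Constructed sample data (hypothetical users, field names and values).
SETUPS = [
    UserRoleSetup("bob", "Editor", {"country__c": "US", "product__c": "CholeCap"}),
    UserRoleSetup("gladys", "Viewer", {"country__c": "DE", "product__c": "CholeCap"}),
]
CUSTOM_RULES = [
    CustomSharingRule(query=lambda r: r.get("status__v") == "approved",
                      assignments={"qa_lead": "Viewer"}),
]
RECORD = {"name__v": "CholeCap US Label", "country__c": "US", "product__c": "CholeCap",
          "status__v": "approved", "created_by": "alice"}


def demo():
    """Evaluate the rules on the sample record, then try a few manual assignments."""
    ra = apply_sharing_rules(RECORD, SETUPS, CUSTOM_RULES)
    out = {u: sorted(roles_of(ra, u)) for u in ("alice", "bob", "gladys", "qa_lead")}
    out["gladys_can_read"] = "read" in permissions(ra, "gladys")  # country mismatch: no role
    manual_assign(ra, "bob", "gladys", "Viewer")                    # an Editor may share as Viewer
    out["gladys_after"] = sorted(roles_of(ra, "gladys"))
    try:
        manual_assign(ra, "bob", "gladys", "Owner")                 # only Owners may add Owners
        out["editor_grants_owner"] = True
    except PermissionError:
        out["editor_grants_owner"] = False
    try:
        manual_remove(ra, "alice", "bob", "Editor")                 # bob's Editor role came from a rule
        out["owner_strips_rule_role"] = True
    except PermissionError:
        out["owner_strips_rule_role"] = False
    return out


if __name__ == "__main__":
    print(demo())
```

Keeping rule-granted and manually granted roles in separate sets is the point of the model: it is what makes "manual assignment can never remove a sharing-rule group" checkable, and it mirrors why a record's Sharing Settings page shows the two origins separately.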

How to Manually Assign Users

To manually assign users:

  1. Navigate to the object record details page, and then to Sharing Settings. You can access records through Admin > Business Admin or a custom tab.
  2. In the Access via Manual Assignment panel, click + Add.
  3. Select a Role. (See role details.)
  4. Select one or more Users and Groups.
  5. Click Save and review the new assignments.

To remove a user or group from a manual assignment, use the Actions (gear) menu on the individual assignment and select Delete.

Viewing Record Sharing Settings

If you have access to view an object record, you can navigate from that record’s details to its Sharing Settings page. On this page, you can see any role assignments that apply to the record.
