Advanced Record Type Security

Why do we need to talk about record type security? Securing content by using Record Types is a simple function in docMgt. Set up a Record Type and give users and teams “No Access”, “Read Only Access” or “Read/Write Access” and you are done – right? Well, maybe…

There are times when you need to do more than that. For example, a company may use docMgt to process invoices for multiple departments. If so, how do you keep users in Department A from seeing invoices from Department B? Well, you simply set up a separate “Invoices” Record Type for each department. That actually works perfectly, right? Well, maybe…

What if you then have a user or team of users (let’s call this the CFO level) who needs access to ALL invoices? If invoices for separate departments are in separate Record Types, you would need to add the CFO user or team to the access list for all those other Record Types. Problem solved again, right? Well, maybe…

What you have done is make it hard for the CFO level to see all invoices in one view. For example, to see all invoices for last year, they would need to search each “Invoice” Record Type separately and compile the results. This is painful and they won’t like it – I can nearly guarantee it.


Advanced Security Method

So how can you satisfy both levels of users? How can you give the CFO one place to see everything but give the departments a way to segment their data? The answer is by understanding and leveraging the full behavior of Record Types.

Remember, Record Types are not designed to be a limitation. They are a classification and nothing more. All Records are stored globally. Record Types simply allow you to classify the Records by type and use that classification for security, searching and indexing.

In the example above, you really need to think about how to classify the Records in question. Start with the CFO-level access and work toward the more secure department-level access. Create an “Invoices” Record Type that shows ALL invoices; the CFO level will be happy if you give them access to that. Then set up a Record Type for each department that shows the same invoices, filtered by Department.

Here is an example set of Record Types to demonstrate this concept:

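‘Invoices’ Record Type

| Field | Value | Filter |
|---|---|---|
| RecordType | Invoices | Invoices |
| Department | | * |
| Vendor | | |
| Etc | | |

‘Invoices – Dept A’ Record Type

| Field | Value | Filter |
|---|---|---|
| RecordType | Invoices | Invoices |
| Department | A | A |
| Vendor | | |
| Etc | | |

‘Invoices – Dept B’ Record Type

| Field | Value | Filter |
|---|---|---|
| RecordType | Invoices | Invoices |
| Department | B | B |
| Vendor | | |
| Etc | | |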

In the above example you give the CFO access to only the ‘Invoices’ Record Type and they will see all invoices – regardless of the Department (notice the * filter on the Department field). You give Dept A access to only the ‘Invoices – Dept A’ Record Type and they will see only the invoices where the Department field is set to A. You give Dept B access to only the ‘Invoices – Dept B’ Record Type and they will see only the invoices where the Department field is set to B.

You are really looking at the same Records, but the different Record Types allow the information to be treated as though it were stored separately. This is the best of both worlds – logical data separation without physical data separation. The following graphic demonstrates each team’s access to the records based on the above Record Type configuration.


** One very important note when configuring the security for each Record Type: if you leave the Base Security setting at “Read Write” or “Read Only”, you will be tempted to set the CFO to “No Access” on the department-level Record Types. If you do this, the system will not let the CFO see the invoices that match those department-level Record Types. This is because any time you set someone to NO ACCESS, that literally means NO ACCESS. No matter how many times you give them access through another Record Type, it won’t matter: they will have no access. The proper way to make this work is to set the Base Security of the server to No Access and then add access to the Record Types the users need. This way you don’t need to specify No Access at the Record Type level, so users will be able to see what they are specifically given access to.
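
The rule in this note, modelled as an added example (this is not docMgt code). The function names, the sample records and the assumption that Record Types without an explicit setting fall back to Base Security are illustrative only.

```python
# Simplified model of the rules in this article; not docMgt code.
# Constructed sample records: every record lives in one global store.
RECORDS = [
    {"id": 1, "RecordType": "Invoices", "Department": "A"},
    {"id": 2, "RecordType": "Invoices", "Department": "B"},
    {"id": 3, "RecordType": "Invoices", "Department": "A"},
]

# Record Types are filters over that store; "*" matches any value.
RECORD_TYPES = {
    "Invoices": {"RecordType": "Invoices", "Department": "*"},
    "Invoices – Dept A": {"RecordType": "Invoices", "Department": "A"},
    "Invoices – Dept B": {"RecordType": "Invoices", "Department": "B"},
}

NO_ACCESS = "No Access"


def matches(record, filters):
    """True when the record satisfies every field filter of a Record Type."""
    return all(want == "*" or record.get(field) == want
               for field, want in filters.items())


def visible_ids(acl, base_security):
    """Ids of the records one user or team can see.

    acl maps Record Type name -> explicit setting for this user or team.
    Assumption: Record Types absent from acl fall back to base_security.
    """
    visible = []
    for record in RECORDS:
        matched = [n for n, f in RECORD_TYPES.items() if matches(record, f)]
        explicit = [acl[n] for n in matched if n in acl]
        if NO_ACCESS in explicit:
            continue  # an explicit No Access beats any grant elsewhere
        if explicit or (matched and base_security != NO_ACCESS):
            visible.append(record["id"])
    return visible


# Tempting but wrong: permissive base plus explicit denies for the CFO.
cfo_denied = {"Invoices": "Read Only",
              "Invoices – Dept A": NO_ACCESS,
              "Invoices – Dept B": NO_ACCESS}
print(visible_ids(cfo_denied, "Read Only"))                         # []
# Recommended: base No Access, then grant only what each team needs.
print(visible_ids({"Invoices": "Read Only"}, NO_ACCESS))            # [1, 2, 3]
print(visible_ids({"Invoices – Dept A": "Read/Write"}, NO_ACCESS))  # [1, 3]
```

Running the same check for each user or team before rollout shows whether an explicit No Access is hiding records that another Record Type was meant to expose.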

 

Added Bonus to Using This Method

There is another bonus to using this method. Not only can you now secure the invoices properly, but you can also use and display different fields for each level of user. For instance, you could show Discount information that is collected through the process in a field named “Discount” to only the CFO level. Or maybe the CFO doesn’t care about the user who processed the paperwork. In that case you could have a field for “Processor” in the “Invoices – Dept A” and “Invoices – Dept B” Record Types but not in the “Invoices” Record Type. And maybe Dept B wants to also track the number of hours it took to complete the processing but other departments don’t. In that case you could add a field for that to the “Invoices – Dept B” Record Type only.

‘Invoices’ Record Type

| Field | Value | Filter |
|---|---|---|
| RecordType | Invoices | Invoices |
| Department | | |
| Discount | | |

‘Invoices – Dept A’ Record Type

| Field | Value | Filter |
|---|---|---|
| RecordType | Invoices | Invoices |
| Department | A | A |
| Processor | | |

‘Invoices – Dept B’ Record Type

| Field | Value | Filter |
|---|---|---|
| RecordType | Invoices | Invoices |
| Department | B | B |
| Processor | | |
| Completion | | |

Summary

Record Types are very flexible and are not there to limit you in any way. Think of them as built-in filters over all the data that is in docMgt and not as silos where the information resides. Thinking in terms of “silos” will limit your imagination of how to leverage the full power of Record Types.
