Dear Team,

We are facing an issue with the access rights for the records in contact and account. By default, in the object permissions for contact and account, all access is provided to the system admin and all employees. Later we added the portal user in the operational permission, along with a few organization roles, and provided the access shown in the attached screenshot [Object_Permission.png] for both contact and account.

 

As the portal user was not able to view the record even though the access was provided, we disabled the use operation permission and updated the record permission. By doing that, all the access for the record was removed.

 

Later, we enabled the use operation permission again and updated the record permission, but the access that was removed in the previous step wasn't provided to the records [Record.png].

 

There are more than 1 lakh records in both sections. How can we provide the access back to all the records from the object permission?


1 comments

Hello Amritha,

 

We already have a support ticket regarding this issue.

Please refer to your case regarding this issue.

 

Thank you,

Artem.


Dear Team,

 

We have written a process to provide access to a lead based on the owner selected. Attached is a screenshot of the process [Access Provided to the Employee.jpg].

But the manager of the employee defined in the organizational structure and the manager above the employee in the structure are also able to edit the lead whereas they need to have only read only option as defined in the process.

 

Organizational Structure via screenshot

 

 

TopMost Manager.jpg

                Manager’s Manager.jpg

                                Employee Manager.jpg

                                                Employee.jpg

 

In the process, we have specified only the read and edit options for Employee and other roles [tried hardcoding to read only], but still they are able to edit the lead.

Are there any changes to be done in object permission? 

 

Thanks in advance!

 


2 comments

Adding to the above question, we noticed that access assigned at record level to any record is not working as expected. Even if all the users are given only read access, the users are still able to edit the record in version 7.18.5.1500.

 

Amritha Mayan Gorky,

 

Hello, 

 

In our system, managers of a group inherit all the access rights of other users in this group. It's expected OOB behavior and this logic cannot be overwritten with a business process, meaning that even if you remove the access rights with the help of a business process, they will be granted on a system level.

As of now, such behavior cannot be changed with the help of basic system tools and requires development.

Also, we already have a corresponding query for our R&D team to implement the described functionality in the upcoming versions.

I will assign this case to the project in order to increase its priority.

Thank you for helping us to make our application better!

Best regards, 

Anastasiia

 


Hi all,

I have a system admin with the name John.

I need to distribute access rights for accounts based on the account owner, so John should see only the accounts where he is the owner.

 

thanks all 


5 comments

Hi Ibrahim,

 

just enable the record permissions in the object permissions part of the system designer.

That's exactly what you need. Only the users which are saved in the creator and owner fields will have access by default.

 

BR,

Robert

Robert Pordes,

 

Thanks Robert 

Robert Pordes,

 

Hello Robert, 



Many thanks for your reply!

 

Ibrahim Nour El-Din,

 

Hello, 

 

Let me add a bit more details to Robert's answer. 

 

The permission mechanism (“Use record permissions” in the [ Object permissions ] section of the System Designer) is based on the record authorship. If the record author is a member of the role specified in the “Record author” column, Creatio will grant permissions to the receiving role specified in the “User or role who obtains permissions” column. If the receiving role is subordinate, its management role will inherit the granted permissions.

 

However, by default, Creatio grants maximum access permissions to the following users:

- The system administrators with permissions to the “Add any data,” “View any data,” “Edit any data,” and “Delete any data” system operations. These settings have a higher priority than the settings specified in the [ Object permissions ] section.

- The record author and the management role of the author, including the ability to delegate permissions to other users.

- The record owner and the management role of the owner, including the ability to delegate permissions to other users.

 

Please refer to the below article for more detailed information: https://academy.creatio.com/docs/user/setup_and_administration/user_and…

 

In case you have any additional questions, please let us know!

 

Best regards, 

Anastasiia

Hi Anastasiia

Can you explain to me which is the management role of the owner?

A user can belong to one or more roles.

Stefano Bassoli,

 

Thank you for your question.

 

The manager of the owner of the record will also be granted the same permissions as the owner of the record. In other words, if your employee creates a record, you will inherit the same permissions as your employee.

 

Please let us know if additional questions arise.

 

Best regards,

Anastasiia
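
The inheritance rules described in the replies above, and in the earlier reply about managers still being able to edit a lead, modelled as an added example (not Creatio code and not part of the original posts). The reporting chain, the user names and the `effective_rights` and `excess_rights` helpers are constructed; the model assumes rights from different sources only add up.

```python
# Added model of the inheritance rules described in the replies; not Creatio code.
READ, EDIT, DELETE = "read", "edit", "delete"
FULL = frozenset({READ, EDIT, DELETE})

# Constructed reporting chain (user -> direct manager), named after the screenshots.
MANAGER_OF = {
    "employee": "employee_manager",
    "colleague": "employee_manager",
    "employee_manager": "managers_manager",
    "managers_manager": "topmost_manager",
    "topmost_manager": None,
}

def management_chain(user):
    """Every manager above `user`, nearest first."""
    chain, boss = [], MANAGER_OF.get(user)
    while boss is not None:
        chain.append(boss)
        boss = MANAGER_OF.get(boss)
    return chain

def effective_rights(user, record, explicit, admins=frozenset()):
    """Union of every source of rights named in the replies (rights only add up)."""
    if user in admins:  # holders of the "... any data" system operations
        return FULL
    rights = set(explicit.get(user, ()))  # what the business process granted directly
    for principal in {record["author"], record["owner"]}:
        if user == principal or user in management_chain(principal):
            rights |= FULL  # author/owner and their managers get maximum access
    for subordinate, granted in explicit.items():
        if user in management_chain(subordinate):
            rights |= set(granted)  # a manager inherits what a subordinate was granted
    return frozenset(rights)

def excess_rights(record, explicit, admins=frozenset()):
    """Map each user to the rights held beyond what the process intended for them."""
    report = {}
    for user in sorted(set(MANAGER_OF) | set(admins)):
        extra = effective_rights(user, record, explicit, admins) - set(explicit.get(user, ()))
        if extra:
            report[user] = sorted(extra)
    return report

# Constructed scenario: the process gives the owner read+edit and everyone else read only.
LEAD = {"author": "employee", "owner": "employee"}
PROCESS_GRANTS = {"employee": {READ, EDIT}, "colleague": {READ},
                  "employee_manager": {READ}, "managers_manager": {READ}}
```

Calling `excess_rights(LEAD, PROCESS_GRANTS)` lists every user in the owner's management chain, while `colleague`, who is outside that chain, stays at read only.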

 

 


Hello community.

I need to update access rights for Case records in the database.  

Please help me to find out the table name where access rights for case records are stored.

Thanks in advance,

Jana


3 comments
Hello Jana,

 

The table name should be SysCaseRight.

The same works for other objects - Sys[ObjectName]Right.

 

Best regards,

Bogdan S.

Bogdan, thanks for your reply. Do I understand correctly that Operation: 0-Read, 1-Edit, 2-Delete; RightLevel: 1-Granted, 0-Denied? And what do Position and SourceId mean?

Dear Jana, 



As for the Operation column everything is correct. 

Right level: 0 - Denied; 1 - Granted; 2 - Granted with right to delegate.

SourceId - Id from SysEntitySchemaRecRightSource, indicates the source from which the right was received.

Position - priority in the rights hierarchy. If a denying right has a lower number in this column, it will be considered above any other rule.



Kind regards,

Roman
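
The column meanings given in this thread, applied to a handful of rows as an added example (not Creatio code and not part of the original posts). `Operation`, `RightLevel`, `Position` and `SourceId` are the columns named above; the `RecordId` and `SysAdminUnitId` column names, every row value, and the rules that a missing row means no right and that a deny wins a tie on `Position` are assumptions of this model.

```python
from collections import namedtuple

# Codes exactly as given in the thread.
OPERATIONS = {0: "read", 1: "edit", 2: "delete"}
LEVELS = {0: "denied", 1: "granted", 2: "granted with right to delegate"}

# Operation, RightLevel, Position and SourceId are the columns named in the thread;
# RecordId and SysAdminUnitId are assumed column names. All values are constructed.
Row = namedtuple("Row", "RecordId SysAdminUnitId Operation RightLevel Position SourceId")
ROWS = [
    Row("case-1", "all-employees", 0, 1, 0, "source-default"),
    Row("case-1", "all-employees", 1, 1, 1, "source-default"),
    Row("case-1", "portal-users", 1, 0, 0, "source-process"),
    Row("case-1", "case-owner", 2, 2, 0, "source-owner"),
    Row("case-1", "all-employees", 7, 1, 2, "source-manual"),  # code outside the documented set
]

def invalid_rows(rows):
    """Rows whose codes fall outside the documented values (a bad manual UPDATE, say)."""
    return [r for r in rows if r.Operation not in OPERATIONS or r.RightLevel not in LEVELS]

def effective_rights(rows, record_id, member_of):
    """For each operation, the matching row with the lowest Position decides.

    Assumptions of this model: a user matches a row through any unit in `member_of`,
    no matching row means no right, and a deny wins a tie on Position.
    """
    bad = invalid_rows(rows)
    result = {}
    for code, name in OPERATIONS.items():
        matches = [r for r in rows
                   if r not in bad and r.RecordId == record_id
                   and r.Operation == code and r.SysAdminUnitId in member_of]
        if not matches:
            result[name] = "denied"
            continue
        winner = min(matches, key=lambda r: (r.Position, r.RightLevel))
        result[name] = LEVELS[winner.RightLevel]
    return result

def explain(rows):
    """Readable decode of each valid row, for reviewing a table dump before editing it."""
    bad = invalid_rows(rows)
    return [f"{r.SysAdminUnitId}: {OPERATIONS[r.Operation]} {LEVELS[r.RightLevel]} "
            f"(position {r.Position}, source {r.SourceId})"
            for r in rows if r not in bad]
```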


Hi Team,

 

We are trying to provide access to newly created activity but instead it provides access by default to all the employees and owner of the activity.

 

We have written a process where, as soon as the activity is created, we modify the access by removing access from all the users and by providing access to a certain user.

 

But, the process gets called but the access doesn’t get assigned or removed as provided in the process design.

 

It still shows access to all employees and owner of the activity.

 

Question: How do we provide access to a certain user when the activity is created?

 

Attached, screenshot of the activity object permission. 

Process written for the assigning the access to the activity

The access of the activity after the process has been completed.

 

Regards,

Mayan


3 comments

Amritha, 



Judging by the screenshot of the process you've sent the element "Set up Access rights " is not connected to the process. Please make sure it's connected and try again. 

If the issue persists don't hesitate to reply to this message. 



Best regards, 

Yurii. 

A few questions:

Who creates the activity? Is it an admin or a non-admin user?

If it's a non-admin user, then the above process will not work, since the process owner would be a non-admin role, and in this case you may need to make some changes in the system settings for the user to give access.

Let me know if this solves it.

sethuraghav,

Thank you for the answer, it makes perfect sense. This may certainly be the case as well. 


Hi Team,

 

  1. The supervisor provides access to a user to read and edit an already existing dashboard tab.
  2. But as soon as the user logs in, he is able to view the dashboard but has no option to edit it, as the edit button is disabled.

Question: Is there a way for the user to edit the dashboard after the access to edit it is provided?

 

Regards,

Mayan


4 comments

Hello Amritha, 

 

Such a situation can occur if this user does not have access to dashboard editing. To grant him access, double-check the operation permissions for Analytics setup and the Dashboard object permissions (both operation & record) as well. It should resolve the issue.

 

Best regards, 

Anastasiia

Thanks Anastasiia,

 

But we don't want to give complete Dashboard access to a user/role. If we add the user/role in the operation permissions for Analytics setup and the Dashboard object permissions (both operation & record), by default the user/role will have access to all the tabs present in the Dashboard.

 

We want to restrict a user/role to a certain tab only not to add and then remove access from the remaining tab

 

Or create a new Dashboard based on the roles/users.

 

Is there a way, in the general Dashboard, that I create a tab or use the old tab as shown in the above screenshot and give access to a user, and when the user logs in he can view/edit only that tab and not the rest of the tabs?

 

Regards,

Mayan

Amritha Mayan Gorky,



Hello, 

 

By default, the Dashboard object permissions are set as in the attached screenshot:

 

So this way All employees can edit all the dashboards, and it will be enough to "Set up the access rights" for a specific dashboard to prevent All employees from editing this dashboard or to grant Edit permission to a specific user.

 

However, in case the operation permissions are removed (not granted for a specific user/role), the user will not be able to edit the dashboard even if he is added to "Set up access rights" of a specific dashboard.



I would advise you to set the Dashboard object permissions as mentioned and in case you need to restrict access to the dashboard for a specific role/user simply configure the "Set up the access rights" for a specific dashboard. 



Best regards, 

Anastasiia

Thanks Anastasiia. This works perfect !


Hi community!

 

How can I achieve this case:

Only users assigned to the System administrator role are able to change the Lead stage if its value is final positive (from final positive to any other). For all other stages, all users can change this value.

 

I need a solution like the business rule: if the user's role is Admin & the stage is Satisfied then the stage is editable.

 

Other fields should be editable (cannot remove edit access to the record on the Satisfied stage)

 

 


1 comments

Dear Paulina,

 

This can be achieved by using a case setting. Just add an intermediate stage between the final and any other stage and use the option "Restrict this stage to specific users or roles" for all roles except Admin. This will allow only them to change the record from the final stage and mark that the stage was changed for ordinary users.

 

Best regards,

Angela


Hello community,

 

We are trying to restrict access of some Creatio users to specific IPs. We are doing this using the 'Range of allowed IP addresses' detail inside 'Access rules' in System users. We however cannot get this to work either on an on-premises installation or on a Creatio cloud installation.

 

Please find below a screenshot showing that a user is able to log in to the app from outside the permitted range of IPs. Are there special settings to be enabled/set to get this to work? Does the server need to be restarted, the Redis cache cleared, or any additional step taken? What are we doing wrong?

 

Thanks in advance

 


2 comments
Best reply

Hello!

It is also necessary to update the useIPRestriction parameter to the value true in web.config. If you are using a cloud instance, please approach our support team to update the value.

Apart from that, it is necessary to add the user or the role, that you want to restrict the IP access for, to the operation permission Ignore access check by IP address with NO access level.

 

Regards,

Dean
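
The conditions named in this reply, put together as an added example (not Creatio code and not part of the original posts): a check that reads `useIPRestriction` from a web.config and then models the login decision. Only the attribute name and the "Ignore access check by IP address" operation come from the thread; the XML layout around the attribute, the (first, last) shape of the ranges and all addresses are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed fragment. Only the attribute name useIPRestriction comes from the thread;
# the element layout around it is an assumption.
SAMPLE_WEB_CONFIG = """<configuration>
  <terrasoft>
    <auth useIPRestriction="false" />
  </terrasoft>
</configuration>"""

def ip_restriction_enabled(config_xml):
    """True only if useIPRestriction appears and every occurrence is 'true'."""
    root = ET.fromstring(config_xml)
    values = [el.attrib["useIPRestriction"] for el in root.iter()
              if "useIPRestriction" in el.attrib]
    return bool(values) and all(v.strip().lower() == "true" for v in values)

def in_allowed_ranges(ip, ranges):
    """`ranges` is a list of (first, last) address pairs (assumed shape)."""
    addr = ipaddress.ip_address(ip)
    for first, last in ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        # Mixed IPv4/IPv6 comparisons raise TypeError, so require one family.
        if lo.version == hi.version == addr.version and lo <= addr <= hi:
            return True
    return False

def login_check(config_xml, ignores_ip_check, ranges, ip):
    """Model of the conditions named in the reply; returns (allowed, reason)."""
    if not ip_restriction_enabled(config_xml):
        return True, "useIPRestriction is not true, so the ranges are not enforced"
    if ignores_ip_check:
        return True, "user or role holds 'Ignore access check by IP address'"
    if in_allowed_ranges(ip, ranges):
        return True, "address is inside an allowed range"
    return False, "address is outside every allowed range"

# Constructed values taken from the documentation address blocks.
ALLOWED = [("192.0.2.10", "192.0.2.50")]
OUTSIDE_IP = "203.0.113.7"
```

With `SAMPLE_WEB_CONFIG` as written, `login_check` allows `OUTSIDE_IP`, which is the symptom in the question; switching the attribute to `true` and keeping the user out of the ignore permission makes the same call return a denial.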

Dean Parrett,

Thank you Dean. It was the Web.Config setting. This was not available anywhere in the Academy/Community


Hi Community,

   I want to data bind the access rights of a sectional dashboard. I tried data binding the sysdashboard object of the particular section and exported the package. I then installed the package in another instance and found that the access rights were set to default. 

 

Please let me know if there is any method to data bind the access rights.

 

Thanks and Regards,

B ASHOK KUMAR


1 comments
Best reply

Hello!

 

Unfortunately, there is no basic way to import/export access rights from the system since it is a complicated mechanism and it cannot be extracted from the system easily. You can use custom SQL scripts in the package in order to transfer such information. Below you can find tables that store information about access rights:

  1. Sys[SectionName]Rights
  2. SysEntitySchemaColumnRight
  3. SysEntitySchemaOperationRight

Since it is a complicated task we suggest using the Marketplace application which can ease access rights setup: https://marketplace.creatio.com/app/access-rights-setup-wizard-creatio

 

Please, let us know in case any further assistance is required. 

 

Best regards,

Olga. 


Hi Community,

I want to bind the access rights of a dashboard of a particular section. I tried databinding sysdashboard object with the filter for a particular section and exported the package. I then imported the package to another instance and found that the access rights were reset to defaults.

 


0 comments