The Groups and Data Access feature allows users to control data access on records at runtime. Based on the restrictions imposed, all options work only on the data that a particular user has access to. For example, there may be 500 records in a table, but the current user only has access to 100 of them. In this scenario, if the user tries to draw a chart for the data, the application would only consider the 100 values that the user has access to, and would draw the chart based on those values.
To implement the data access policies, we first need to create groups of relevant users. These groups are then given corresponding data access.
Imagine a company with two offices in the same city. The downtown office is small and reserved for top executives because of its prestigious location, making it the official company address. However, due to limited space, most employees can’t work there. Instead, middle managers and other staff work from a separate back office located in another part of the city.
In this setup, Diana Ross and Kevin Charles are based in the back office, while their manager, Uma Jenkins, operates from the downtown office. Uma wants access to all employee records, but Diana and Kevin should only be able to view information about back-office employees. To enforce this, Diana and Kevin can be assigned to a “back office group,” with specific data access restrictions applied to limit their view to back office records only. Let’s go over how this access control can be set up.
Step-by-step guide to create a group and implement data access
Step 1: Invoke the Groups and Data Access option
Click on the App Settings icon and select the Application Settings option.
In the App Settings panel, click on the Groups and Data Access option.
Step 2: Create a group
Click the + Create Group button.
The Create Group window is displayed. This window lists all the users of the current portal.
Provide Group Name and Description.
Select the desired users to be included in the group and then click the Create Group button. As per our use case, we would add Diana Ross and Kevin Charles to the group.
The group is created with the selected users.
Now let us configure how much access the group's members are given.
Step 3: Apply Data Access rule
Click the group name.
Click the Data Access tab.
Click the Add Data Access Record link.
Select the relevant object.
Select the desired field of the selected object.
Select the suitable operator.
Select the desired value.
Click the Save button.
We have placed the restriction on the Employee data, as follows:
For the Employee records, if the Office Location is Helena Avenue Office, then show the records to the users in the Helena Avenue back office group. This means that if the office location is something else, then these records are off-limits to the members of the group.
Now let's check the data access restrictions we just imposed on Employee records, by clicking on its link.
The current logged-in user is Diana Ross. We can see that she can only see the employee records that belong to the Helena Avenue Office.
In contrast, Uma Jenkins can see all the records, as she is not a part of the group for which the data access restrictions were imposed.
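The rule configured above can be modelled as a record-level filter. The following is an added example, not the product's own code: the class and function names, the operator names, the "Downtown Office" value, the extra employee and the handling of a user who belongs to several restricted groups are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

# Assumed operator names; the page does not list the product's operators.
OPERATORS = {"equals": lambda a, b: a == b, "not equals": lambda a, b: a != b}

@dataclass(frozen=True)
class DataAccessRecord:
    obj: str
    field_name: str
    operator: str
    value: str

@dataclass
class Group:
    name: str
    members: set
    rules: dict = field(default_factory=dict)  # object name -> record

    def add_rule(self, rule):
        # From the page's notes: one object can be used only once.
        if rule.obj in self.rules:
            raise ValueError(f"{rule.obj} already has a data access record")
        self.rules[rule.obj] = rule

def visible_records(user, obj, records, groups):
    """Records of `obj` that `user` may see."""
    rules = [g.rules[obj] for g in groups if user in g.members and obj in g.rules]
    # Users outside every restricted group see all records (Uma's case).
    # Assumption: if several groups restrict the user, every rule must match.
    return [r for r in records
            if all(OPERATORS[x.operator](r.get(x.field_name), x.value) for x in rules)]

def headcount_by_office(user, records, groups):
    """Chart-style aggregate computed only over the visible records."""
    return Counter(r["Office Location"]
                   for r in visible_records(user, "Employee", records, groups))

# Constructed sample data; "Sample Executive" and "Downtown Office" are invented.
EMPLOYEES = [
    {"Name": "Diana Ross", "Office Location": "Helena Avenue Office"},
    {"Name": "Kevin Charles", "Office Location": "Helena Avenue Office"},
    {"Name": "Uma Jenkins", "Office Location": "Downtown Office"},
    {"Name": "Sample Executive", "Office Location": "Downtown Office"},
]
back_office = Group("Helena Avenue back office group", {"Diana Ross", "Kevin Charles"})
back_office.add_rule(DataAccessRecord("Employee", "Office Location", "equals", "Helena Avenue Office"))
GROUPS = [back_office]

if __name__ == "__main__":
    for user in ("Diana Ross", "Uma Jenkins"):
        print(user, dict(headcount_by_office(user, EMPLOYEES, GROUPS)))
```

In this model, a user who is left out of every group is unrestricted, so the effective restriction depends on group membership being kept accurate.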
Notes
One object can only be used once in data access records.
If a user wants to add other objects to the data access records, they can add them using the Add Data Access Record link.
If a user wants to add other properties of the same object to the data access restrictions, they can add them using the Add Filter link.