About Roles and Access Management at Field Level

I think there might be a bug in the field level permission settings in that the EVERYONE role overrides other roles.

I’m trying to lock down a single field in a Module to be edited by a “Manager” user. The use case is that a user in role everyone submits a request, and a manager approves or declines the request.

I’ve created a role of Manager and assigned that to a user.

At the Pages level I’ve set Read to: allowed, and Inherit for the other two. So the page content is visible to all roles.

On the Record page for the module with the field to be locked I’ve set the following for all roles:
Allow on Read Module, Read Record and Update Record. Inherit on all others.

This allows everyone to edit / create records in the module in all fields. So far so good.

At this point at the specific field level in the module, all fields are Inherit, which means all fields are editable.

Next, I want to set Role Everyone to Update Deny and set Role Manager to Update Allow for the individual field I want to lock down.
This SHOULD result in the field being non-editable, EXCEPT by the Manager.

However, the setting in role EVERYONE always takes precedence.
If I turn it around and set Everyone to Allow and Manager to Deny, the Manager can still edit the field.
So here, again, the role Everyone wins out. This means that even if I create a new set of roles, the default Everyone role will impact me.

Am I missing something in the authorisation hierarchy, or is there a legitimate bug here?
Thanks for your thoughts! :slight_smile:

Hi @elgaucho

I’ve tested it, and it works. Let me send you some screenshots of how I set permissions.

For the admin only I have the following permissions set:

So, as you can see, I only moved the “Everyone” role to Deny for field update, and I set it for the Administrator role (which I use in my case) to Allow.

Now, when I view the record as the everyone role I see this in record editing mode:

But, if I am logged in as an administrator, I see:

So, as an admin I can edit the admin only field, but not as an everyone user.

Hope this helps :slight_smile:

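As an added illustration (not the platform's own code and not Lenny's), here is a small Python model of the permission resolution the thread describes: a field-level Inherit falls through to the record-level setting, and an explicit setting on a named role such as Manager overrides the Everyone role's setting. The exact precedence order, deny-wins between several named roles, and the default-deny fallback are assumptions for the model, not something the thread states; the sample settings are constructed from the use case above.

```python
from enum import Enum


class Perm(Enum):
    ALLOW = "allow"
    DENY = "deny"
    INHERIT = "inherit"


EVERYONE = "Everyone"  # implicit role every user holds


def resolve_level(settings, roles):
    """Decide one level (field or record) of the hierarchy.

    settings: {role_name: Perm}; roles: the user's named roles (Everyone is implicit).
    Returns ALLOW or DENY if this level decides, INHERIT if it defers to the next level.
    Assumption: an explicit setting on a named role beats the Everyone setting,
    and if several named roles are explicit, DENY wins.
    """
    explicit = [settings.get(r, Perm.INHERIT) for r in roles if r != EVERYONE]
    explicit = [p for p in explicit if p is not Perm.INHERIT]
    if explicit:
        return Perm.DENY if Perm.DENY in explicit else Perm.ALLOW
    return settings.get(EVERYONE, Perm.INHERIT)


def can_update_field(field_settings, record_settings, roles):
    """Walk field -> record; the first level that is not Inherit decides.
    Assumption: if nothing is explicitly allowed anywhere, the answer is deny."""
    for level in (field_settings, record_settings):
        decision = resolve_level(level, roles)
        if decision is not Perm.INHERIT:
            return decision is Perm.ALLOW
    return False


# Constructed sample: everyone may update records; only Manager may update the approval field.
RECORD_UPDATE = {EVERYONE: Perm.ALLOW}
APPROVAL_FIELD = {EVERYONE: Perm.DENY, "Manager": Perm.ALLOW}
REQUEST_TEXT_FIELD = {}  # all roles left on Inherit


if __name__ == "__main__":
    print("manager edits approval:", can_update_field(APPROVAL_FIELD, RECORD_UPDATE, {"Manager"}))
    print("everyone edits approval:", can_update_field(APPROVAL_FIELD, RECORD_UPDATE, set()))
    print("everyone edits request text:", can_update_field(REQUEST_TEXT_FIELD, RECORD_UPDATE, set()))
```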

That’s great Lenny!
I just followed your methodology and managed to replicate the functionality as expected.
I think I’ve also worked out where I went wrong.
I had created one profile as a “role tester” in my prototyping, and I was changing his roles.
I was using a hard refresh on both instances to reset roles, apparently with mixed results.
When testing it this time, and knowing from your test that it works, I logged out of the profile between role changes, and it worked.

So the lesson learned for anyone else coming along is to create completely separate profiles for each role, or as a minimum log out and back in between role changes when testing user restrictions.

Glad it worked :slight_smile:

With regard to testing with different roles: I normally use two different browsers at the same time (Firefox and Chrome), so that I’m sure that there is a clear separation in my sessions. :slight_smile:

Cheers!