I think there might be a bug in the field-level permission settings, in that the Everyone role overrides other roles.
I’m trying to lock down a single field in a Module to be edited by a “Manager” user. The use case is that a user in role Everyone submits a request, and a manager approves or declines the request.
I’ve created a role of Manager and assigned that to a user.
At the Pages level I’ve set Read to: allowed, and Inherit for the other two. So the page content is visible to all roles.
On the Record page for the module with the field to be locked I’ve set the following for all roles:
Allow on Read Module, Read Record and Update Record. Inherit on all others.
This allows everyone to edit / create records in the module in all fields. So far so good.
At this point at the specific field level in the module, all fields are Inherit, which means all fields are editable.
Next, I want to set role Everyone to Update Deny and role Manager to Update Allow for the individual field I want to lock down.
This SHOULD result in the field being non-editable, EXCEPT by the Manager.
However, the setting in role EVERYONE always takes precedence.
If I turn it around and set Everyone to Allow and Manager to Deny, the Manager can still edit the field.
So here, again, the role Everyone wins out. This means that even if I create a new set of roles, the default Everyone role will impact me.
Am I missing something in the authorisation hierarchy, or is there a legitimate bug here?
Thanks for your thoughts!