Record List - filter records based on the user's role

Hi,
Is it possible, in a Record-List page, to filter records based on the user’s role?

I will try to elaborate a little bit.
Let's suppose there are two roles:

  • “BasicRole” - members of this role must have RESTRICTED access.
  • “PowerfullRole” - members of this role must have UNRESTRICTED access.

In a Record-List page, a user who is a member of the “PowerfullRole” should be able to see all records, no matter the record’s owner;
on the other hand,
a user who is a member of the “BasicRole” should see only records that belong to them (record.ownedBy=${userID}).

I know there are workarounds, like creating two distinct Record-List pages for the same module: the first page would display filtered records and “BasicRole” users would have access to it,
and the second page would display all records and only “PowerfullRole” users would be able to access it,
but this way I would have to duplicate almost all pages (and, of course, it would later be a tremendous maintenance effort).

Also, one more question please: besides ${recordID}, ${ownerID} and ${userID}, are there other variables that could be used in a record filtering expression?

Unfortunately no, you can’t; there are many workarounds for this, but it would be an ugly solution.

Regarding the variables, you can call the fields directly, but based on the docs there are no other variables.

Hi.
I’m new to this system of role management; I normally worked with hierarchical roles, typical in the CRM world.
It sounds strange that you can’t achieve the normal behaviour of a CRM system: a normal profile can see only its own records, and a profile with higher permissions can see all records owned by profiles with lower permissions.
I want to deeply understand how roles work in Corteza; ASAP I’ll do some tests, but maybe someone from the Corteza team will answer.

Maybe there is a way to say in “powerfullrole” that it can have access to all records owned by “basicroles” in the expressions input area?

Ideally, I would imagine a single contextual role, but we would need to add access to role membership – I’ll make a proposal if we want to add this.

As for how you could solve this, this is the solution that came to mind.

Two roles: one regular role for the administrator and one contextual role where you check if the user is the owner (I check for some module field, but the same concept applies).

The regular role is assigned to the user that can see all records; the other user doesn’t get any roles (in my case) – contextual roles are applied at run-time.

My module looks like this:

Then for the roles, I set Allow for the Authenticated (everyone) role to list and search for records for this concrete module.

Next, in the module edit screen, I set Deny for the Authenticated role for read records for the concrete module, and Allow for both the basic contextual role and the all regular role.


This then produces the following result:


This works because whenever the contextual role applies the evaluation results in Allow.
If the role does not apply, it falls back to the next check which would be either the Authenticated or all role (in my case).

1 Like
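
A simplified model of the evaluation order described in the post above, as an added example (not Corteza's own code and not part of the original thread): the contextual role is checked first, then the regular role, then Authenticated. The types and names (Record, User, Role, tiers, CanRead, Visible) and the sample records are constructed for illustration.

```go
package main

import "fmt"

// Record and User are constructed stand-ins, not Corteza types.
type Record struct{ ID, OwnedBy uint64 }
type User struct {
	ID    uint64
	Roles map[string]bool // regular (assigned) role membership
}

// Role pairs a read rule with a membership test; a contextual role tests the record at run time.
type Role struct {
	Name    string
	Allow   bool
	Applies func(u User, r Record) bool
}

// Checked in the order the post describes: contextual, regular, Authenticated.
var tiers = []Role{
	{"basic (contextual)", true, func(u User, r Record) bool { return r.OwnedBy == u.ID }},
	{"all (regular)", true, func(u User, r Record) bool { return u.Roles["all"] }},
	{"Authenticated", false, func(u User, r Record) bool { return true }},
}

// CanRead returns the rule of the first role the user is a member of.
func CanRead(u User, r Record) bool {
	for _, role := range tiers {
		if role.Applies(u, r) {
			return role.Allow
		}
	}
	return false // no role applied: deny
}

// Visible filters a record list down to the IDs the user may read.
func Visible(u User, recs []Record) (ids []uint64) {
	for _, r := range recs {
		if CanRead(u, r) {
			ids = append(ids, r.ID)
		}
	}
	return ids
}

func main() {
	recs := []Record{{1, 10}, {2, 11}, {3, 10}} // constructed sample data
	fmt.Println(Visible(User{ID: 10}, recs))    // user 10 owns records 1 and 3
	fmt.Println(Visible(User{ID: 99, Roles: map[string]bool{"all": true}}, recs))
}
```

A user who owns nothing and holds no regular role falls through to the Authenticated Deny and gets an empty list.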

Hi @tjerman, if I want to manage something like hierarchical roles, can I achieve it with a contextual role and condition?
Suppose I have 3 roles.
role1: ceo
role2: sales manager
role3: sales person

I want the CEO to be able to read / edit all records where the owner is a user with the role sales manager or sales person.
I want users with the role sales manager to be able to read / edit all records where the owner has the role sales person.
I want users with the role sales person to be able to read / edit only records where they are the owner.

I suppose I can add a condition in the contextual role sales manager that sounds like:

owned.by.role = sales person

Is it possible?

Corteza uses a flat design so the hierarchy design is not something I would recommend doing (just because it is not natively supported).
I’m not sure you could use contextual roles to define hierarchies; they simply state when a user becomes a member of the role.

Instead of having a user with a CEO role, have the user be a member of the other two roles (so sales manager and sales person).

Contextual roles currently don’t expose access to role membership; we might change this in the future; I’ll make a proposal.

Hi @tjerman thanks for answer.
Defining a hierarchy of roles is extremely typical in CRM software, so if it is not possible I think it’s hard to use Corteza as a CRM in the main situations.
I will play with roles to understand their potential and limits, then I will come back to share my experience, hoping it will be useful for you.

1 Like

Hi @tjerman.
I will take into account your proposal with “regular role + contextual role”.
Thank you very much for your effort.

1 Like

Hello!

I have also encountered a similar problem. Instead of only one basic role, I have multiple roles that should only have access to records assigned to them.

  • Role1 - Can see records with role assigned == Role1 (Select / dropdown field)
  • Role2 - Can see records with role assigned == Role2
  • Role3 - Can see records with role assigned == Role3
  • Admin - Can see all records

While the solution given by @tjerman helps out, I can’t get it to work for multiple roles. Is there an elegant solution for this?

1 Like

What have you tried so far? A variation of the proposed solution sounds like it would work here also

I have a field in the module called assigne_to; the field holds a user ID (same as the ownedBy field).

The thing is, how can I write the expression to get the current user ID?

I tried this but no luck:
resource.values.assigne_to == ${userID}

Do contextual roles support dynamic evaluation?

If you’re writing a contextual role expression then you can refer to here on what all is available.
The userID is correct, but the expression is wrong – try resource.values.assigne_to == userID (without the interpolation; this isn’t JavaScript – it’s the same thing as with field expressions and workflow expressions).

1 Like