Manage record access policies

Overview

When a new policy is created, its status is always set to Disabled by default.

A policy and its rules won’t be in effect until its status is set to Enabled. This gives administrators the ability to build and configure new policies before they are activated across the system for all users.

A policy can be enabled or disabled by editing its details.

Once a policy status is enabled, its rules will take effect immediately across the system.

Enable a record access policy

Record access policies can be enabled from the Record access policies settings page.

  1. Click the name of the record access policy you want to enable from the list of policies.
  2. Change the policy Status to Enabled and then click Save.

The edit policy page with enable and disable options highlighted

Once enabled, the policy and its rules will take effect immediately across the system.

Edit a record access policy

To edit the details of an existing policy, navigate to the policy’s details screen.

From this screen you can make the following changes to existing record access policies:

  • Edit the policy name.
  • Edit the policy description.
  • Change the status of the policy.
  • View the details of each policy rule.
  • Delete the policy.

Edit a policy

  1. In the Skedulo web app, navigate to Settings > Record access policies.
  2. Open the policy you want to edit by clicking on it from the Record access policies list view.
  3. Edit the Policy name, Policy description, or Status of the policy as needed.
  4. Click Save to finalize the changes and apply them to your org.

Record access policy templates

Policy templates are policies with a set of predefined rules that enforce data access business requirements. These templates allow administrators to quickly create a new policy for a common use case without having to manually create each rule.

Once a policy has been created from a template, its rules can be edited further using the API.

Template roadmap

Skedulo may add more templates or edit existing ones over time as the overall product evolves. If a template changes in the future, any existing policies previously created from that template will not get those changes applied automatically.

Preview policy rules

The details of policy rules can be viewed without being enforced by doing one of the following actions:

  • Create a policy, but keep the status set to Disabled. Click the policy name in the Record access policies page and view the rules that comprise it.
  • If the policy has not yet been created, then click Create Policy and view the rules in the Create Policy page. Click Cancel to return to the Record access policies page without creating the policy.

Policy template: Data isolation by region

The Data isolation by region policy template defines rules that limit the data records that users can see to those that are associated with their region.

To use this policy, you must ensure that all non-administrator users are associated with a region. If non-administrator users are not assigned to a region, they will not see any region-based data at all and will not be able to use the Skedulo web app.

See Assigning regions to policy user groups.

Manage policies via the API

Refer to the Skedulo Lens API Reference Guide for information on how to manage policies and rules via the API.

Policy rules define the data access filters for the policy. They are request query filters that limit the data that is returned for any request made by the Skedulo web app, mobile app, or API.

A rule always has to be part of a parent policy. Rules are enabled and disabled via the parent policy.

Each rule consists of the following fields:

| Field | Description |
|---|---|
| Description | A short description explaining how the filter in the rule works. |
| Object type | The name of the data object type that the rule applies to. For example, Resources, Jobs, or Accounts. You can also specify a hasLookup name here that will match all objects that have a lookup relationship with the specified name, for example hasLookup:Region. |
| Filter | The EQL filter to be applied. See the developer documentation for more information about EQL filters. |
| Access type | Controls whether the rule denies or allows access to data. Valid values are deny and allow. |
| Excluded permissions | Users that have a role with any of the permissions in the provided list will be excluded from the rule. For example, you may have a rule for Jobs that denies access unless the job is allocated to the current user. This rule is intended for resources, so you can exclude schedulers by adding a permission exclusion for skedulo.tenant.schedule.allocation.dispatch. See also Functional permissions and custom roles. |
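Because an enabled policy takes effect immediately, it helps to work out beforehand which rules would bind which users. The following is an added example, not Skedulo code or the Lens API schema: it models the Object type, Excluded permissions, and parent-policy status semantics described above. The dictionary keys, the lookup map, and the sample policy are hypothetical and constructed for illustration, and the EQL filter is left as a placeholder and is not evaluated.

```python
# Added illustration: field names and sample data are hypothetical,
# not the Skedulo Lens API schema. EQL filters are not evaluated here.
HAS_LOOKUP = "hasLookup:"

def rule_targets(rule, object_type, lookups):
    """True if the rule's Object type names this object or one of its lookups."""
    target = rule["object_type"]
    if target.startswith(HAS_LOOKUP):
        return target[len(HAS_LOOKUP):] in lookups.get(object_type, set())
    return target == object_type

def user_excluded(rule, user_permissions):
    """A user holding any of the excluded permissions is exempt from the rule."""
    return bool(set(rule["excluded_permissions"]) & set(user_permissions))

def rules_in_effect(policy, user_permissions, object_type, lookups, assume_enabled=False):
    """Descriptions of the rules that filter this user's requests for object_type.

    assume_enabled=True previews a Disabled policy before it is switched on.
    """
    if policy["status"] != "Enabled" and not assume_enabled:
        return []  # rules are only enforced through an Enabled parent policy
    return [r["description"] for r in policy["rules"]
            if rule_targets(r, object_type, lookups)
            and not user_excluded(r, user_permissions)]

# Constructed sample data: which lookup relationships each object type has.
LOOKUPS = {"Jobs": {"Region", "Account"}, "Resources": {"Region"}, "Accounts": set()}
POLICY = {
    "name": "Example policy", "status": "Disabled",
    "rules": [
        {"description": "Resources see only jobs allocated to them",
         "object_type": "Jobs", "filter": "<EQL filter>", "access_type": "deny",
         "excluded_permissions": ["skedulo.tenant.schedule.allocation.dispatch"]},
        {"description": "Limit region-linked objects to the user's region",
         "object_type": "hasLookup:Region", "filter": "<EQL filter>",
         "access_type": "allow", "excluded_permissions": []},
    ],
}
SCHEDULER = ["skedulo.tenant.schedule.allocation.dispatch"]  # constructed role
RESOURCE = []                                                # constructed role

if __name__ == "__main__":
    for who, perms in (("scheduler", SCHEDULER), ("resource", RESOURCE)):
        for obj in LOOKUPS:
            print(who, obj, rules_in_effect(POLICY, perms, obj, LOOKUPS, assume_enabled=True))
```

Running the preview against a Disabled policy shows which roles fall outside a rule because of an exclusion and which object types a hasLookup rule reaches.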