Manage record access policies
Beta feature
Beta features should be considered “in development” and may not be fully supported or complete. Beta features are available as a preview for testing purposes and may be unstable. They should be used with caution in production environments.
Overview
When a new policy is created, its status is always set to Disabled by default.
A policy and its rules won’t be in effect until its status is set to Enabled. This gives administrators the ability to build and configure new policies before they are activated across the system for all users.
The status of a policy can be enabled or disabled by editing the details of a single policy.
Once a policy status is enabled, its rules will take effect immediately across the system.
Enable a record access policy
Record access policies can be enabled from the Record access policies settings page.
- Click the name of the record access policy you want to enable from the list of policies.
- Change the policy Status to Enabled and then click Save.
Once enabled, the policy and its rules will take effect immediately across the system.
Edit a record access policy
To edit the details of an existing policy, navigate to the policy’s details screen.
From this screen you can make the following changes to existing record access policies:
- Edit the policy name.
- Edit the policy description.
- Change the status of the policy.
- View the details of each policy rule.
- Delete the policy.
Edit a policy
- In the Skedulo web app, navigate to Settings > Record access policies.
- Open the policy you want to edit by clicking on it from the Record access policies list view.
- Make any edits you want to make to the Policy name, Policy description, or Status of the policy.
- Click Save to finalize the changes and apply them to your org.
Record access policy templates
Policy templates are policies with a set of predefined rules that enforce data access business requirements. These templates allow administrators to quickly create a new policy for a common use case without having to manually create each rule.
Once a policy has been created from a template, its rules can be edited further using the API.
Template roadmap
Skedulo may add more templates or edit existing ones over time as the overall product evolves. If a template changes in the future, any existing policies previously created from that template will not get those changes applied automatically.
Preview policy rules
The details of policy rules can be viewed without being enforced by doing one of the following actions:
- Create a policy, but keep the status set to Disabled. Click the policy name in the Record access policies page and view the rules that comprise it.
- If the policy has not yet been created, then click Create Policy and view the rules in the Create Policy page. Click Cancel to return to the Record access policies page without creating the policy.
Policy template: Data isolation by region
The Data isolation by region policy template defines rules that limit the data records that users can see to those that are associated with their region.
To use this policy, you must ensure that all non-administrator users are associated with a region. If non-administrator users are not assigned to a region, they will not see any region-based data at all and will not be able to use the Skedulo web app.
See Assigning regions to policy user groups.
Important
Allocating or offering work to users in multiple regions: If a job or shift is allocated or offered to resources in multiple regions, then schedulers who can’t see all the relevant regions will only see the allocations or offers for resources in their own region(s). This may cause the work item to appear as though it has not been allocated or offered to anyone.
Manage policies via the API
Refer to the Skedulo Lens API Reference Guide for information on how to manage policies and rules via the API.
Policy rules define the data access filters for the policy. They are request query filters that limit the data that is returned for any request made by the Skedulo web app, mobile app, or API.
A rule always has to be part of a parent policy. Rules are enabled and disabled via the parent policy.
Each rule consists of the following fields:
Field | Description |
---|---|
Description | A short description explaining how the filter in the rule works. |
Object type | The name of the data object type that the rule applies to. For example Resources, Jobs, or Accounts. You can also specify a hasLookup name here that will match all objects that have a lookup relationship with the specified name, for example hasLookup:Region. |
Filter | The EQL filter to be applied. See the developer documentation for more information about EQL filters. |
Access type | Controls whether the rule denies or allows access to data. Valid values are deny and allow. |
Excluded permissions | Users that have a role with any of the permissions in the provided list will be excluded from the rule. For example, you may have a rule for Jobs that denies access unless the job is allocated to the current user. This rule is intended for resources, so you can exclude schedulers by adding a permission exclusion for skedulo.tenant.schedule.allocation.dispatch. See also Functional permissions and custom roles. |
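The rule fields above, modelled as an added example (not Skedulo's code and not the Lens API schema): it reports which objects each rule would filter for a given user and flags users who are bound by a hasLookup:Region rule but have no region, the condition the Data isolation by region section warns about. The data shapes, the example.admin.placeholder permission, and the assumption that the region rule exempts administrators through that permission are constructed for illustration; EQL filters are not evaluated.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    description: str
    object_type: str        # e.g. "Jobs", or "hasLookup:<lookup name>"
    access_type: str        # "deny" or "allow"
    excluded_permissions: frozenset = field(default_factory=frozenset)

def rule_targets(rule, obj, lookups):
    """True if the rule's object type covers obj, given obj's lookup names."""
    if rule.access_type not in ("deny", "allow"):
        raise ValueError(f"invalid access type: {rule.access_type!r}")
    if rule.object_type.startswith("hasLookup:"):
        return rule.object_type.split(":", 1)[1] in lookups
    return rule.object_type == obj

def rule_binds_user(rule, permissions):
    """A user holding any excluded permission is exempt from the rule."""
    return not (rule.excluded_permissions & set(permissions))

def preflight(rules, users, schema):
    """Return (objects filtered per user, region-bound users with no region)."""
    report, no_region = {}, []
    for name, user in users.items():
        bound = [r for r in rules if rule_binds_user(r, user["permissions"])]
        report[name] = sorted({obj for r in bound for obj, lk in schema.items()
                               if rule_targets(r, obj, lk)})
        region_bound = any(r.object_type == "hasLookup:Region" for r in bound)
        if region_bound and not user["regions"]:
            no_region.append(name)
    return report, no_region

# Constructed sample data: object lookups, rules and users are illustrative only.
SCHEMA = {"Jobs": {"Region", "Account"}, "Resources": {"Region"}, "Accounts": set()}
DISPATCH = "skedulo.tenant.schedule.allocation.dispatch"
ADMIN = "example.admin.placeholder"  # placeholder, not a real Skedulo permission
RULES = [
    Rule("Deny jobs not allocated to the current user", "Jobs", "deny",
         frozenset({DISPATCH})),
    Rule("Limit region-linked records to the user's regions",
         "hasLookup:Region", "deny", frozenset({ADMIN})),
]
USERS = {
    "scheduler": {"permissions": [DISPATCH], "regions": ["Region A"]},
    "resource": {"permissions": [], "regions": []},
    "admin": {"permissions": [ADMIN, DISPATCH], "regions": []},
}
if __name__ == "__main__":
    print(preflight(RULES, USERS, SCHEMA))
```

Running a check like this against an export of users and draft rules while the policy is still Disabled shows who would lose visibility before the status is switched to Enabled.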