Record access policies
Beta feature
Beta features should be considered “in development” and may not be fully supported or complete. Beta features are available as a preview for testing purposes and may be unstable. They should be used with caution in production environments.Important
Record access policies are only available on the Skedulo Pulse Platform.Overview
Record access policies allow administrators to create filtering rules that get applied whenever data is requested via the web app, mobile app, or APIs. Record access policy rules filter the data that is returned for any given request.
Access record access policies
Note
Contact your Skedulo Customer Success representative to request access to this feature.To view and manage record access policies, navigate to Settings > Data management > Record access policies.
This page lists any existing record access policies that you have in your Skedulo instance. Each policy listed also shows whether or not it is enabled.
From this page, you can perform the following actions:
- Create a new policy.
- Edit existing policies.
- Delete policies.
Permission requirements
Only users with the Administrator role, or with a role containing the Modify record access policies permission, are allowed to create and manage record access policies.
Users with the Administrator role are automatically exempt from any record access policies and will always see all data from a Skedulo instance.
This gives administrators flexible fine-grained control over the data that each user can see based on a set of rules and conditions.
For example, you might want to enforce region isolation of your Skedulo data, where users should only see data records (such as Jobs, Accounts, Resources, etc) that belong to the region the user is associated with.
A record access policy can be configured that looks at the region associated with each job, account, resource, or other objects to be returned for a given request and filters out those with a region that is not associated with the current user.
A single policy consists of multiple filter rules. Once a policy has been created, multiple rules can be added to it, each with its own filter.
Types of record access
The normal value of Access Type is deny, which means data will only be returned if it passes the filter expression. When an object has a deny rule in effect, an allow rule can be added to override the deny rule if the given filter expression passes.
Another way to think of it is that deny filters are applied with the AND operator, while allow filters are added to any existing deny filters with the OR operator.
An allow rule on an object type that does not have a deny rule has no effect.
For example, you could have two rules on the Jobs object type:
- A rule that only returns jobs in the user’s region:
{
"description": "Deny access to Jobs unless they are in a region associated with the user",
"objectType": "Jobs",
"filter": "RegionId IN (SELECT RegionId FROM UserRegions WHERE UserId == '{{userId}}')",
"accessType": "deny",
"permissionsExcluded": []
}
- An
allowrule that also returns any jobs that have been allocated to the use (resource), regardless of regions:
{
"description": "Allow access to Jobs that are allocated to the current Resource",
"filter": "UID IN (SELECT JobId FROM JobAllocations WHERE ResourceId == '{{resourceId}}' AND Status != 'Deleted' AND Status != 'Declined')",
"objectType": "Jobs",
"accessType": "allow",
"permissionsExcluded": []
}
Important
Policy rules are extremely flexible, but can also cause the Skedulo web or mobile app to stop functioning properly if configured incorrectly. We recommend that you test new policies and their rules in a separate environment before applying them to your production system.See the API reference documentation for more information.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.