In this post, I’ll show you how to implement a strict record-level security model controlling access per user. After looking at the approach used until recently, I’ll show you a simpler design that leverages the latest features around synchronized records.
Database View Approach
The implementation in Appian consists of a one-to-many relationship in the database from the base record table to a second table that stores the username and the record ID this user is permitted to access.
A database view joins the two tables, and the record in Appian references this view. In the Appian record, a default filter ensures that a user only has access to “his” records.
This implementation is described in detail in this Appian playbook article. While this is scalable and works, the issue is, that Appian does not support the new synchronization features with database views, and you cannot use the latest and greatest features of records.
Synchronized Records Approach
With synchronized records and record security rules, we can implement this in four simple steps:
- Create synchronized records
- Set up security rule for user table
- Define record relationship
- Configure security rule for record table
To get started, you define two synchronized records based on the two tables. When configuring the fields for the user table, make sure to select the Record Field Type “User” for the field storing the username.
Next, define a security rule on the user table like this.
This rule defines that a user can only see his rows. This also means, that the user can only see the IDs of the related record, he has access to.
Instead of relying on a database view, create a relation between the two tables as a one-to-many record relationship.
And finally, configure the security rule for the main record like this.
The main record now inherits access control from the user table.
To combine per-user access control with role or department-based access, just add fields to your record to store the respective group IDs and add another security rule using the “Users found in fields” option. Make sure to make these fields an integer and select the “Group” field type in the record field configuration.
This simple solution does not require any database views and fully supports the latest Appian records features like custom record fields. This also greatly simplifies the aggregation of data for reporting purposes. Even more important is the ability to retrieve data directly across multiple relationships with synchronized records in one a!queryRecordType() call.
There is one more aspect I would like to point out. Appian synchronized records can use different data sources, and you can create record relationships between them. Using the approach described, you could define a record based on opportunities in SalesForce and control access through an API-supported record.