Feature - Enhanced Security for Attributes
Prior to this update, all Attribute records were visible to all users, and User Global Security flags could restrict users from changing and/or deleting Attribute records created by someone else. This release introduces two new changes:
(1) Supervisory Relationship: The supervisor of the attribute creator (owner) has the same full rights as the owner to read, change and delete the Attribute. You can define the supervisory relationship in Password Setup -> Global Security -> Supervisor Relationship. See sample screen below:
(2) Attribute Shareable Flags: The Attribute master file has three new flags to control that Attribute's security: Shareable for Read, Shareable for Change, Shareable for Delete.
By default, all three flags are set to "Y." This preserves consistency with previous security functionality in User Global Security. If you set any of these flags to "N," that tightens the access to any Attributes of that type:
- Shareable for Read: If you are not the creator of an Attribute and do not supervise the creator of an Attribute, and this flag is set to "N," you will not see any Attribute of this kind attached to any record.
- Shareable for Change: If this flag is set to "N," and you are not the creator of an Attribute and do not supervise the creator of an Attribute, you will not be able to change it, even if the Global Setup Security flag Allow Change To Others' Attribute is set to "Y."
- Shareable for Delete: If this flag is set to "N," and you are not the creator of an Attribute and do not supervise the creator of an Attribute, you will not be able to delete it, even if the Global Setup Security flag Allow To Delete Others' Attributes is set to "Y."
3. Allow Change To Others' Attributes
4. Allow To Delete Others' Attributes
These two flags above are still in use after this update. But now we have three different areas that control the security in Attributes:
A. Supervisory Relationship
B. Attribute Code Shareable Flags
C. User Global Security
Hierarchy of Attributes Security
To understand how the three different areas interact, the following is the hierarchy by which the system determines whether a user has a right to a particular attribute:
- If the user is the owner of the attribute, then the user has the full right.
- If the user is the supervisor of the attribute owner, then the user has the full right.
- If the user is not the owner or supervisor of the owner, then the right is subject to the shareable flags in the attribute codes. If they are set to "N," the user will not have that particular right even if the corresponding Global User Security flag is set to "Y." If they are set to "Y," then it is subject to the corresponding User Global Security Flags. If the User Security Flag is set to "Y," then the user has the right; otherwise, the user will not have the right.
- The two User Global Security Flags are considered as the "minimum right," not the "super right." That is because even if the flag is set to "Y," it does not override the Attribute Code Shareable flags.
- Keep in mind that there are no User Global Security Flags to limit a user's right to read an attribute. The right to read an attribute is subject to the Shareable Read flag in Attribute code setup.
- To view/read an Attribute, you must be its creator, or supervise its creator, or the Attribute master Shareable for Read flag must not be set to "N."
- To change an Attribute, you must be the creator of the Attribute, or supervise its creator, or have your Global Setup Security flag Allow Change to Others' Attribute set to "Y" and the Attribute master Shareable for Change flag must not be set to "N."
- To delete an Attribute, you must be the creator of the Attribute, or supervise its creator, or have your Global Setup Security flag Allow To Delete Others' Attributes set to "Y" and the Attribute master Shareable for Delete flag must not be set to "N."
JEG
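The hierarchy above can be expressed as a single decision function. The following is an added illustration, not code from the product: the class names, the `supervisors` mapping and the sample users are hypothetical, and it assumes supervision is direct only (the page does not say whether it is transitive).

```python
from dataclasses import dataclass

@dataclass
class AttributeCode:
    """Shareable flags on the Attribute master; all three default to "Y"."""
    read: str = "Y"
    change: str = "Y"
    delete: str = "Y"

@dataclass
class User:
    name: str
    allow_change_others: str  # User Global Security: Allow Change To Others' Attributes
    allow_delete_others: str  # User Global Security: Allow To Delete Others' Attributes

def has_right(user, action, owner, code, supervisors):
    """Return True if `user` may 'read', 'change' or 'delete' an attribute created by `owner`.

    `supervisors` maps a user name to the set of names of that user's supervisors
    (hypothetical structure; direct supervision only, which is an assumption).
    """
    if action not in ("read", "change", "delete"):
        raise ValueError(f"unknown action: {action}")
    if user.name == owner:                          # owner: full right
        return True
    if user.name in supervisors.get(owner, set()):  # owner's supervisor: full right
        return True
    if getattr(code, action) == "N":                # shareable flag "N" always denies
        return False
    if action == "read":                            # no User Global Security flag for read
        return True
    flag = user.allow_change_others if action == "change" else user.allow_delete_others
    return flag == "Y"                              # "minimum right", checked last

def rights(user, owner, code, supervisors):
    """Set of actions `user` is allowed on an attribute created by `owner`."""
    return {a for a in ("read", "change", "delete")
            if has_right(user, a, owner, code, supervisors)}

# Constructed sample data: bob supervises alice; carol has both global flags "Y".
SUPERVISORS = {"alice": {"bob"}}
ALICE, BOB = User("alice", "N", "N"), User("bob", "N", "N")
CAROL, DAVE = User("carol", "Y", "Y"), User("dave", "N", "N")
LOCKED_CHANGE = AttributeCode(change="N")  # Shareable for Change set to "N"

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL, DAVE):
        print(u.name, sorted(rights(u, "alice", LOCKED_CHANGE, SUPERVISORS)))
```

When auditing a configuration, run the same matrix for every Attribute code whose flags were changed from the default and compare the result with the access you intended for non-owners.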