Roles-Based Security

Individual users inherit their security rights based upon their Security Roles. You can think of applying a Security Role to a user. It is also appropriate to state that users belong to a Security Role. One user can have an infinite number of Security Roles. One Security Role can have an infinite number of users.

Layered Security

Because individual users can have multiple Security Roles, it is appropriate to think of each role as a layer. The user’s access to information in the system is based upon the sum of all of the roles they have assigned to their record.

Additive Security

Access to certain information must be granted.  A user cannot see the item and, in most cases, has no way to know the item exists until a Security Role that can access that information is applied to the user’s record by a SPoC.  For example, most users don't know a Background Checks page exists until they are given a Security Role that can at least view that page.

The following entities must be added before a user can interact with them:

1. Pages
2. Sub Pages
3. Quick Add Page Rights
4. Reports
5. Tools
6. Explicitly Secured Actions

Gain Highest Level of Access

When a user has multiple roles impacting any of the above entities, they gain the most access afforded to them by any Security Role. For example, if a user has a role that allows them only to view/read records on the Contacts page and one that allows them to edit records on the Contacts page they are allowed to edit records on the Contacts page.

Looking at it more generically, If a user has read rights to a page via Security Role A and you're giving them another Security Role B, you don't need to add read permissions for that same page to Security Role B. The user gets all of A and all of B.

Each Role can have access to specific tools and reports if needed. 

Roles can also grant access only to specific tools/reports. You don't need to grant rights to any new page in order to use a role to give access to specific tools/reports.

Restrictive Security

Once a user has access to information, it may be necessary to restrict some part of that information. By default, granting rights to a page gives all users with that role the right to all views, fields, and records on that page. Restrictive security allows a supervisor to fine-tune what the users who have that role can actually see on the page.
 
The following entities must be restricted in order to remove them from view:

1. Specific records on a page. (for example, a celebrity’s contact record on the Contact record)
2. Specific Page Views on a page (for example, Major Donors on the Donors page) 

When a user has a role that restricts an entity in the database, that user is always restricted from that entity regardless of their other roles.