polarpro Posted September 3, 2010

Hey,

This is about granularity and record access. It has turned out that the FileMaker solution I developed requires a more "individual" way of dealing with user rights. The solution holds all sorts of "knowledge management" records (hints for other users, instructions, library entries, and so on).

The records of the category "Library" can be viewed by everyone; records of the category "Division A" can be viewed only by the members of division A (same for B, C, D...) Some records cannot be viewed by freelancers, some can only be viewed by the record's creator himself. Many user groups overlap. As a matter of fact, I would like to go so far that every user who creates a record decides himself which groups can view his records.

So, I am looking for a suitable way of marking users and records. For a while I've used a user table for this; but this turned out to be not the best solution. After all, FileMaker has to check for every record in the main table if the current user has the appropriate rights ticked in the related user table. Looking up this information makes the search-as-you-type very slow, so this is not an option. Furthermore, I know that user tables can be a little tricky, if not dangerous; as Steven Blackwell points out.

I'd rather use FileMaker's Accounts and Privileges settings to get things done. However, too complicated calculations slow the system down very much.

Has anybody an idea how to set up the desired settings?

Thank you very much

Mike
bcooney Posted September 3, 2010

"As a matter of fact, I would like to go so far that every user who creates a record decides himself which groups can view his records."

Perhaps that's the key. If you let the user flag the record with which groups are allowed, and then define the RLA rule to support that.
polarpro Author Posted September 7, 2010

Hello,

Thank you for your reply! This is exactly where things are getting difficult.

Currently, I have a field in my main table called "RecordAccess". Those records that can only be viewed by members of the Group "001" get a "001" written in this field. Then there is a field "RecordAccess_USR" in my user's table, too. If a user belongs to the group "001" he has "001" written in this field.

In Accounts and Preferences there is a condition that says that a record that is marked with 001 can only be viewed, if this here is true:

Case ( MainTable::RecordAccess = "001" ; MainTable_User::RecordAccess_USR = "001" ; 1 )

In words: If a record is marked with "001" in the field RecordAccess, then the result is only true, if the user has in his related User table also "001", otherwise it is false. For all other records (the ones without 001) the statement is always true.

This approach works, but it is not very fast. Can you think of a better approach? (I already was thinking of setting up individual preference sets per user...)
bcooney Posted September 7, 2010

Your approach is close, but doesn't allow for each record to have multiple groups allowed to edit/view it. Additionally, your users are limited to membership in one group (is that OK?).

I see the need for two join tables.

Users>Membership

When a user logs in, you can set their groups into a $$var, and the RLA can use that to see if the record is accessible to them.
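
One way to implement the login-time $$var and the record-level access rule described in the reply above, as an added example that is not part of the original thread. The Users and Users_Membership table occurrences, the AccountName and GroupID fields and the $$UserGroups variable are assumptions; RecordAccess is assumed to hold the allowed group IDs one per line, as a checkbox set stores them.

```filemaker
# Login script. Hypothetical names: Users, Users_Membership, AccountName, GroupID.
# Assumption: the script is set to run with full access privileges, and ordinary
# privilege sets cannot edit the membership join table themselves.
Set Error Capture [ On ]
Go to Layout [ "Users" (Users) ]
Enter Find Mode [ ]
Set Field [ Users::AccountName ; "==" & Get ( AccountName ) ]
Perform Find [ ]
# List() returns the related group IDs as a return-separated list, so a user
# can belong to any number of groups. No matching user record leaves it empty.
Set Variable [ $$UserGroups ; Value: List ( Users_Membership::GroupID ) ]
Go to Layout [ original layout ]

# Record-level access calculation for viewing MainTable records.
# It reads one local field and one global variable, with no related lookup
# per record. An empty RecordAccess means "visible to everyone"; a tagged
# record is visible only if at least one of its groups is in $$UserGroups.
# If $$UserGroups was never set, tagged records stay hidden (fails closed).
IsEmpty ( MainTable::RecordAccess )
or
not IsEmpty ( FilterValues ( MainTable::RecordAccess ; $$UserGroups ) )
```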