This page describes record view security and how to configure it.
If you're new to configuring security on your record type, see Security in Appian Records to learn how the different security configurations impact a user's ability to see your enterprise data.
Appian makes it simple to secure your enterprise data at a granular level when you use record-level security to specify who can see which records. But records are more than just a row of data—they’re a combination of data, record views, and record actions.
Using record view security, you can further secure your records by determining who can see specific record views and when.
By default, any user who can see a record can see all record views. These users will always see the default record views—Summary, News, and Related Actions—since they provide general information about a record.
However, you can conditionally show or hide any additional record views you've configured, so you can make those insights available to the right users at the right time.
For example, let's say you configured record-level security on the Case record type so that technical leads and support engineers can see all cases. But each case has an additional record view, the Customer Feedback view, which should only be visible to the assigned support engineer when the case is closed.
To show or hide additional views like Customer Feedback, you can configure one of the following options:
In the latest version of Appian, existing Visibility expressions configured on your record views are now called Security Expressions.
When you enable data sync on your record type, you can configure easy-to-maintain security rules on your record views.
Similar to security rules configured in record-level security, security rules configured on your record view allow you to translate your complex security requirements into plain language. You'll only need to answer two questions: who can see this view? and when can they see this view?
The first element of a security rule determines who can see the view.
By default, all users who can see the record can see the record view. Your security rule allows you to limit who can see the view to only users who can see the record and are found in specific groups or fields.
With the Only users found in groups option, a user can only see a record view if the user can see the record and is found in any of the groups you specify.
For example, in a Customer record type, you may have a record view called Customer Payment Plan, and you only want the finance department and executives to see this view.
To configure this security requirement, you can create a security rule on the Customer Payment Plan record view that specifies that any user who can see the customer record and is found in the Finance Department group or the Executives group can see the record view.
If a group doesn’t exist yet, you can create a new group directly from the security rule. Simply click to create a new group and use it in your security rule.
With the Only users found in fields option, a user can only see the record view if the user can see the record and is found in any User or Group fields you specify.
For example, on the Case record type, you may have a record view called Customer Information that displays the customer’s contact information and other related information. To keep the customer’s information protected, you only want the assigned support engineer and the customer’s account manager to see this view.
To configure this security requirement, you can create a security rule on the Customer Information record view that specifies that any user who can see the case record and is found in the assignedEngineer field or the accountManager field can see the record view.
You can combine the Only users found in groups and Only users found in fields options, so that a user can see the record view if they can see the record and are found in a group or in a field.
For example, in an Employee record type, you may have a Performance Review view. You want only the employee, their manager, and Human Resources to see this view.
To configure this security requirement, you can specify that if a user can see the employee record and is found in the Human Resources group or is found in the supervisor field or the username field, then they can see the record view.
This example uses a record type relationship with the User record type. Selecting the username field from the User record type is similar to using the loggedInUser() function to determine who is looking at the record view.
Once you determine who can see the record view, you can add security conditions to specify when they can see the view.
The field picker contains all record fields and relationships defined on the record type.
When creating multiple conditions against fields from the same one-to-many relationship, Appian will combine those filters using the AND_ALL operator. This includes when a field in the Only users found in fields option and the fields used in your security conditions are against the same one-to-many relationship.
For example, on the Customer record type, say you have a Cases view to display all cases related to the customer. You only want this view to be visible to support engineers who are assigned to an open case for that customer, where that same case has a service-level agreement (SLA) status of "On Time".
The security rule configuration would look something like this:
Since the fields used in the security rule are all from the same one-to-many relationship, the AND_ALL operator will be applied so that only users who meet all of the security conditions can see the view.
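The Cases view rule above, modeled in Python as an added illustration (this is not Appian code or Appian's implementation). It contrasts the AND_ALL behavior described here, where one related case must satisfy every condition, with a hypothetical evaluation in which each condition could be met by a different case. The field names status and sla_status and the sample data are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Case:
    assigned_engineer: str  # corresponds to the assignedEngineer field on the page
    status: str             # assumed field name
    sla_status: str         # assumed field name


def rule_predicates(user):
    """One predicate per element of the rule, all on the Customer -> Cases relationship."""
    return [
        lambda c: c.assigned_engineer == user,  # who: Only users found in fields
        lambda c: c.status == "Open",           # when: case is open
        lambda c: c.sla_status == "On Time",    # when: SLA status is On Time
    ]


def can_see_view_and_all(user, can_see_record, cases):
    """AND_ALL model: a single related case must satisfy every predicate."""
    if not can_see_record:  # view security never widens record-level security
        return False
    preds = rule_predicates(user)
    return any(all(p(c) for p in preds) for c in cases)


def can_see_view_independent(user, can_see_record, cases):
    """Hypothetical contrast: each predicate may be met by a different case."""
    if not can_see_record:
        return False
    return all(any(p(c) for c in cases) for p in rule_predicates(user))


# Constructed sample data: three cases related to one customer.
CASES = [
    Case("alice", "Closed", "On Time"),
    Case("bob", "Open", "Late"),
    Case("carol", "Open", "On Time"),
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user,
              can_see_view_and_all(user, True, CASES),
              can_see_view_independent(user, True, CASES))
```

In this model, alice and bob would pass the independent evaluation because other engineers' cases satisfy the remaining conditions; under AND_ALL only carol sees the view.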
The operator list displays all of the operators that can be applied to the selected field. Only operators that are compatible with the data type of the selected field display.
The following table explains the behavior of each available operator:
|Operator||Description||Applies to Data Types|
||Equal to||Text, Integer, Float, Time, Date, Date and Time, Boolean|
||Not equal to||Text, Integer, Float, Time, Date, Date and Time, Boolean|
||Less than||Integer, Float, Time, Date, Date and Time|
||Greater than||Integer, Float, Time, Date, Date and Time|
||Less than or equal||Integer, Float, Time, Date, Date and Time|
||Greater than or equal||Integer, Float, Time, Date, Date and Time|
||Matches a value in a list of values. Only available when using constants.||Text, Integer, Float, Time, Date, Date and Time, Boolean|
||Does not match a value in a list of values. Only available when using constants.||Text, Integer, Float, Time, Date, Date and Time, Boolean|
||Is empty or null||Text, Integer, Float, Time, Date, Date and Time, Boolean|
||Is not empty or null||Text, Integer, Float, Time, Date, Date and Time, Boolean|
You can select how you want to pass in the condition value using the value context menu. The options in the context menu change based on the data type of the selected field. You can enter a static text value, or use a constant to determine the value the field must evaluate to in order for users to view the record.
You can only add a security rule to a record view if your record type has data sync enabled. If your record type does not have data sync enabled, you must configure a security expression to secure your record views instead.
To add a security rule:
Select Only users… to specify that only users who can see the record and are found in specific groups or fields can see the record view.
|If you want to...||Then...|
|Add users from a group||
|Add users from a field||
|Add users from a group or field||
After you configure and save a security rule on a record view, you can edit it at any time.
To edit a security rule:
While security rules allow you to configure most of your security requirements, you may choose to configure a security expression if you need to configure more complex security conditions, or if your record type does not have data sync enabled. Depending on whether your record type has data sync enabled or not, the place where you configure and maintain your security expression will differ.
A security expression allows you to show or hide the record view from certain users based on the conditions you specify in the expression. A user can only see a record view if the security expression evaluates to true for that user.
For example, in the Employee record type, you may have a Promotion Plan view that displays an employee's next step in their career, their potential salary increase, and more. However, you only want employees to see this view if they have been at the organization over a year, and they are not in the Performance Improvement group.
Since this example requires users not to be included in a group, you could create a security expression on the Promotion Plan record view that looks something like this:
    if(
      and(
        rule!getTenure(loggedInUser()) >= 1,
        not(
          a!isUserMemberOfGroup(
            username: loggedInUser(),
            groups: cons!PERFORMANCE_IMPROVEMENT_GROUP
          )
        )
      ),
      true,
      false
    )
To add a security expression on a record view when your record type has data sync enabled:
To add a security expression on a record view when your record type does not have data sync enabled:
If you decide that you'd rather maintain your record view security using a security rule, you can replace your security expression with a security rule at any time. You can only perform these steps on a record type with data sync enabled.
To replace a security expression with a security rule:
Record View Security