OrgChart Help Guide

Branch Level RLS Example

Audience: Administrators

Edition: Enterprise

Overview

Branch Level RLS allows Administrators to restrict access to certain fields for the branch of the assigned user. For example, you can restrict managers to view only the Salary data for themselves and their subordinates.

The following article provides step-by-step instructions for configuring a Conditional RLS profile using the Branch Level rule type.

Configuring a 'Branch Level' RLS Profile
  1. Log in to OrgChart.

  2. Click on the Mode Switcher icon in the Top Toolbar, and then select the Setup option. The Setup panel is displayed.

  3. Click on the Account Settings tile, and then click on the Security tab in the left side menu.

  4. Click on the Create New Profile button (under the Row Level Security heading). The Security Configuration panel is displayed.

  5. Enter a name for the profile in the Name text box.

  6. Optionally, enter a description of the RLS profile into the Description text box.

  7. Click on the round plus icon (to the right of the Security Rules heading). Conditional Rule 1 is added to the Security Rule column.

  8. Click on the round plus icon (to the right of the Definitions heading). The Conditional Definition Editor panel is displayed.

  9. Click on the Rule Type dropdown menu, and then select the Not In option.

  10. Click on the New Condition button.

  11. Click on the Field dropdown menu, and then select the Switch to Branch Level option.

  12. Click Save. The conditional definition is displayed in the Definition column.

  13. Click on the round plus icon (to the right of the Fields heading), and then select a Field from the dropdown menu.

  14. Click Save.

  15. Assign this RLS profile to an Access Group. Reference the Row-Level Security article for instructions on how to assign an RLS profile to an Access Group.

Testing Permissions

Administrators can log in as users with different levels of access to test permissions. Reference the Admin User Impersonation article for more information.

The following section tests the Branch Level RLS profile configured above, which states that employee records that are NOT IN the Self + Subordinates Branch Level of the assigned user do not display Budget or Salary.

Without Row Level Security
[Screenshot: BLRLS_NoSecProfile.png]
With Row Level Security

The following screenshot is the result of the Branch Level RLS when signed in as Pauline Dinh:

[Screenshot: BLRLS_SECAPPLIED.png]
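
The rule tested above can be modeled to predict what each impersonated user should see before checking it in the product. This is an added example, not OrgChart's own code: the function names, the sample hierarchy and all values are constructed, and only "Pauline Dinh", Salary and Budget come from this article.

```python
# Added illustration, not OrgChart code. Only "Pauline Dinh", Salary and Budget
# come from the article; all other names, values and reporting lines are constructed.
RESTRICTED_FIELDS = {"Salary", "Budget"}  # fields attached to the RLS profile

ORG = {  # id -> record; "manager" holds the supervisor's id
    "ceo":     {"name": "Sample CEO",    "manager": None,      "Salary": 300000, "Budget": 900000},
    "pauline": {"name": "Pauline Dinh",  "manager": "ceo",     "Salary": 150000, "Budget": 400000},
    "report":  {"name": "Sample Report", "manager": "pauline", "Salary": 90000,  "Budget": 50000},
    "peer":    {"name": "Sample Peer",   "manager": "ceo",     "Salary": 140000, "Budget": 350000},
    "other":   {"name": "Peer Report",   "manager": "peer",    "Salary": 80000,  "Budget": 20000},
}

def branch_of(org, viewer_id):
    """Return the ids in the viewer's Self + Subordinates branch."""
    children = {}
    for emp_id, rec in org.items():
        children.setdefault(rec["manager"], []).append(emp_id)
    branch, stack = set(), [viewer_id]
    while stack:
        emp_id = stack.pop()
        if emp_id in branch:  # already visited: tolerate cyclic manager data
            continue
        branch.add(emp_id)
        stack.extend(children.get(emp_id, []))
    return branch

def visible_records(org, viewer_id, restricted=RESTRICTED_FIELDS):
    """Records NOT IN the viewer's branch are returned without the restricted fields."""
    # Fail closed: a viewer missing from the data has no branch at all.
    branch = branch_of(org, viewer_id) if viewer_id in org else set()
    view = {}
    for emp_id, rec in org.items():
        if emp_id in branch:
            view[emp_id] = dict(rec)
        else:
            view[emp_id] = {k: v for k, v in rec.items() if k not in restricted}
    return view

if __name__ == "__main__":
    for emp_id, rec in visible_records(ORG, "pauline").items():
        print(emp_id, rec)
```

Comparing this expected view against what the impersonated session displays makes it easy to spot a profile that was assigned to the wrong Access Group or is missing a field.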