Row level security means that the security access rights is not only set on specific windows or specific functions. It means that you can specify what data the user is allowed to view and operate on. The Foundation1 Framework supports this functionality with a Security Check or Predifened Row Level Security, but in other cases row level security must be constructed in each entity where this is needed.
The data a user can operate on is restricted to the data the user can query from the views. The row level security filter should be built into the views so only the data the user should have access to is returned.
Example 1:
The view adds the restriction that you can only see Quick Reports where you are the owner.
Example 2:
This view adds a restriction to only show data based on a setup made in
another entity, in this case
UserAllowedSite.
The UserAllowedSite entity defines which sites a user should be
able to query data from. An administrator with access to the UserAllowedSite
registration window can manage what data other users can see in all views where a
condition like WHERE site IN (SELECT site FROM user_allowed_site_pub p
WHERE p.site = site) is added.
In IFS Applications there are some predefined filters for row level security that can be applied to a view by setting a property in the entity model. The existing row level security filters are listed in the modeling reference documentation DbRowLevelSecurity.
Example 3:
Two row level security filters are added to the base view for the entity.
The @SecurityCheck annotation can be used to enforce security checks related to application business logic. This could be used to verify whether the current user has the rights to modify data related to a particular company or select data from other views than the base view.
Anywhere data should be filtered based on who is querying you should add a where statement in the view, if the Framework services from above could not be used.
An administrator can configure custom row level filters. This is not a development step. Instead you can do this in Solution Manager on a specific permission set. But this only applies to activities which is mainly used in integrations with other applications. Read about Permission Set Filters for more information.