Permission Rules for Users with Multiple Roles
In real-world business scenarios, a single user may take on multiple roles simultaneously. Since different roles can have different permission settings for the same worksheet, it's important to understand how permissions are determined when a user is assigned to multiple roles.
Three Permission Levels in Role Configuration
Let’s first understand the three levels of permission configuration for roles:
- L1: View-level Permissions
  Define whether the role can view, edit, or delete records within a specific view.
- L2: Record-level Permissions
  If viewing is allowed, specify whether the user can view all records or only those they are involved in. Similarly, editing permissions may apply to all records or only the ones the user owns.
- L3: Field-level Permissions
  Determine which fields are visible or editable during record creation, viewing, and editing. This level also includes system actions like share, import, print, and custom actions.
When Do Multi-Role Permissions Matter?
Permission merging occurs when a user is assigned to multiple roles that all have permissions configured for the same worksheet.
If each role has permissions configured for different worksheets, then each role operates independently. For example:
- Role 1 only has access to Worksheet A
- Role 2 only has access to Worksheet B
A user assigned to both roles will simply inherit Role 1’s permissions for Worksheet A and Role 2’s for Worksheet B.
How Are Permissions Merged?
Permissions in a worksheet are configured at the view level. When merging permissions for multiple roles, the system:
- Lists all permission settings for each view.
- Compares permissions across roles at each level (L1, L2, L3).
- Merges permissions by taking the most permissive value at each level.
Example 1
Permissions for Role 1:
Permissions for Role 2:
Merged Permissions:
Both roles have permissions set for the same worksheet, so permission merging applies.
As shown below, the permissions from both roles are broken down into three levels and merged by taking the union (maximum permission) at each level.
Example 2
Permissions for Role 1:
Permissions for Role 2:
Merged Permissions:
Again, both roles are configured for the same worksheet. The resulting permissions are obtained by combining the most permissive settings across roles.
Explanation:
Even though Role 1 is configured with record and field-level permissions (L2: "Edit all records", L3: "Edit all fields"), the L1 setting for View B is "No edit permission".
So, for View B, the user ends up not being able to edit any records or fields, because L1 restricts editing entirely—this overrides more permissive L2 and L3 settings for that view.
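The merge steps under "How Are Permissions Merged?" and the View B case in Example 2 can be modeled as follows. This is an added example, not code from the product: the dictionary layout, the `perm` helper, the field names, and the three sample roles are all assumptions made for illustration. It also shows a consequence of merging level by level that is worth checking when reviewing role assignments: once any assigned role opens L1 edit on a view, the widest L2 and L3 settings from the other roles apply there.

```python
# Added illustration: assumed data model, not the product's own code or API.
SCOPES = ("none", "own", "all")  # L2 record scopes, least to most permissive

def perm(l1_view, l1_edit, l2_view, l2_edit, l3_fields):
    """One role's settings for one view (hypothetical structure)."""
    return {"l1_view": l1_view, "l1_edit": l1_edit, "l2_view": l2_view,
            "l2_edit": l2_edit, "l3_edit_fields": frozenset(l3_fields)}

def merge_view(perms):
    """Merge one view's settings across roles, most permissive per level."""
    return {
        "l1_view": any(p["l1_view"] for p in perms),
        "l1_edit": any(p["l1_edit"] for p in perms),
        "l2_view": max((p["l2_view"] for p in perms), key=SCOPES.index),
        "l2_edit": max((p["l2_edit"] for p in perms), key=SCOPES.index),
        "l3_edit_fields": frozenset().union(*(p["l3_edit_fields"] for p in perms)),
    }

def merge_roles(roles):
    """roles: list of {view: settings}; a view held by one role is kept as-is."""
    views = sorted({v for r in roles for v in r})
    return {v: merge_view([r[v] for r in roles if v in r]) for v in views}

def effective_edit(view):
    """L1 gates L2/L3: without L1 edit nothing in the view is editable."""
    if not view["l1_edit"]:
        return ("none", frozenset())
    return (view["l2_edit"], view["l3_edit_fields"])

# Constructed sample roles on one worksheet with views A and B.
ROLE_1 = {"A": perm(True, True, "all", "all", {"title", "status"}),
          "B": perm(True, False, "all", "all", {"title", "status"})}
ROLE_2 = {"A": perm(True, False, "own", "none", set()),
          "B": perm(True, False, "own", "none", set())}
# Grants edit on view B, but only for owned records and a single field.
ROLE_3 = {"B": perm(True, True, "own", "own", {"status"})}

if __name__ == "__main__":
    for label, roles in (("Role 1 + Role 2", [ROLE_1, ROLE_2]),
                         ("Role 1 + Role 3", [ROLE_1, ROLE_3])):
        for name, view in merge_roles(roles).items():
            print(label, "view", name, "->", effective_edit(view))
```

With Role 1 and Role 2, View B stays non-editable as in Example 2. With Role 1 and Role 3, View B becomes editable for all records and both fields, a combination neither role grants alone.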