Rule search order

The system is aware of the instance object hierarchy when it tries to identify a security rule to apply to a particular entity in the contextual security model.

The search order for a field level rule is:

  1. explicit rule on self
  2. explicit rule on field in parent
  3. ... until parent doesn't contain field
  4. wildcard rule on self
  5. wildcard rule on field in parent
  6. ... until parent doesn't contain field

Example: Given incident.number

Search is:

  1. incident.number
  2. task.number
  3. *.number
  4. incident.*
  5. task.*
  6. *.*

Precedence between Row and Field Level Rules

What happens if a row level rule and a field level rule are in conflict? Perhaps my row level rule indicates that I shouldn't be able to write to a particular row, but the field level rule indicates I do have write access?

In a nutshell, both rules must be met before an operation is allowed.

So, given a row level rule on incident, and a field level rule on incident.number, access to the number field would be allowed only if both rules evaluated to true.

Multiple Rules at the Same Level

What if the system, for example, finds two rules for incident.number?

The system will evaluate both rules and if either is true, then the requested access is allowed.
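
The three behaviours described on this page (search order, row and field rules both required, same-name rules OR'd) modelled in one added example; this is not the product's own code. The hierarchy, field lists, role names and SAMPLE_ACL are constructed, and three points the page does not specify are assumptions: the first rule name found in the search order is the one applied, row rules are looked up on the table itself, and access is denied when no rule matches.

```javascript
// Constructed sample data: incident extends task, as in the page's example.
const PARENT = { incident: "task", task: null };
const FIELDS = {
  task: ["number", "state"],
  incident: ["number", "state", "severity"],
};

// Rule names to try, in order, for a field-level check on table.field.
function fieldSearchOrder(table, field) {
  const chain = [];
  // Walk up the hierarchy until a parent does not contain the field.
  for (let t = table; t && FIELDS[t]?.includes(field); t = PARENT[t]) chain.push(t);
  return [
    ...chain.map((t) => `${t}.${field}`), // explicit rules, self first
    `*.${field}`,
    ...chain.map((t) => `${t}.*`), // wildcard rules, self first
    "*.*",
  ];
}

// Rules sharing one name are OR'd: any rule that is true grants access.
const anyPasses = (rules, user) => rules.some((rule) => rule(user));

// Assumption: the first name in the search order that has rules is applied.
function fieldAllowed(fieldRules, table, field, user, ifNoRule = false) {
  const name = fieldSearchOrder(table, field).find((n) => fieldRules[n]?.length);
  return name ? anyPasses(fieldRules[name], user) : ifNoRule;
}

// Row and field rules are AND'd: both must pass before access is allowed.
// Assumption: row rules are looked up on the table itself only.
function canAccess(acl, table, field, user) {
  const row = acl.row[table];
  const rowOk = row?.length ? anyPasses(row, user) : acl.ifNoRule;
  return rowOk && fieldAllowed(acl.field, table, field, user, acl.ifNoRule);
}

const hasRole = (role) => (user) => user.roles.includes(role);
const SAMPLE_ACL = {
  ifNoRule: false, // assumption: deny when nothing matches
  row: { incident: [hasRole("itil")] },
  field: {
    "incident.number": [hasRole("admin"), hasRole("incident_manager")],
    "task.number": [hasRole("itil")], // never reached for incident.number
    "incident.*": [hasRole("itil")],
  },
};
```

A user holding only itil is refused incident.number even though task.number would grant it, because the more specific rule name is found first; a user holding only admin is refused because the row rule fails.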