Access control
Platform provides a rich variety of mechanisms for access control that let you specify which users have permission to access particular applications, objects, fields, and other components. These mechanisms include:
- Role-based access control, where you set permissions based on users' roles.
- User-based access control, where you set permissions for individual users.
- Relationship-based permissions, where you set permissions based on users' relationships to objects.
- Location/Department/Function (LDF) permissions, where you allow access to particular objects and/or relationships based on a hierarchical grouping of users.
You can choose to use the mechanisms that best meet the needs of your application and organization. The detailed setting of all required permissions can be a tedious task, but it gives you full control over user access to all data in Platform.
Platform checks permissions using the above mechanisms at the following times:
- When displaying applications and menus available to the current user.
- When displaying a list of records in a view or chart. If the user does not have access to certain records (because of relationship-based permissions or LDF), they will not be shown.
- When displaying a page to view or edit a particular record. If the user tries to access a record without authorization, Platform displays an Access Denied error message.
- When presenting a list of records to create relationships (either in a popup window or a picklist).
- When displaying search results.
- When accessing Platform through APIs.
When displaying links to related records, Platform does not check permissions for the current user. Permissions are checked, however, if the user tries to navigate to a related record.
The following topics describe how the mechanisms work and how to implement each.