LDF groups

The Organization Management application contains a Group object that allows you to assign combinations of LDF values to groups and to add users to groups to create sophisticated organization-based permission structures. Each group has zero to three assigned LDF values. This means members of that group have permission to access to all LDF records (regardless of their object type) that match these values (root node or any node below it).

When you create a group, you give it a name and assign values to any or all of the LDF fields:

New Group

You can assign individual users to a group in one of two ways:

  • Edit a user and assign it to one or more groups. To do this, you first need to edit the Edit User page to add the lookup field Groups to the page (see Editing pages for details). The resulting selector on the page opens a window and allows you to select one or more groups:

    Groups Selector

  • Edit a group and add users to it. To do this, you first need to edit the Edit Group page to add the lookup field Users to the page (see Editing pages for details). The resulting selector on the page opens a window and allows you to select one or more users.

    Select Users for Group

The screen below shows the view page for a user who is a member of two groups. The read-only LDF Filter field shows the exact LDF permissions for the user. The LDF Filter field is useful for verifying a user's assigned permissions. The Groups field displays the user's group memberships. Within each group, attributes are connected by a logical AND. Groups are connected by a logical OR. In this example, Mike has permission to access all locations under United States for the department Operations because the Executives group is assigned the location United States:

LDF Filter

Keep the following in mind when creating groups and assigning users to them:

  • If a record has no value for an LDF field, only users whose group has no value for that field can access the record. For example, if a record has no value for the Department field, a user whose group has the value Sales for Department cannot access that record.
  • If you create a group without any LDF values, members of that group will have full access to all records with LDF permissions enabled. Only users in that group or an administrator can access a record with no assigned LDF values.
  • A non-administrative user that does not belong to any group does not have access to any records with LDF permissions enabled.
  • Administrative users have full access to all records.