Location, Department & Function permissions

Location/Department/Function (LDF) permissions are the most complex types of permissions to set up in Platform. Typically, large organizations with complex internal policies require the level of access control provided by LDF.

LDF permissions act as filters that are applied before any role-based, user-based, or relationship-based permissions are applied. LDF permissions are set on individual records. This is in contrast to user, role, and relationship-based permissions, which are set on objects and components such as views. LDF permissions specify whether a user can access a particular record. Actions on records, such as viewing, editing, creating, and deleting, are controlled by user, role, and relationship-based permissions.

The system User object has LDF permissions enabled by default. LDF permissions are enabled by adding the Organization attribute to the object. If an administrator has disabled LDF permissions for the User object, you can re-enable them by adding the Organization attribute to the User object.

LDF permissions are based on the following objects, which are defined in the Organization Management standard application. You must install that application before you can use LDF permissions:

  • Location
  • Department
  • Function
  • Group

When you set up LDF permissions, you use Location, Department, and Function to model an organization. Each of these objects lets you create records in a hierarchy. For example, in the screen below the Department records Telesales and Regional Sales fall under the Sales department:

Figure: Organization Management (Department records)

The Group object represents a group of users. Each Group record can have a Location, a Department, and a Function, as well as a list of users who are members of the group. A user can belong to zero or more groups. LDF permissions apply to a group, so a user has the union of the LDF permissions of all groups to which the user belongs. See LDF groups for more information about groups.

You set LDF permissions on records. LDF permissions are enabled for an object by adding the Organization attribute to it, which adds the Location, Department, and Function fields to the object. You then assign values to these fields in records. Users who belong to a group whose values are the same or higher in the hierarchy than the values in an object record can access that record. See Assigning LDF values to records for details about setting LDF values in records.

The example below illustrates how LDF permissions work; normal permissions are applied after LDF permissions. In this example, Joe has permission to access the Acme Lead record because the group Sales Reps has permission to access records with the location Boston and the department Sales. However, user/role/relationship permissions still apply. For example, for Joe to view the record, Joe must also have View permission for the Lead object.

Figure: LDF Example 1

The example below shows how LDF permissions work with hierarchical values. The function Sales Rep is a child of the function Sales VP. Joe can access the Acme Lead record because his group's function is Sales VP and the Acme Lead record's function is Sales Rep. However, the Lead object must allow View permission for either Joe or for the Sales Mgmt role for Joe to view the record.

Figure: LDF Example 2

The example below shows how LDF permissions prevent a user from accessing records outside that user's organization. In this example, Joe's group has the location Boston, but the Acme Lead record has the location Chicago. Therefore, Joe cannot access the record, even if the user Joe or the role Sales Mgmt is granted user-based or role-based permission to access it.

Figure: LDF Example 3
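To make the evaluation order in the three examples above concrete, here is an added Python model of it. This is illustrative code written for this page, not Infinite Blue's implementation: the function names (`covers`, `ldf_allows`, `can_view`), the Chicago Reps group used to show the union of group permissions, and the layout of the permission tables are constructed for the example, and it assumes every group and record has all three LDF values set (the page does not describe blank values, so they are not modelled).

```python
"""Model of Location/Department/Function (LDF) filtering before object permissions.

Illustrative example, not Infinite Blue's own code. Hierarchies are
child -> parent maps; None marks a root. Values are taken from the
examples on the page; the Chicago Reps group is constructed for the
union-of-groups case.
"""
from dataclasses import dataclass

LOCATION = {"Boston": None, "Chicago": None}
DEPARTMENT = {"Sales": None, "Telesales": "Sales", "Regional Sales": "Sales"}
FUNCTION = {"Sales VP": None, "Sales Rep": "Sales VP"}


def covers(tree, group_value, record_value):
    """True if the group's value equals the record's value or is an ancestor of it."""
    node = record_value
    while node is not None:
        if node == group_value:
            return True
        node = tree.get(node)
    return False


@dataclass(frozen=True)
class Group:
    name: str
    location: str
    department: str
    function: str
    members: frozenset  # user names


@dataclass(frozen=True)
class Record:
    name: str
    obj: str  # the object the record belongs to, e.g. "Lead"
    location: str
    department: str
    function: str


def ldf_allows(user, record, groups):
    """LDF filter: a user passes if ANY group they belong to covers the record
    on all three dimensions (the union over the user's groups)."""
    return any(
        user in g.members
        and covers(LOCATION, g.location, record.location)
        and covers(DEPARTMENT, g.department, record.department)
        and covers(FUNCTION, g.function, record.function)
        for g in groups
    )


def can_view(user, record, groups, user_roles, view_perms):
    """LDF filter first; only then are user/role View grants on the object consulted."""
    if not ldf_allows(user, record, groups):
        return False
    grant = view_perms.get(record.obj, {"users": set(), "roles": set()})
    return user in grant["users"] or bool(user_roles.get(user, set()) & grant["roles"])


def run_examples():
    sales_reps = Group("Sales Reps", "Boston", "Sales", "Sales Rep", frozenset({"joe"}))
    sales_mgmt = Group("Sales Mgmt", "Boston", "Sales", "Sales VP", frozenset({"joe"}))
    chicago_reps = Group("Chicago Reps", "Chicago", "Sales", "Sales Rep", frozenset({"joe"}))  # constructed
    boston_lead = Record("Acme Lead", "Lead", "Boston", "Sales", "Sales Rep")
    chicago_lead = Record("Acme Lead", "Lead", "Chicago", "Sales", "Sales Rep")
    joe_roles = {"joe": {"Sales Mgmt"}}
    results = {}
    # Example 1: group values match the record, so the object's View grant decides.
    results["ex1_with_view"] = can_view("joe", boston_lead, [sales_reps], {},
                                        {"Lead": {"users": {"joe"}, "roles": set()}})
    results["ex1_no_view"] = can_view("joe", boston_lead, [sales_reps], {}, {})
    # Example 2: the group's function Sales VP is the parent of the record's Sales Rep;
    # View is granted to the Sales Mgmt role rather than to Joe directly.
    results["ex2_via_role"] = can_view("joe", boston_lead, [sales_mgmt], joe_roles,
                                       {"Lead": {"users": set(), "roles": {"Sales Mgmt"}}})
    # Example 3: record in Chicago, group in Boston: the LDF filter blocks access
    # before any user or role grant is looked at.
    full_grant = {"Lead": {"users": {"joe"}, "roles": {"Sales Mgmt"}}}
    results["ex3_chicago"] = can_view("joe", chicago_lead, [sales_mgmt], joe_roles, full_grant)
    # Union of groups: membership in a Chicago group as well lets Joe pass the filter.
    results["ex4_union"] = can_view("joe", chicago_lead, [sales_mgmt, chicago_reps],
                                    joe_roles, full_grant)
    return results


if __name__ == "__main__":
    for case, allowed in run_examples().items():
        print(f"{case}: {'access' if allowed else 'no access'}")
```

Note that `ex3_chicago` is refused even though `full_grant` gives Joe both a user and a role View grant on Lead: the grant is never consulted because the LDF filter runs first, which is the point of the third example.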

You can set up LDF permissions in any way that matches your organization's needs.

Note: Adding LDF permissions to a large number of records can affect application performance. Infinite Blue does not recommend adding LDF permissions to dependent objects (such as order line items) that are accessible only through a master object (such as an order).

Follow these general steps to implement LDF permissions:

  1. Install the Organization Management application. See Installing and updating applications from the Marketplace App for information about installing applications.
  2. Create records in the Location, Department and Function hierarchies as required.
  3. Define groups for your users and assign LDF attributes to each group.
  4. Enable the Organization attribute on objects for which you want to use LDF permissions.
  5. Assign LDF values to object records.

The following topics describe how to set up LDF permissions.