To avoid this heading down a path that will cause confusion, let me try
and
provide some insight into what is happening and you should find that all
permutations of what you are getting, what folks remember, or when
things might
or might not be visible are explained.
If a field is assigned access to a group and YOU are a member of that
group
-- You will see the field AND you will see data in the field
-- You can read the data and if the group is assigned change access,
change
the field (within licensing restrictions of course)
If a field is assigned access to Public
-- EVERYONE can see the field AND EVERYONE can see data in the field
If a field has the "Allow any user to submit" option set
-- REGARDLESS OF ANY GROUP ASSIGNMENT, EVERYONE can see the field
(you have said that ANY user can submit data so they have to
be able
to see the field to submit things)
-- Whether they can see data or not is dependent on other group
settings
if NO other groups are assigned, then there will be no data
access but
you can see the field
If the Submitter, Assignee, Assignee Group, or the other implicit row
level
security groups are assigned any permission
-- REGARDLESS OF ANY GROUP ASSIGNMENT, EVERYONE can see the field
(you have said that if their group membership matches, they
can see
the data so that means they have to be able to see the field)
-- Whether they can see data or not is dependent on the CONTENT of
the
field or fields on the form that match the groups assigned
permissions
So, if ANY of the following things are true, you can see the field:
1) You are a member of a group assigned permission
2) The field has "Allow any user to Submit" assigned
3) The field has any of the implicit groups assigned (Submitter,
Assignee,
Assignee Group, or the other 1000 row level security groups you
can
create)
If NONE of these are true, you cannot see the field under any
circumstances
Once the field is visible, permissions control whether or not you can
see the
data in the field. So, just seeing the field does not mean that you can
necessarily see data in the field. OR that you can see the data for all
rows.
You may be able to for some rows but not others because of row level
security.
In the different scenarios being discussed, the permission of the group
is
generally checked and it is found that the user doesn't have permission
by
an explicit group assignment. However, the "Allow any user to submit"
or the
use of implicit groups is generally not looked at and that is the source
of
why a field would be visible when not expected.
If you look at all the items noted here, I think you will find that the
field
is visible or not and the data within it is visible or not consistently
under
the rules stated.
I hope this helps stop confusion about the rules of field visibility.
Doug Mueller
-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of Dwayne Martin
Sent: Monday, April 07, 2008 6:29 AM
To: arslist@ARSLIST.ORG
Subject: User can see fields with no permissions
Dear List,
We have a permission group called "IT". We have a form with some fields
that "IT" used to have permission to, but we have decided to remove
those permissions. So I went into the Admin Tool and removed "IT" from
the permission list in each field.
But when a test user with only "IT" permissions opens the form he can
still see all the fields. If he tries to change the data and save the
form he gets, "ARERR [333] You have no access to field : [field name]",
but with "no access" he shouldn't even be able to see the field.
I cleared the cache, and made a cosmetic change, and the cosmetic change
appears on the screen, so it isn't a caching issue.
What is going on?
(ARS 7.1, RH Linux server, Oracle 10.2 db)
Dwayne Martin
James Madison University
_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"
