How to set access controls where both conditions need to be true

Hello, we are running CM 10.1 desktop client and are having trouble working out how you can change the operator between groups we have given access to from 'Or' to 'And'.

For example, we need access to a particular folder record where staff need to be a member of Group A AND Group B to be able to view.  However it defaults to OR.

For some reason, for one record type that has default record access set, we can perform a workaround that applies the AND operator, but for other record types, this does not work.

Does anyone know how to set access to use the AND or + operator?

Also, I have tried using the exclude feature; however, this will also exclude metadata from view, as does using the DLM feature.  What I want to be able to do is have all staff see the metadata (know that the record exists) but only allow staff that are a member of two groups to be able to view the record.

  • Hello, I think the "AND" security you are referring to is actually the Referenced Copy Style. Try setting it up on your record type via these buttons:

  • Hi Jan, thanks for your input.

    This is good for a default group that then can be added to as opposed to instead of, i.e. the 'Or' operator.

    In our organisation we have the need to restrict some records to men only or women only for cultural reasons. So on an ad hoc basis, a folder may have access granted to our Anthropology team but one document inside that folder may need to be restricted to men only, but the current default method of adding access defaults to the 'or' operator, in which case, I think you would open the record up to Anthropology and all staff that are a member of the men only group.

    We need to be able to force Anthropology AND Men Only.

  • What an interesting requirement... I think you could either have special gender specific record type or subfolder which uses referenced access controls - alternatively, if you already have "women only" and "men only" groups you could use the Record Exclusions feature, if you add a group to Exclusions list on a Record, no one in the group can see the Record.

  • I have tested the exclusion feature; however, this excludes from all access, including View Metadata, which is not necessarily what users want. You still want them to know the record exists, but just not view it. This is true for the DLM feature as well.

    It's a fun one 🙂

  • Yep does sound like a fun one.

    Jan's suggestion of a Mens Only / Womens Only Document Record type may be the way to go then if the exclusion function is too restrictive. The 2x new record types would have a referenced access control applied to the Mens Group / Womens Group respectively (and possibly leaving the View Metadata open so others can see that it exists, but not open it).

    When a document scenario like the above pops up, you change the record type of the item from the current Document type, to the Mens Only / Womens Only document record type. This should then apply the default referenced access control in an AND fashion with the existing access control on the record.

    The main downside is I believe changing the record type of a record is an Admin permission function, so if the situation is regular enough, this approach may be non-viable.

    -Scotty

  • Hi Scotty, good suggestion.  I was leaning towards something similar, creating a subfolder doing the same thing if our users want to organise them separately.  The idea of a record type is good too, and existing records can be converted too.  We have a helpdesk for staff to request that sort of thing so it wouldn't be too much of a hassle.

    Thanks for that. Some really good ideas.
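A simplified model of the access semantics discussed in this thread, added here as an illustration and not Content Manager's own code or API: groups on one access list are ORed, a referenced list is ANDed with the record's own list, and an exclusion removes metadata visibility as well. The group names, staff, field names and functions are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Record:
    own: set                                        # groups granted on the record itself
    referenced: set = field(default_factory=set)    # groups referenced from the record type
    exclusions: set = field(default_factory=set)    # excluded groups
    metadata: set = field(default_factory=set)      # View Metadata list; empty = everyone

def granted(acl, groups):
    """One access list: empty means unrestricted, otherwise any listed group suffices (OR)."""
    return not acl or bool(acl & groups)

def can_view_metadata(rec, groups):
    # Exclusion removes all access, metadata included, as reported in the thread.
    return not (rec.exclusions & groups) and granted(rec.metadata, groups)

def can_view_document(rec, groups):
    # The record's own list and the referenced list must both pass (AND).
    return (can_view_metadata(rec, groups)
            and granted(rec.own, groups)
            and granted(rec.referenced, groups))

# Constructed staff and records for the scenario in the thread.
STAFF = {
    "anthro_man":   {"Anthropology", "Men Only"},
    "anthro_woman": {"Anthropology", "Women Only"},
    "other_man":    {"Men Only"},
}
RECORDS = {
    "both groups on one list": Record(own={"Anthropology", "Men Only"}),
    "referenced Men Only":     Record(own={"Anthropology"}, referenced={"Men Only"}),
    "exclude Women Only":      Record(own={"Anthropology"}, exclusions={"Women Only"}),
}

def access_matrix():
    """Map (record, person) -> (sees metadata, can open document)."""
    return {(r, p): (can_view_metadata(rec, g), can_view_document(rec, g))
            for r, rec in RECORDS.items() for p, g in STAFF.items()}

if __name__ == "__main__":
    for (r, p), (meta, doc) in access_matrix().items():
        print(f"{r:26} {p:13} metadata={meta!s:5} document={doc}")
```

Only the referenced-list row gives the outcome asked for: everyone sees the metadata, and only staff in both groups can open the document.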