curtiplas Frequent Contributor.

File Field Restrictions

Hello All,


I'm developing a new Process app for our internal org to manage Employee Life Cycles at our organization. Part of the employee life cycle involves the completion of a 30, 60, and 90 day probationary plan. Our intent is to have the manager of that particular employee upload a signed PDF of those completed probationary plans to the ELCM item. I'm also driving some of the workflow/notifications, and other items off the uploading of these completed files, so I've created a file field to accommodate these attachments.

I've locked down the application such that all managers belong to a "Manager" security role, HR belongs to an "HR" security role, and myself (admin) belongs to an "Administrator" security role. Only these three roles have access to the file field in question (there are other security roles in the process app).

Is there a way to make it such that a manager cannot view the attachments uploaded by different managers? I'd be okay if these attachments didn't even show up in the list.
3 Replies
Micro Focus Contributor

Re: File Field Restrictions

Hi Curtis. If you were using traditional file attachments, I think you could restrict access to the attachments better without restricting access to the items to which they are attached. With the file field, it is much like other fields, and you can use field sections and item privileges to restrict. It sounds like you have already applied the field section permissions - so you would likely need to establish a scenario of access for managers based on owner/secondary owner fields. HR and Admins could possibly have enough privileges not to be restricted by ownership.

The options above in general are best because it is secured at the server side. If you are comfortable with simply obscuring access, then client-side JavaScript in the form could possibly be used to hide/show the field based on the current user. The easiest way to scale this approach would probably be to have fields on the form that contain the permitted users (by individual reference or group), a rule that would be true when current user is in one of those fields, and then a form action to hide the field if not true.
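
An added illustration of the distinction drawn in the reply above (not SBM code and not written by any poster): a plain JavaScript model of ownership-based filtering on the server next to client-side hiding, showing which file names reach the browser in each case. The field names, user ids, file names and function names are hypothetical, and the sample items are constructed.

```javascript
// Constructed sample data: three ELCM items, each with one uploaded plan.
// owner / secondaryOwner / attachments are hypothetical field names.
const ITEMS = [
  { id: 101, owner: "mgr_alice", secondaryOwner: null, attachments: ["alice_30day.pdf"] },
  { id: 102, owner: "mgr_bob", secondaryOwner: "mgr_alice", attachments: ["bob_60day.pdf"] },
  { id: 103, owner: "mgr_bob", secondaryOwner: null, attachments: ["bob_90day.pdf"] },
];

// Roles that are not restricted by ownership (HR and Admins in the thread).
const UNRESTRICTED_ROLES = new Set(["HR", "Administrator"]);

// Access rule: unrestricted roles see everything; a Manager sees an item's
// attachments only as its owner or secondary owner; everyone else sees none.
function canViewAttachments(user, item) {
  if (user.roles.some((role) => UNRESTRICTED_ROLES.has(role))) return true;
  if (!user.roles.includes("Manager")) return false;
  return item.owner === user.id || item.secondaryOwner === user.id;
}

// Server-side enforcement: disallowed attachments never leave the server.
function serverSideResponse(user, items) {
  return items.map((item) => ({
    id: item.id,
    attachments: canViewAttachments(user, item) ? item.attachments : [],
  }));
}

// Client-side obscuring: everything is sent, with a flag the form script
// uses to hide the field. The data is still present in the response.
function clientSideResponse(user, items) {
  return items.map((item) => ({
    id: item.id,
    attachments: item.attachments,
    hidden: !canViewAttachments(user, item),
  }));
}

// File names actually delivered to the browser, regardless of what is shown.
function namesOnTheWire(response) {
  return response.flatMap((entry) => entry.attachments).sort();
}
```

Comparing `namesOnTheWire` for the two responses is a quick review check: if a hidden file's name or URL appears in what the browser receives, the restriction is cosmetic.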
PM Thompson Outstanding Contributor.

Re: File Field Restrictions

Here's the start of an alternate approach based on Roles ... it's a little round-about. It also leaves you to write the JavaScript to hide the "File" fields.

Assuming "Manager", "HR" and "Administrator" Roles, create 3 dummy transitions:
-- "Manager Role" -- restrict by Role to "Manager" Role
-- "HR Role" -- restrict by Role to "HR" Role
-- "Admin Role" -- restrict by Role to "Administrator" Role

These transitions will never be used .. they're just there to indicate if the User has one of the 3 Roles

On your State form, add a hidden tab or section and put 3 buttons in it. Those 3 buttons get mapped to the 3 dummy transitions:
-- btn_Manager_Role -- Behavior = Perform the "Manager Role" transition
-- btn_HR_Role -- Behavior = Perform the "HR Role" transition
-- btn_Admin_Role -- Behavior = Perform the "Admin Role" transition

Add form Actions:
-- When: Form is Loaded
-- Then: Hide the hidden tab

-- When: Form is loaded
-- If: btn_Manager_Role button is visible
-- Then: --- hide the File field or run JavaScript to hide specific entries in the file field that don't belong to the current user. Since "File" fields aren't real fields (i.e. don't have a column in the Primary Table), this will be ... challenging. Maybe someone else has an idea.

... etc. ... repeat for the other 2 buttons

Deploy and assign the "Manager", "HR" and "Administrator" Roles to the appropriate Groups. Anyone with the "Manager" Role will only be allowed to execute the "Manager Role" transition .. the other 2 transition buttons will be hidden. The Form Actions detect this and hide stuff the "Manager" Role isn't allowed to see.
Because the transition buttons are on a hidden tab/section, they can't be clicked.

This would be simplified if there was a "UserHasRole" JS function.
markquah Absent Member.

Re: File Field Restrictions

My requirement is slightly different. User wants to specify who can view the document.

A separate workflow for storage of sensitive documents is created. The user will post a new sensitive document record from the main record. He can have full control of who can view the documents by selection of the owner/secondary fields. He then adds the attachment into the sensitive document record.

Use an embedded report to display the documents in the main records.

The sensitive document record is now used for storing all sorts of financial records from many workflows.
