Sometimes, not everyone who should access a Block should see everything in the block. Perhaps a few tabs are for administrators only. Or end users should only see the information they enter themselves, and not see what has been entered by others. With a paid plan on GraceBlocks, this and more is possible by leveraging Block roles and security access level settings. When a builder adds a user to a Block, they will their Block role. This role is specific to that Block. (A user might have one role in one Block A, and a different role assigned in Block B.) The system will behave for each user according to their assigned role in that Block. This article covers the following:
- Block role definitions
- Security access level settings
- Example use cases
- Relational field control and security options
This visual to the right illustrates Block roles and their relationship to one another. To review how to apply a Block role to a user, see managing block users.
General: This is the most basic role available. This is the default role a user is assigned when added to a Block, but the builder can choose to give the user an increased access level role.*
Level 1: This role grants the first level of security and inherits the rights granted to General users.
Level 2: This role grants the second level of security and also inherits the rights granted to Level 1 users.
Builders: In addition to their building capabilities, builders are granted security access always at the highest level (Level 2).
Illustration: Block Roles and their relationships to one another
* 🔔 Role assignment of General/Level 1/Level 2, while possible on the free plan, is only meaningful when combined with the security settings outlined below in this article. Security settings become editable only when using a paid GraceBlocks plan.
Security access level settings
For each tab inside a Block, builders have access to a list of security access level settings. The default access level for each setting is General. This means General users have access to everything by default. However, for Zones on a paid plan, it is possible to increase the level a user must have to access the capability defined by the setting. For each setting, the options are General, Level 1, or Level 2. The table below lists all of the settings found for each tab. To find these settings, as a builder
- Select a tab inside a Block and click to edit tab settings (see managing tabs),
- Scroll to the bottom of the modal window
- Toggle on "Show user access security."
This will allow the builder to see and change the security access level settings.
The table below explains each setting and what it controls.
|View tab and my records||Controls access to the tab for users. When granted this access, the user can see the tab, and they can see records they have created or records where they are an assigned collaborator using the collaborator field type, or a lookup of a collaborator field type.||If you want to hide a tab from specific users of a Block, Grant the user General access and then put this setting to Level 1 or higher for access. In this case, Users of the General role for the Block will not see the tab.|
|View records without restriction||Controls which users can view all records of a tab. When granted access, the user is able to view every single record in the tab.||
Let's say you let employees track their personal quarterly goals. Employees and their managers only should see the employee's goal. To do this, you would first create a collaborator field for the Manager. Employees would indicate their manager in this field as a collaborator. Then you can set employees and managers to the General role in the block and Administrators to Level 1 access. By setting View tab and my records at General and View records without restriction at Level 1, they will only see the records they create or where they are the assigned manager. However, Administrators, if granted Level 1 access, will be able to view all goals entered.
This setting must be equal or higher than what is set for the View tab and my records setting.
|Add new record||Controls which users are able to add a brand new record to the tab. When granted access, users can add new records to the tab using all options available while logged into GraceBlocks.||If users should only review records but not add new ones, this setting can be set to a higher level, such as Level 2. Doing so would block any General and Level 1 users from accessing the add new record option within the block. (Any external web forms would still be accessible if published for people to access. They are not controlled by this setting.)|
|Allow collaborator record editing||
🔔 A user can always edit records they have created in a tab regardless of whether their security level meets this setting's prescription.
|Generally, this setting should follow the same security level access granted for the setting: View tab and my records. That means users can edit the records they can view because they are collaborators. For example, if you put this setting to Level 1, you can let individual employees have General access to only edit their personal goals while their managers can be given Level 1 access to be able to edit the records where they are the assigned Manager.|
|Edit any record||Controls which users can edit all records of a tab. When granted access, the user is able to edit every single record in the tab.||
Generally, this setting will often follow the same security access level for the setting: View records without restriction. It would users of this security level to view and edit all records. For example, if you put this setting to level 2, you can have only administrators see all records in the tab, while all other users are set to either General or Level 1 access and only either view or edit records where they are assigned collaborators or the original creator of the record.
This setting must be equal or higher than what is set for the Allow collaborator record editing setting.
|Controls access to the share feature on the tab. When granted access, the user is able to share records with people who are not necessarily users of GraceBlocks.||If you want to limit who can share records, use this security access control option to lock it down. For example, if set to Level 2, only those users with level 2 access will be able to use the share function in the tab.|
|Controls access to the download feature on the tab. When granted access, the user is able to download .csv files of the records they are able to access in the tab.||If you want to limit who can download records, use this security access control option to lock it down. For example, if set to Level 2, only those users with level 2 access will be able to use the download function in the tab.|
|Controls access to the print feature on the tab. When granted access, the user is able to print records they are able to access in the tab.||If you want to limit who can print records, use this security access control option to lock it down. For example, if set to Level 2, only those users with level 2 access will be able to use the print function in the tab.|
|Controls access to the remove records feature on the tab. When granted access, the user is able to delete records they are able to access in the tab.||If you want to limit who can delete records, use this security access control option to lock it down. For example, if set to Level 2, only those users with level 2 access will be able to use the remove records function in the tab.|
Access spreadsheet view
|Controls access to the spreadsheet view feature on the tab. This view is where most features related to building can occur. It's also the view that supports easily mass updating data. When granted access, the user is able to access and use spreadsheet view.||
You might want to limit who can access spreadsheet view for a few reasons:
1) Quick view loads faster
2) Quick view's first column is the record identifier and is locked as you scroll horizontally, which helps understand which record you are working with
3) Having fewer options for viewing data simplifies the user experience.
4) Users with spreadsheet view are able to apply mass edits via spreadsheet actions like copy/paste and dragging down cell records. If you are concerned the average user may accidentally corrupt your data, it is worth limiting access to this view.
To lock down access, for example, set access here to Level 2. then only those users with level 2 access will be able to use the spreadsheet view function in the tab.
Relational field control and security options
The security that is defined on the tab combined with the user's role will impact the options a user will see when interacting with a relational field. For example, let's say you are working with job requisitions and they have been set so that General access level users can only see job requisitions that they either create or are a collaborator. Now, let's review if job requisitions are a relational field on another tab, for example, Candidates. In this example, when the General access level users are selecting Jobs from the Candidate's tab, they will only see jobs they created or where they are a collaborator.
This is only one basic aspect of how control applies to relational fields. It's also possible to further limit the options that appear as well as entirely suppress relational fields from view where necessary. Learn more about this by reviewing options available under more field options when editing a relational field.
Learn more here: Field type: relational.