RLS provides an extra layer of security by restricting access to specific records, such as assets, work orders, or reports, based on user groups.
- While RBAC controls what system functions users can access, RLS ensures that only the right people can view certain records.
This is particularly useful for government agencies managing sensitive data or businesses with multiple departments handling different asset portfolios.
- Administrators can create user groups and define access to records based on factors such as geographical areas, projects, or asset types.
For example, a regional manager may only have access to properties in their assigned area, while a field supervisor may only view records directly assigned to them. This helps prevent unauthorised access while ensuring users can see the data they need to do their job.
User groups in SpyderFlow are designed as peer groups rather than hierarchical groups.
- This means that each user group grants access to a specific set of assets, and these groups are distinct in what they provide access to. For example, one user group might give access to a particular area, such as Burke, and the property assets within that area, while another group might provide access to all vehicle assets.
- When you assign both of these user groups to a user, they will have access to all properties within the Burke area as well as all vehicle assets, regardless of which area those vehicles are located in. User groups work by combining the access provided by each group. Essentially, when a user has several user groups assigned to them, the access from all those groups is combined, allowing them to see the assets available across all the assigned groups.
It is important to note that the SpyderFlow role-based access for a user role is not carried into a user group that may have the same name (i.e. a finance role and a finance user group). The user group gives a user access to data, whilst the user's RBAC role allows them to perform actions on that data.
- For example, whilst there is a user role within SpyderFlow called finance user, you can also have a user group called finance. The user group can contain any user role type; it does not have to be just finance roles.
Taking this instance, the user group (finance) would enable a user to see a particular asset, such as a vehicle, and their RBAC role would then govern what they could do with this asset. The user group allows you to see an item; your RBAC user role governs what you can do with that item.
How Record-Level Security Works
To enable RLS, a system administrator must activate it under the security settings. Once enabled, all users will have RLS applied to their accounts, meaning they will only see records assigned to their user group(s).
Please see diagram below.
When RLS is enabled, each user must be assigned to one or more groups, which determine the data and functions they can access. If a user is part of a geographical user group, they will see all records linked to that location. However, if the “include directly assigned only” option is selected, the user will only see records explicitly assigned to them, even if they are part of a larger user group.
For example, if a finance user group is linked to all financial records, a user with “include directly assigned only” checked will only see finance records assigned to them personally, not all records under that group.
Setting Up User Groups
User groups allow organisations to apply access restrictions based on preset categories such as companies, clients, areas, projects, assets, and asset types.
When setting up a user group, the system administrator must:
- Name the group – The name should align with the business function, such as “Finance” or “NSW Region.”
- Activate or disable the group – Only active groups will control data access. Disabled groups remain in the system for reference but do not restrict data.
- Add a description – A brief explanation of the group’s purpose helps with future management.
- Set an email contact – An email address can be assigned to the group for managing user access requests.
- Define data access – Fields such as areas, projects, or asset types can be left blank to allow full access for that field, or specific values can be set to restrict access.
Managing Multiple User Groups
A user can belong to multiple user groups, and their access is determined by a combination of these groups.
For example, if a user belongs to:
- Area – Dubbo (which grants access to all records linked to Dubbo)
- Finance (which grants access to finance records)
They will see all Dubbo records, but only finance records that are directly assigned to them.
It is important to carefully design user groups, as each additional group further restricts access, ensuring that users only see the specific data they need.
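The peer-group combination rule and the “include directly assigned only” option described above can be checked against a small model before groups are rolled out. This is an added example, not SpyderFlow code: the class names, field names, sample records and the choice to treat “include directly assigned only” as a per-group flag are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    rec_id: str
    area: str
    asset_type: str
    assigned_to: str = ""               # user the record is directly assigned to

@dataclass(frozen=True)
class UserGroup:                        # hypothetical model of a user group
    name: str
    areas: frozenset = frozenset()      # blank field = full access for that field
    asset_types: frozenset = frozenset()
    active: bool = True
    direct_only: bool = False           # "include directly assigned only"

    def grants(self, user, rec):
        if not self.active:             # assumption: disabled groups are ignored
            return False
        if self.areas and rec.area not in self.areas:
            return False
        if self.asset_types and rec.asset_type not in self.asset_types:
            return False
        return rec.assigned_to == user if self.direct_only else True

def visible(user, groups, records):
    """Peer groups: a record is visible if ANY assigned group grants it."""
    return sorted(r.rec_id for r in records
                  if any(g.grants(user, r) for g in groups))

def can_act(user, groups, role_actions, rec, action):
    """The user group decides visibility; the RBAC role decides the action."""
    return any(g.grants(user, rec) for g in groups) and action in role_actions

# Constructed sample data, mirroring the Burke / vehicle example.
RECORDS = [
    Record("P1", "Burke", "property"),
    Record("P2", "Dubbo", "property"),
    Record("V1", "Dubbo", "vehicle"),
    Record("V2", "Burke", "vehicle", assigned_to="sam"),
]
BURKE = UserGroup("Area - Burke", frozenset({"Burke"}), frozenset({"property"}))
VEHICLES = UserGroup("Vehicles", asset_types=frozenset({"vehicle"}))
VEHICLES_DIRECT = UserGroup("Vehicles (direct)",
                            asset_types=frozenset({"vehicle"}), direct_only=True)

if __name__ == "__main__":
    print(visible("sam", [BURKE, VEHICLES], RECORDS))         # combined access
    print(visible("sam", [BURKE, VEHICLES_DIRECT], RECORDS))  # direct-only group
```

Running the same user through different group sets shows how one extra group or one ticked option changes the visible record set, which is the review to do before assigning groups in production.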
Please see below
It is important to remember that RBAC controls provide access based on job roles, while RLS restricts access to specific records.
By integrating RBAC and RLS, SpyderFlow delivers a security framework that supports organisations in managing access to assets and data.
- This approach not only protects sensitive information but also enhances operational efficiency by ensuring that users have the right level of access to perform their roles effectively.