Skip to main content
Version: Current

Understanding Data Permissions Basics (All, Own, Related)

While standard Permissions control what actions users can perform, Data Permissions control which specific records (e.g., which invoices, which suppliers) users can see within a Zudello team.

Purpose:

To restrict data visibility based on a user's role or relationship to the data, ensuring users only see information relevant and appropriate for them (principle of least privilege).

How it Works:

  • Data Permissions are configured by administrators in Team Settings > Data Permissions.
  • Rules are created for specific Resources (e.g., Transaction - Purchase Invoice, Relationship - Supplier).
  • Each rule defines an Access Type (All, Own, Related) and potentially specific Conditions.
  • These rules are then assigned to User Groups.
  • A user's visibility is the sum of all Data Permission rules granted by all groups they belong to in that team.

Common Access Types:

  1. All:

    • Grants: Visibility to all records of the specified Resource type within the team.
    • Use Case: Administrators, finance controllers who need full visibility.

  2. Own:

    • Grants: Visibility only to records where the user is listed as a direct Assignee.
    • Use Case: AP Clerks seeing only invoices assigned to them, approvers seeing only documents assigned to them via the "Requests" submodule (which implicitly uses assignment).

  3. Related:

    • Grants: Visibility based on matching data between the record and the user's profile or other accessible records. This is the most flexible type.
    • Configuration: Requires defining Conditions. You compare a field on the Resource (e.g., Invoice Department) to a field on the User (e.g., User Department).
    • Use Case Examples:
      • Allow Department Managers to see all transactions coded to their specific Department.
      • Allow users to see Suppliers located in their Country.
      • Allow users to see POs linked to Requisitions they submitted.

Interaction with Standard Permissions:

  • A user needs both the standard #VIEW/#VISIBLE permission (from User Groups) and appropriate Data Permissions to see records.
  • If a user has #VIEW permission but their Data Permissions rules don't match a specific record, they still won't see that record.
  • If Data Permissions grant visibility, but the user lacks #VIEW permission for the module/submodule, they still won't see the record.

Data Permissions provide essential security and data segregation within a team.

See also: Data Permissions Explained (How-To) See also: Troubleshooting: User Cannot See Documents/Data