Question:
How to create Dynamic Access Control (DAC) security based on an Object that has different object field names without duplicating the User Role Setup (URS) object fields for it?
Answer:
An Object can be referenced in multiple Objects' object fields with different names. (Example: the object Drug Product is referenced as drug_product__rim in the Content Plan object and as impacted_product__rim in the Activities object.)
When an object field is configured in the User Role Setup object, Vault matches this field from the URS with a field from the object to build security. When Matching Sharing Rules are activated on the Object, Vault indicates which field from the Object it would use.
When Matching Sharing Settings are activated in an Object that is not referenced directly in the URS (but that has an object field for an Object also referenced in a URS object field), the Sharing Rule is matched by the name of the object field, not the label. If the name of the URS does not correspond to the name.
When creating a security model with Dynamic Access Control, the situation described at the beginning is a problem for the creation of Sharing Rules. Since a User Role Setup record restricts objects/documents by its route name, two separate records need to be created, which adds complexity and maintenance. To work around this issue, follow these steps:
- Locate the Objects with object fields that reference the object to create DAC security around.
- Create a hidden object field for all of these Objects. Give this field the same name on every Object.
- Use Set Default Value tokens to default the value of this field to the conflicting object field.
- Create DAC based on this object field.
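The name-matching problem and the workaround above can be checked against exported field metadata before any Sharing Rules are changed. The following is an added example, not Veeva code or part of the original article: it is a simplified model of name-based matching, the metadata is constructed, the URS field name is an assumption, and `dac_drug_product__c` is a hypothetical name for the common hidden field.

```python
# Constructed metadata: object label -> {object field name: referenced object}.
# The two *__rim field names come from the article; "Submission" is made up.
OBJECT_FIELDS = {
    "Content Plan": {"drug_product__rim": "Drug Product"},
    "Activities": {"impacted_product__rim": "Drug Product"},
    "Submission": {"application__rim": "Application"},
}
URS_FIELDS = {"drug_product__rim": "Drug Product"}  # assumed URS object field


def references(objects, target):
    """Step 1: list, per object, the field names that reference `target`."""
    found = {}
    for obj, fields in objects.items():
        names = sorted(n for n, ref in fields.items() if ref == target)
        if names:
            found[obj] = names
    return found


def matchable(objects, urs_fields, target):
    """True per object when a URS field and an object field share a name."""
    urs_names = {n for n, ref in urs_fields.items() if ref == target}
    return {obj: bool(urs_names & set(names))
            for obj, names in references(objects, target).items()}


def add_common_field(objects, target, common_name):
    """Steps 2-3: add one identically named field to every referencing object
    and record which existing field its default value is taken from."""
    updated = {obj: dict(fields) for obj, fields in objects.items()}
    defaults = {}
    for obj, names in references(objects, target).items():
        updated[obj][common_name] = target
        defaults[obj] = names[0]  # an object with several references needs a manual choice
    return updated, defaults


if __name__ == "__main__":
    print("before:", matchable(OBJECT_FIELDS, URS_FIELDS, "Drug Product"))
    fixed, defaults = add_common_field(OBJECT_FIELDS, "Drug Product", "dac_drug_product__c")
    urs = {"dac_drug_product__c": "Drug Product"}  # step 4: one URS field for DAC
    print("after: ", matchable(fixed, urs, "Drug Product"))
    print("default sources:", defaults)
```

An object that reports `False` in the "before" output is one where the matching rule has no URS field to pair with.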
Related Documentation:
- Vault Access Control Documentation: About Dynamic Access Control for Objects
- KB Article: How to Setup Dynamic Access Control on a Document in a Vault Lifecycle? (video)