Question:
To remove a Reference record from a Claim object, the Remove object action permission of the Link Target object needs to be enabled.
If the Remove object action permission in Link Target is enabled for a security profile, it gives all the users of this security profile permission to remove the Reference.
Is there a way to grant the Remove permission on a Reference to a particular role only in a certain state?
Answer:
An admin can secure the relationship between the Claim object and the Claim Target object and grant the Edit permission only to a particular role in a particular state.
Let's take the Owner role and the Draft state as an example. The admin needs to complete the following steps:
- Navigate to Admin --> Configuration --> Objects --> Claim --> Relationships.
- Click Claims Targets.
- On the Claim field page, click the Edit button.
- Select the Secure relationship option.
- Once the relationship is secured, the admin should be able to see the relationship in the Atomic Security: Relationships section in each state of the Claims Lifecycle (Admin --> Configuration --> Object Lifecycles --> Claims Lifecycle).
- In the Draft state, navigate to the Atomic Security: Relationships section, change the Default state behavior to Read, and add Owner as Edit.
- In all other states, change the Default state behavior to Read in the Atomic Security: Relationships section.
In this way, only the Owner can remove the Reference from the Claim records in the Draft state.
Note: Keep the following points in mind.
- The Remove option is visible to any user whose Security Profile has the Remove action enabled for the Link Target object.
- The following error occurs if a user in any role other than Owner performs the Remove action.
- When the Claim record is in the Approved state and there is only one Reference, the Owner is able to remove the Reference. Removing the Reference reverts the Claim back into the Draft state.
When the Owner attempts to remove a reference in an Approved Claim with more than two References, the Owner is unable to do so because only the Read permission for Claim Target relationships is granted within an Approved Claim.
When the Owner attempts to remove a reference in an Approved Claim with only one Reference, the Owner is able to do so because removing the last reference in a Claim reverts the Claim back into a Draft state. Since the Owner is given Edit permission for Claim Target relationships within a Claim in a Draft state, the system uses the user's permission for Claim Target relationships of Claims in a Draft state to determine whether the action is allowed.
Related Documentation:
Vault Help Documentation: Configuring Atomic Security on Relationships