Setup group based access on GRC tables

Summary

In GRC, a user with the role of Risk Manager or Compliance Manager can view all risks and controls. To provide more segregated data to these users we need group based access. Once an application enables this on a table, users will see a new field on the form, "Access groups". Once a value is selected in this field, only those managers who are members of the groups listed, rather than all risk managers and compliance managers, will continue to have read access to the record. This feature is controlled by the property "sn_grc.enable_groups_access"; GRC admins have to enable this property from the GRC Properties module. This way customers can bifurcate / segregate data based on groups within the same role. Customers can choose to add this feature to their custom tables by doing the additional configuration below.

Instructions

Step 1: Dictionary changes

Create a column in the table on which you want to implement this feature. Note that the column should be created in the same scope as the table.
- The type of the column should be List.
- In the "Reference Specification" section, select Group (sys_user_group) as the reference.
- In the Reference qual condition, select the roles that the access group users should have. For example, if you want data segregation for risk managers, select the role "sn_risk.manager".

Step 2: Form configuration

Configure the "Access groups" field on the form.
- Navigate to the table for which you want to implement the feature.
- From the related links, click "Design form".
- Drag and drop the "Access groups" field onto the form.

Step 3: Business rules

Create a business rule on the table on which you want to implement this feature. This business rule stores the "sn_grc.enable_groups_access" property value in a g_scratchpad variable so that client-side UI policies can read it.
- The "Advanced" flag should be true on the business rule.
- The "When" field should be "display".
- In the "Advanced" section, add the script below:

    g_scratchpad.isGroupAccessEnabled = gs.getProperty('sn_grc.enable_groups_access') == 'true';

Step 4: UI policies

Create a UI policy on the table on which you are enabling this feature. This policy hides the "Access groups" field when the property "sn_grc.enable_groups_access" is false.
- Keep the default fields in the "When to apply" section of the UI policy as they are.
- The "Run scripts in UI type" field on the UI policy has to be set to "All".
- Go to the "Script" section and set the "Run scripts" flag to true. Once you select the flag, you will see the "Execute if true" field. Add the code below in the "Execute if true" script:

    function onCondition() {
        if (!g_scratchpad.isGroupAccessEnabled) {
            g_form.setDisplay('u_access_groups', false);
        }
    }

Note: Replace the column name "u_access_groups" with the name of the column you created in the table.

Step 5: ACL

a) The user groups feature is useful only if you have tight ACLs on your tables. If you have an ACL that gives risk users access to risk records, then tightening the security for managers will not be effective, because the risk users themselves are still able to view the risks. Make sure you have tight ACLs on your table. Write a new read ACL on the table as below (as in Step 4, use the name of the column you created; the example uses 'access_groups'):

    answer = true;
    if (gs.getProperty("sn_grc.enable_groups_access") == "true") {
        var groups = current.getValue('access_groups');
        answer = answer && (gs.nil(groups) || !gs.nil(groups) && new sn_grc.GRCSecurityManager().isUserMemberOfGroup(groups));
    }

b) If a table has both the confidentiality feature and the user group feature enabled, confidentiality takes preference, and the script in the above ACL should be:

    answer = new sn_grc.GRCSecurityManager().shouldCheckExistingACL(current);
    if (gs.getProperty("sn_grc.enable_groups_access") == "true") {
        var groups = current.getValue('access_groups');
        answer = answer && (gs.nil(groups) || !gs.nil(groups) && new sn_grc.GRCSecurityManager().isUserMemberOfGroup(groups));
    }

c) Write and delete ACLs: add a current.canRead() condition to all the write and delete ACLs on your table, so that a user who cannot read a record can never modify or delete it.

Step 6: UI Actions

Add a current.canRead() condition check to all the UI actions you have written on your tables. Example:
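The read-ACL decision from Step 5, modelled as a stand-alone script added here for illustration. It is not the article's code and not the Step 6 UI action example: gs, current and sn_grc.GRCSecurityManager are replaced by plain JavaScript stand-ins whose behaviour is an assumption, and the record, group and property values are constructed. It also assumes that when several read ACLs match the same table, access is granted if any one of them passes, which is what lets a loose role ACL defeat the group check that Step 5a warns about.

```javascript
// Added example (not the article's code): an offline model of the Step 5 read ACL.
// ServiceNow objects (gs, current, sn_grc.GRCSecurityManager) are replaced by plain
// JavaScript so the decision logic can be exercised without an instance.
// Assumption: when several ACLs match the same table-level read, access is granted
// if ANY one of them evaluates to true.

function isNil(v) {            // stands in for gs.nil()
  return v === null || v === undefined || v === '';
}

// Stand-in for sn_grc.GRCSecurityManager. Both methods are assumed behaviour.
function makeSecurityManager(userGroups, confidentialityCheck) {
  return {
    // A List field stores comma-separated sys_ids; the user passes if in at least one.
    isUserMemberOfGroup: function (groupList) {
      return groupList.split(',')
        .map(function (g) { return g.trim(); })
        .filter(Boolean)
        .some(function (g) { return userGroups.indexOf(g) !== -1; });
    },
    // The confidentiality decision that takes preference (Step 5b).
    shouldCheckExistingACL: function (record) { return confidentialityCheck(record); }
  };
}

// The Step 5 read ACL script, parameterised. withConfidentiality=true is the 5b variant.
function groupReadAcl(props, record, mgr, withConfidentiality) {
  var answer = withConfidentiality ? mgr.shouldCheckExistingACL(record) : true;
  if (props['sn_grc.enable_groups_access'] === 'true') {
    var groups = record.access_groups;
    answer = answer && (isNil(groups) || mgr.isUserMemberOfGroup(groups));
  }
  return answer;
}

// Combine every read ACL on the table: any passing ACL grants read (assumption above).
function canRead(readAcls, record) {
  return readAcls.some(function (acl) { return acl(record); });
}

// Step 5c / Step 6: write, delete and UI actions are gated on current.canRead() first.
function canWrite(readAcls, record, hasWriteRole) {
  return canRead(readAcls, record) && hasWriteRole;
}

// Constructed sample data.
var PROPS_ON  = { 'sn_grc.enable_groups_access': 'true' };
var PROPS_OFF = { 'sn_grc.enable_groups_access': 'false' };
var RISK_OPEN       = { number: 'RSK0001', access_groups: '' };                      // no groups set
var RISK_RESTRICTED = { number: 'RSK0002', access_groups: 'grp_finance,grp_audit' }; // two groups
function alwaysTrue() { return true; }

// Evaluate a read for one manager given their group memberships and the ACLs on the table.
function decideRead(props, record, userGroups, extraAcls) {
  var mgr = makeSecurityManager(userGroups, alwaysTrue);
  var acls = [function (r) { return groupReadAcl(props, r, mgr, false); }].concat(extraAcls || []);
  return canRead(acls, record);
}

// Scenario table; each entry is the outcome the article's rules imply.
function runScenarios() {
  var looseRoleAcl = function () { return true; }; // e.g. "any sn_risk.manager may read all risks"
  var confidentialMgr = makeSecurityManager(['grp_audit'], function () { return false; });
  var outsiderAcl = function (r) {
    return groupReadAcl(PROPS_ON, r, makeSecurityManager(['grp_hr'], alwaysTrue), false);
  };
  return {
    noGroupsSet:          decideRead(PROPS_ON, RISK_OPEN, ['grp_hr']),                      // true
    memberOfListedGroup:  decideRead(PROPS_ON, RISK_RESTRICTED, ['grp_audit']),             // true
    notMember:            decideRead(PROPS_ON, RISK_RESTRICTED, ['grp_hr']),                // false
    propertyOff:          decideRead(PROPS_OFF, RISK_RESTRICTED, ['grp_hr']),               // true
    looseAclDefeatsCheck: decideRead(PROPS_ON, RISK_RESTRICTED, ['grp_hr'], [looseRoleAcl]), // true
    confidentialityWins:  groupReadAcl(PROPS_ON, RISK_RESTRICTED, confidentialMgr, true),   // false
    writeNeedsRead:       canWrite([outsiderAcl], RISK_RESTRICTED, true)                     // false
  };
}
```

The looseAclDefeatsCheck scenario is the one to look for when reviewing a table: with a second read ACL that grants the role unconditionally, the group ACL still evaluates to false for the outsider, but the record is readable anyway, so Step 5a's advice to tighten the existing ACLs comes before adding the group check.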