Record Level Access System to easily add and remove user privileges
I was asked to build an internal employee database which will store basic employee, goals, reviews, and include a bonus calculator. The information is sensitive and I was asked to build the system then have the the finance department reset the admin password so even I will not be able to see all records. I can understand as the bonus calculator will have employees salaries, which is sensitive data. I am running FileMaker Server and have it bound to AD, so I believe I can create AD groups that will allow me to add and remove access without actually accessing the records in the database.
I have attached a screen shot of the access levels and number of records for each department. I believe the proper way to limit access to the records is by using calculations in the security panel. All users will log into the system using their AD username and password, and I can create a calculation that if the user logins match the employee name_first and name_last they can see their own record. Is their any way to tag on an additional parameter in the calculation to also check if they are department A's manager, they can see all of department A's employee records?