Restricted & Read-Only Access via Find

Question asked by m.swanston on Oct 12, 2015
Latest reply on Oct 13, 2015 by m.swanston


OK, so whilst this is already partly working as is, it's come to light that some users can find and access records which they were not meant to. The department who owns the tool have now asked to see if this can be changed to allow all users to search for records across the entire dataset, but if outside of the records to which they have access, the records should be opened as read-only.

Currently, the system has three types of user:

  • User - can only see/edit records of which they are a member (records are assigned to teams, so users have to be in the team to see the record);
  • Office_Admin - can only see/edit records in their office location (team members have office location stored and the location of the team lead is recorded);
  • Sys_Admin - can see/edit everything.

In a recent training course for new users, it came to light that office admins can use the search facility (the tool has a search field provided) and this will find them records which are not in their location and allow them access. This does not occur with the 'Users'.

I'll explain how this is set up, so hopefully it will be clear what is going on:

We have an Active Directory group set up for each level of user. In FileMaker Security, there are three External Server accounts, one for each user type and each account is assigned to the appropriate AD group. For each account, there is also an associated Privilege set assigned to it, and for each privilege set, there is an associated Extended Privilege set:


When a user accesses the layout which displays the records they can see, this is the script that runs (which works without issue):


At the top of the layout is a Find field, and currently Office Admins can find records outside of their allowed set, whilst Users cannot. They would like both Office Admins and Users to be able to find records outside of their allowed sets, but with these records accessible on a read-only basis. As I've mentioned before in my other posts, I did not write this, but support it for the business. I am learning on the job, and whilst I may need to get the external developers back to resolve it, I always try to find a solution myself before resorting to arranging that. So if anything is not clear, or if I can provide any further information, please do not hesitate to ask.
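The requested behaviour (anyone can find and open any record, but only records inside the account's allowed set are editable) is an authorization decision that should be evaluated per record at the moment of access, not enforced by limiting what the Find field returns; the office-admin leak described above is what happens when the only control is the search filter. The following is an added illustration of that policy as a plain Python model, not the poster's script, not the external developers' code and not FileMaker's own privilege-set mechanism. It assumes the three roles and the AD-group-to-account mapping described in the post, and it assumes (the post does not spell this out) that an Office_Admin's allowed set is the records whose team lead is in the admin's office. All accounts, teams and records are constructed sample data.

```python
"""Per-record access model for the three user types in the post.

Every account may find and open every record; can_edit() decides, record by
record, whether it opens for editing or read-only.  Writes go through save(),
which re-checks can_edit() regardless of how the record was located.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple


class Role(Enum):
    USER = "User"
    OFFICE_ADMIN = "Office_Admin"
    SYS_ADMIN = "Sys_Admin"


@dataclass(frozen=True)
class Team:
    team_id: str
    lead_office: str          # office location of the team lead (from the post)


@dataclass(frozen=True)
class Record:
    record_id: str
    team_id: str              # records are assigned to teams
    title: str


@dataclass(frozen=True)
class Account:
    name: str
    role: Role                # one role per AD group / external account
    office: str               # stored office location of the member
    teams: FrozenSet[str] = frozenset()   # team memberships (used for User)


def can_edit(account: Account, record: Record, teams: Dict[str, Team]) -> bool:
    """Record-level edit decision.  Evaluated on the record itself, so it holds
    no matter whether the record was reached via a list layout or a Find."""
    if account.role is Role.SYS_ADMIN:
        return True
    if account.role is Role.OFFICE_ADMIN:
        # Assumption: admin's allowed set = teams led from the admin's office.
        return teams[record.team_id].lead_office == account.office
    if account.role is Role.USER:
        return record.team_id in account.teams
    return False


def access_mode(account: Account, record: Record, teams: Dict[str, Team]) -> str:
    return "edit" if can_edit(account, record, teams) else "read-only"


def find(account: Account, query: str, records: List[Record],
         teams: Dict[str, Team]) -> List[Tuple[str, str]]:
    """Search the entire dataset and tag every hit with the mode it opens in."""
    q = query.lower()
    return [(r.record_id, access_mode(account, r, teams))
            for r in records if q in r.title.lower()]


def save(account: Account, record: Record, new_title: str,
         teams: Dict[str, Team]) -> Record:
    """Write path: refuse unless the per-record check passes."""
    if not can_edit(account, record, teams):
        raise PermissionError(f"{account.name} may only read {record.record_id}")
    return Record(record.record_id, record.team_id, new_title)


# ---- constructed sample data (not from the post) ---------------------------
SAMPLE_TEAMS = {
    "t1": Team("t1", lead_office="Leeds"),
    "t2": Team("t2", lead_office="Manchester"),
}
SAMPLE_RECORDS = [
    Record("r1", "t1", "Q3 report"),
    Record("r2", "t2", "Q4 report"),
    Record("r3", "t2", "Budget"),
]
ALICE = Account("alice", Role.USER, office="Leeds", teams=frozenset({"t1"}))
BOB = Account("bob", Role.OFFICE_ADMIN, office="Leeds")
CAROL = Account("carol", Role.SYS_ADMIN, office="Manchester")


if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(who.name, find(who, "report", SAMPLE_RECORDS, SAMPLE_TEAMS))
    try:
        save(BOB, SAMPLE_RECORDS[1], "edited", SAMPLE_TEAMS)
    except PermissionError as exc:
        print("blocked:", exc)
```

The point of the model is the split between `find()`, which never filters, and `can_edit()`/`save()`, which are consulted on every record individually. In FileMaker terms the equivalent is a record-level access rule in each privilege set rather than a scripted constraint on the found set, because the latter can be sidestepped by any other route to the record, which is exactly the symptom the office admins hit.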