My problem is that my users can edit the "ChangePasswordOnFirstLogon" of other users.
Try this in your SecurityDemo:
- Enable Read,Navigate for the User-Object to all users
- Users are allowed to modify the members ChangePasswordOnFirstLogon; StoredPassword of their OWN user-Record
With the attached security setting, all users can edit ALL other users.
It looks like MemberPermission is not combined with the object permission.
Thank you for your question. Unfortunately, the combination of object and member permissions is not supported. The new security system has additive permissions, so if you grant access to specific objects by creating an object-level permission (with a criterion), you cannot deny access to specific members by creating a member-level permission.
The SecurityStrategyComplex class allows you to grant an operation to all objects of some type (Type Permission), or to objects that satisfy a criterion (Object Permission), or to a member of any object (Member Criteria). At this time, other configurations are not implemented. Adjusted permissions can be declared in any combination: we have implemented the 'additive' approach, so with each added permission an end-user will be granted permission to do more operations.
With this functionality, you can grant the 'Write' operation by a criterion, so an end-user will be granted permission to edit any property of any object that satisfies the criterion.
Alternatively, you can grant the 'Write' operation to desired members, so an end-user will be granted to modify these members of any object.
It seems that our documentation doesn't describe this functionality in a clear and precise way, and we will see how to improve it.
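
The additive evaluation described in the answer above, as an added example that is not part of the original thread and is not DevExpress code. It is a simplified Python model: `Grant`, `is_granted` and `cross_record_writes` are hypothetical names, the two user records are constructed, and `AS_POSTED` is one reading of the configuration in the question. The audit function lists every case where one user can write a sensitive member of another user's record.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Simplified model of additive permissions; names are assumptions, not the XAF API.
@dataclass(frozen=True)
class Grant:
    operation: str                      # "Read", "Write", ...
    target_type: str                    # e.g. "User"
    member: Optional[str] = None        # set => member permission
    criterion: Optional[Callable[[dict, dict], bool]] = None  # set => object permission

def is_granted(grants, actor, operation, obj, member):
    """Additive rule: the operation is allowed if ANY single grant matches."""
    for g in grants:
        if g.operation != operation or g.target_type != obj["type"]:
            continue
        if g.member is not None:
            # Member permission: that member of ANY object; no criterion is consulted.
            if g.member == member:
                return True
        elif g.criterion is None or g.criterion(actor, obj):
            # Type permission, or object permission whose criterion matches: all members.
            return True
    return False

def cross_record_writes(grants, users, members):
    """Audit: (actor, target, member) triples where an actor can write another user's record."""
    return [(a["name"], t["name"], m) for a in users for t in users for m in members
            if a is not t and is_granted(grants, a, "Write", t, m)]

# Constructed sample data.
USERS = [{"type": "User", "name": "alice"}, {"type": "User", "name": "bob"}]
SENSITIVE = ["ChangePasswordOnFirstLogon", "StoredPassword"]

def own_record(actor, obj):
    return actor["name"] == obj["name"]

# Object permission (own record) plus member permissions: the union, not the intersection.
AS_POSTED = [Grant("Read", "User"),
             Grant("Write", "User", criterion=own_record),
             Grant("Write", "User", member="ChangePasswordOnFirstLogon"),
             Grant("Write", "User", member="StoredPassword")]
# Object permission only: no cross-record writes, but every member of the own record is writable.
OWN_ONLY = [Grant("Read", "User"), Grant("Write", "User", criterion=own_record)]

if __name__ == "__main__":
    for name, grants in (("AS_POSTED", AS_POSTED), ("OWN_ONLY", OWN_ONLY)):
        print(name, cross_record_writes(grants, USERS, SENSITIVE))
```

In this model the cross-record writes disappear only when the member-level Write grants are removed, which leaves the own-record grant covering every member of that record.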