Blocks roles and security access level settings
Sometimes, not everyone who should access a Block should see everything in the block. Perhaps a few tabs are for administrators only. Or end users should only see the information they enter themselves, and not see what has been entered by others. With a paid plan on GraceBlocks, this and more is possible by leveraging Block roles and security access level settings. When a builder adds a user to a Block, they will their Block role. This role is specific to that Block. (A user might have one role in one Block A, and a different role assigned in Block B.) The system will behave for each user according to their assigned role in that Block. This article covers the following:
Block roles
This visual below illustrates Block roles and their relationship to one another. To review how to apply a Block role to a user, see managing block users.
General: This is the most basic role available. This is the default role a user is assigned when added to a Block, but the builder can choose to give the user an increased access level role.*
Level 1*: This role grants the first level of security and inherits the rights granted to General users.
Level 2*: This role grants the second level of security and also inherits the rights granted to Level 1 users.
Builders: In addition to their building capabilities, builders are granted security access always at the highest level (Level 2).
* 🔔 Role assignment of Level 1/Level 2, while possible on the free plan, is only meaningful when combined with the security settings outlined below in this article. Security settings become editable only when using the Pro plan.
Security access level settings
For each tab inside a Block, builders have access to a list of security access level settings. The default access level for each setting is General. This means General users have access to everything by default. However, for Zones on a paid plan, it is possible to increase the level a user must have to access the capability defined by the setting. For each setting, the options are General, Level 1, or Level 2. The table below lists all of the settings found for each tab. To find these settings, as a builder
- Select a tab inside a Block and click to edit tab settings (see managing tabs),
- Scroll to the bottom of the modal window
- Toggle on "Show user access security."
This will allow the builder to see and change the security access level settings.
🔔 You must be on the Pro plan to designate levels Level 1 or Level 2.
The table below explains each setting and what it controls.
| Setting name | Description | Scenarios/Examples |
| View tab and my records | Controls access to the tab for users. When granted this access, the user can see the tab, and they can see records they have created or records where they are an assigned collaborator using the collaborator field type, or a lookup of a collaborator field type. | If you want to hide a tab from specific users of a Block, Grant the user General access and then put this setting to Level 1 or higher for access. In this case, Users of the General role for the Block will not see the tab. |
| View records without restriction | Controls which users can view all records of a tab. When granted access, the user is able to view every single record in the tab. |
Let's say you let employees track their personal quarterly goals. Employees and their managers only should see the employee's goal. To do this, you would first create a collaborator field for the Manager. Employees would indicate their manager in this field as a collaborator. Then you can set employees and managers to the General role in the block and Administrators to Level 1 access. By setting View tab and my records at General and View records without restriction at Level 1, they will only see the records they create or where they are the assigned manager. However, Administrators, if granted Level 1 access, will be able to view all goals entered. This setting must be equal or higher than what is set for the View tab and my records setting. |
| Add new record | Controls which users are able to add a brand new record to the tab. When granted access, users can add new records to the tab using all options available while logged into GraceBlocks. | If users should only review records but not add new ones, this setting can be set to a higher level, such as Level 2. Doing so would block any General and Level 1 users from accessing the add new record option within the block. (Any external web forms would still be accessible if published for people to access. They are not controlled by this setting.) |
| Allow collaborator record editing |
Controls if collaborators are able to edit records where they are associated in the tab. When granted access, users can edit records where they are an assigned collaborator. 🔔 A user can always edit records they have created in a tab regardless of whether their security level meets this setting's prescription. |
Generally, this setting should follow the same security level access granted for the setting: View tab and my records. That means users can edit the records they can view because they are collaborators. For example, if you put this setting to Level 1, you can let individual employees have General access to only edit their personal goals while their managers can be given Level 1 access to be able to edit the records where they are the assigned Manager. |
| Edit any record | Controls which users can edit all records of a tab. When granted access, the user is able to edit every single record in the tab. |
Generally, this setting will often follow the same security access level for the setting: View records without restriction. It would users of this security level to view and edit all records. For example, if you put this setting to level 2, you can have only administrators see all records in the tab, while all other users are set to either General or Level 1 access and only either view or edit records where they are assigned collaborators or the original creator of the record. This setting must be equal or higher than what is set for the Allow collaborator record editing setting. |
|
Share records |
Controls access to the share feature on the tab. When granted access, the user is able to share records with people who are not necessarily users of GraceBlocks. | If you want to limit who can share records, use this security access control option to lock it down. For example, if set to Level 2, only those users with level 2 access will be able to use the share function in the tab. |
|
Download records |
Controls access to the download feature on the tab. When granted access, the user is able to download .csv files of the records they are able to access in the tab. | If you want to limit who can download records, use this security access control option to lock it down. For example, if set to Level 2, only those users with level 2 access will be able to use the download function in the tab. |
|
Print records |
Controls access to the print feature on the tab. When granted access, the user is able to print records they are able to access in the tab. | If you want to limit who can print records, use this security access control option to lock it down. For example, if set to Level 2, only those users with level 2 access will be able to use the print function in the tab. |
|
Delete records |
Controls access to the remove records feature on the tab. When granted access, the user is able to delete records they are able to access in the tab. | If you want to limit who can delete records, use this security access control option to lock it down. For example, if set to Level 2, only those users with level 2 access will be able to use the remove records function in the tab. |
|
Access spreadsheet view |
Controls access to the spreadsheet view feature on the tab. This view is where most features related to building can occur. It's also the view that supports easily mass updating data. When granted access, the user is able to access and use spreadsheet view. |
You might want to limit who can access spreadsheet view for a few reasons: 1) Quick view loads faster 2) Quick view's first column is the record identifier and is locked as you scroll horizontally, which helps understand which record you are working with 3) Having fewer options for viewing data simplifies the user experience. 4) Users with spreadsheet view are able to apply mass edits via spreadsheet actions like copy/paste and dragging down cell records. If you are concerned the average user may accidentally corrupt your data, it is worth limiting access to this view. To lock down access, for example, set access here to Level 2. then only those users with level 2 access will be able to use the spreadsheet view function in the tab. |
|
View private fields |
Controls access to any field that has been designated as private. When granted access, the user is view the private field and work with it as they are able to with any other field associated with the record. |
If you want to limit can access to sensitive information about a record, use this security access control option to lock it down. For example, if set to Level 2, only those users with level 2 access will be able to view, filter, export, or edit the data stored in this field. 🔔 If a Builder creates a public bookmark where data is filtered or sorted bookmark using a private field, the bookmark will still apply criteria using the private field for all users, regardless of the user's access to the private field. The field will not display but the filter using the field will be applied. |
|
Allow unmasking of masked fields |
Controls access to the ability to unmask any masked field in the tab. When granted, the user will be able to unmask any field of the masked field type in the tab. |
If you want to control who can unmask masked fields, use this security access control option to lock it down. For example, if set to Level 2, only those users with level 2 access will be able to unmask the field of the masked field type that is configured directly into the tab. |
Relational field control and security options
The security defined on the tab, combined with the user's role, will impact the options a user will see when interacting with a relational field. For example, let's say you are working with job requisitions and they have been set so that General access level users can only see job requisitions that they either create or are a collaborator. The General user may also be limited from viewing and selecting requisitions where they are not a collaborator when interacting with this data as a relational field. This behavior is controlled by the relational field configuration set by the Builder.
Learn more here: Field type: relational.