Record access policy templates

Overview

Record access policy templates are policies with a pre-configured set of rules that enforce data access controls for a specific use case. They are provided by Skedulo in the web app and allow administrators to quickly create a new policy for a common business requirement without having to manually create each rule. Basing a new policy on a template can help to ensure that the rules have adequate coverage and the correct structure, but extensive testing in a non-production environment is always required before new or updated policies are enabled.

Policy template: Data isolation by region

The Data isolation by region template can be used to create a policy that enforces isolation of your Skedulo data by region, where users can only see data records (such as Jobs, Resources, etc.) that belong to the region or regions with which they are associated. The policy looks at the region associated with each job, account, resource, or other object to be returned for a given request and filters out those with a region that is not associated with the current user.

Use the Data isolation by region policy in your team

You can use the Data isolation by region policy by creating a policy from the template.

The Data isolation by region policy limits data access to users based on the region that is assigned to them. It requires that all users to whom the policy applies (all non-administrator users) are associated with one or more regions in their user record (see below for how to do this). If non-administrator users are not assigned to a region, they will not see any region-based data at all and will not be able to use the Skedulo web app.

A list of regions can be assigned to any user, regardless of their role. If a user is a resource, the Data isolation by region policy takes their primary and secondary regions into account. As a result, resources generally don’t need to have a region assigned to their user as well.
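An added example (not Skedulo's code or API): a small Python oracle that turns the rules described above into expected visibility results, for use as a test matrix in a non-production team. The `User` and `Record` fixtures, region names and record ids are constructed; records with no region are reported as unspecified because this page does not state how the policy treats them.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional

class Expect(Enum):
    VISIBLE = "visible"
    HIDDEN = "hidden"
    UNSPECIFIED = "unspecified"  # behaviour not stated on the page; check by hand

@dataclass(frozen=True)
class User:                      # hypothetical test fixture, not a Skedulo type
    name: str
    is_admin: bool = False
    user_regions: FrozenSet[str] = frozenset()       # the "User regions" field
    primary_region: Optional[str] = None             # set when the user is a resource
    secondary_regions: FrozenSet[str] = frozenset()  # set when the user is a resource
    def effective_regions(self) -> FrozenSet[str]:
        primary = {self.primary_region} if self.primary_region else set()
        return frozenset(self.user_regions | self.secondary_regions | primary)

@dataclass(frozen=True)
class Record:                    # hypothetical test fixture
    uid: str
    object_type: str
    region: Optional[str]

def expected_access(user: User, record: Record) -> Expect:
    if user.is_admin:
        return Expect.VISIBLE    # the policy applies to non-administrator users only
    if record.region is None:
        return Expect.UNSPECIFIED
    return Expect.VISIBLE if record.region in user.effective_regions() else Expect.HIDDEN

def expectation_matrix(users, records):
    return {(u.name, r.uid): expected_access(u, r) for u in users for r in records}

# Constructed sample data: one user per case the policy description distinguishes.
USERS = [
    User("admin", is_admin=True),
    User("scheduler_north", user_regions=frozenset({"North"})),
    User("resource_south", primary_region="South", secondary_regions=frozenset({"East"})),
    User("no_region"),
]
RECORDS = [
    Record("job-1", "Jobs", "North"),
    Record("job-2", "Jobs", "South"),
    Record("res-1", "Resources", "East"),
    Record("acct-1", "Accounts", None),
]
```

Compare the output of `expectation_matrix(USERS, RECORDS)` with what each test user actually sees, and treat any `UNSPECIFIED` pair as a case to verify manually.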

Associate users with regions

The ability to associate a user with a region is controlled by an admin setting in the web app. This configuration must be done before the User regions field will appear in user records.

To enable the use of user regions, do the following:

  • In Settings > General > Users, click to select Show the User regions field on user editing screens.

To associate a user with one or more regions, do the following:

  1. In Settings > Users, click the user to open the Users page.
  2. Click the User regions dropdown and select one or more regions to assign to the user.
  3. To save the changes, click Save. To leave the page without assigning regions, click Cancel.

For more information on how to edit users, see the documentation on user administration.

What is region-based data?

Skedulo allows for customization of the objects and fields in each team, so you will need to examine the data schema for your team to make sure that all object types that have a Regions field or a lookup to Regions are accounted for in your testing.