NOTE: This facility is only available if switched on by the administrator in fAdmin Settings, Data Access Control.
The data returned in a data group may be restricted based on a user's access role or some other value or attribute. This is known as Role Based Access Control (RBAC) or Attribute Based Access Control (ABAC).
Restriction may be applied to whole rows or to individual fields within rows. Further options provide data group and DSD level fail-safes to prevent restricted data being returned (for example, if a user has no access roles).
Note: The condition must return false, or the user must NOT have the access role, for the value/row to be shown.
As fData gathers each data group, Data Access Control (DAC) checks it against the rules set for that data group in the DSD. DAC applies each rule and either clears the corresponding field values or removes rows accordingly. Several rules may be set for a data group, and all will be checked and applied.
DAC restricts fields and rows in a data group based on either the user’s access role (established at login) or any condition expressed as a function. The function is evaluated immediately after the base data is gathered and any data items have been calculated, so that the condition may be based on values in the row.
Here are some examples of conditions that may be applied:
For each attribute enter a name and more detailed description.
The check that is carried out may be by the user's access role or by evaluating a function.
If “By Role” is checked, a select list will be provided to select the access role required for this condition to be met.
If “By Role” is not checked, a Function Builder entry is provided where you can construct a function to be evaluated. The function must return “true” for the condition to be satisfied.
If the condition is to apply to entire rows check the “Apply To Row” option. Otherwise select the fields to be cleared if the condition is not met.
You can apply as many checks as you wish. The Access Control settings page shows them in a list where you can drag and drop them to alter the sequence in which they are executed. This may be important in order to execute the more likely or quicker checks first, for efficiency.
This is an optional function which is executed once for the data group; if it returns “true”, all of the attributes will be applied as if they failed.
This provides a fail-safe, for example if a user has no access roles set and you want to prevent sensitive data being available to them until a valid access role has been set.
fAdmin Settings has a high-level fail-safe function (DACApplyAll). This has the same effect as the data group setting but applies through fData to all DSDs.
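The following is an added Python model, not the product's own code. It follows the Note above (a value or row is shown only when the user lacks the role or the function returns false) and shows why a user with no access roles sees everything unless a fail-safe is set. The `Rule` class, `apply_dac`, the fail-safe signature, the sample rows and the use of `None` for a cleared field are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Rule:
    name: str
    role: Optional[str] = None                      # "By Role" check
    func: Optional[Callable[[dict], bool]] = None   # function check, sees the row
    apply_to_row: bool = False                      # "Apply To Row"
    fields: tuple = ()                              # fields to clear otherwise

    def restricts(self, row: dict, roles: set) -> bool:
        # Per the Note: data is shown only if the user lacks the role
        # or the function returns false.
        if self.role is not None:
            return self.role in roles
        return bool(self.func(row))

def apply_dac(rows, rules, roles, failsafe=None, apply_all=None):
    # Both fail-safes run once per data group; if either is true, every rule restricts.
    force = any(f is not None and f(roles) for f in (failsafe, apply_all))
    shown = []
    for original in rows:
        row, keep = dict(original), True            # never mutate the gathered data
        for rule in rules:                          # rules run in their listed order
            if not (force or rule.restricts(row, roles)):
                continue
            if rule.apply_to_row:
                keep = False
                break
            for field in rule.fields:
                row[field] = None                   # "cleared" modelled as None (assumption)
        if keep:
            shown.append(row)
    return shown

# Constructed sample data group and rules.
ROWS = [{"name": "Ann", "salary": 50000, "status": "open"},
        {"name": "Bob", "salary": 61000, "status": "sealed"}]
RULES = [Rule("hide sealed rows", func=lambda r: r["status"] == "sealed", apply_to_row=True),
         Rule("hide salary from contractors", role="contractor", fields=("salary",))]
NO_ROLES = lambda roles: not roles                  # hypothetical fail-safe function

if __name__ == "__main__":
    for roles in ({"staff"}, {"contractor"}, set()):
        print(sorted(roles), apply_dac(ROWS, RULES, roles))
    print("no roles + fail-safe:", apply_dac(ROWS, RULES, set(), failsafe=NO_ROLES))
```

In this model the user with no roles gets the same view as `staff`, salary included, until the fail-safe is supplied, at which point every rule is applied and no rows are returned.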