Access Group Rules and the Access Groups Enablement Data Security Policies
On the Explore UI, you can view a user's access to data from both access group rules and data security policies. This topic describes the interaction between access group rules and the policies provided by the Access Groups Enablement duty role.
To receive access to object records through access groups, the following conditions must be met:
-
Users must be assigned the relevant active rules through their access group membership.
-
Users must be assigned the appropriate data security policies provided by the Access Groups Enablement duty role.
These data security policies are required for users to get the access to object data provided through access groups, but they don't provide access to object data themselves.
Users are automatically assigned the Access Groups Enablement duty role through the predefined or custom job roles they're assigned, or through the Resource abstract role. In general, for each object supported for access groups, the Access Groups Enablement duty provides users with data security policies for each access level supported by the object; usually read, update, delete, and full access.
When reviewing information on the Explore UI, keep in mind that although users are assigned the Access Groups Enablement data security policies, they only receive the relevant data access if they're also assigned a corresponding active rule that provides the same access.