Access Control Lists for Items

Here are some details on access control lists for items.

Enable Access Control

Enable the profile option named Enable Access Control List for Items. By default, this is set to No. Note that:
  • When you enable the profile option for the first time, you must rebuild the item and structure index after creating permission sets and activating your teams to ensure that data security is applied.
  • On enabling the profile option, items continue to honor the existing security settings until you create a permission and a permission set.
  • Once the profile option is enabled and a permission is created for an item, all items in the application will become private, regardless of their current public or private settings. You must manually assign user permissions to these items.
  • To honor the data security provided by access control lists, run the Refresh Access Control List for Teams scheduled process with the Operation value set to Recreate.

Data Access Groups

Items can be secured using the access control lists and the functional privileges assigned through Security Console.

Consider that you want to create teams that function as data access groups for users located in the US.

  • Team 1: Engineering users who can create, delete, and manage all items, but only view commercial items. They can manage all attributes except operational attributes.
  • Team 2: Data stewards who have permission to view and delete all items in the draft and production lifecycle phases. They can only see the item number for items in the New Age Chips item class, as they hold only the discover permission for this class.
  • Team 3: Users John and Sam are U.S. based data stewards who can view only those items where the extensible flexfield attribute Location is set to US.

Here’s a table that shows details of the teams created as data access groups:

Team Name | Users and Roles   | Permission | Condition                                | Access Groups
----------|-------------------|------------|------------------------------------------|---------------------------------------------
Team 1    | Engineering Users | Create     | Engineered = Yes                         | Not Applicable
          | Engineering Users | Manage     | Engineered = Yes                         | All attributes except Operational Attributes
          | Engineering Users | Delete     | Engineered = Yes                         | Not Applicable
Team 2    | Data Stewards     | View       | Lifecycle phase = Design or Production   | All attributes
          | Data Stewards     | Delete     | Lifecycle phase = Design or Production   | Not Applicable
          | Data Stewards     | Discover   | Item Class = New Age Chips               | Not Applicable
Team 3    | John, Sam         | View       | Location = US                            | All attributes

Here are some details on permission sets for items:

  • You can provide access to items conditionally using permissions such as create, view, manage, discover, and delete.
  • Using a permission set you can control the visibility of tabs or tables appearing on the item details page, thereby controlling the shape of the item object. This can be done by configuring access to an attribute group or table using the Access To column, where you can specify which tabs are accessible to the user. For example, if a user is granted access only to Basic Attributes, Attachments, and Structure, the user can only see these three tabs, while the others will remain hidden.
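The following is an added example, not Oracle's code: it models the permission-set semantics described above (conditional permissions per team, the Access To column shaping which tabs are visible, Discover exposing only the item number, and items being private unless some rule matches) and evaluates the three teams from the table against two constructed items. Tab names, user names and item attribute values are assumed.

```python
from dataclasses import dataclass, field

# Added model of the ACL semantics described on this page, not Oracle's code; tab, user and item names are assumed.
ALL_ATTRIBUTES = {"Basic Attributes", "Operational Attributes", "Attachments", "Structure"}

@dataclass
class Rule:
    permission: str        # create, view, manage, discover or delete
    condition: dict        # attribute -> set of allowed values; every attribute must match
    access_groups: set = field(default_factory=set)  # "Access To" tabs exposed by the rule

# The three teams from the table above, expressed as permission-set rows.
TEAMS = {
    "Team 1": ({"eng_user"}, [
        Rule("create", {"Engineered": {"Yes"}}),
        Rule("manage", {"Engineered": {"Yes"}}, ALL_ATTRIBUTES - {"Operational Attributes"}),
        Rule("delete", {"Engineered": {"Yes"}})]),
    "Team 2": ({"steward"}, [
        Rule("view", {"Lifecycle Phase": {"Design", "Production"}}, ALL_ATTRIBUTES),
        Rule("delete", {"Lifecycle Phase": {"Design", "Production"}}),
        Rule("discover", {"Item Class": {"New Age Chips"}})]),
    "Team 3": ({"john", "sam"}, [Rule("view", {"Location": {"US"}}, ALL_ATTRIBUTES)]),
}

def condition_matches(condition, item):
    return all(item.get(attr) in allowed for attr, allowed in condition.items())

def permissions_for(user, item):
    """Permissions the user holds on the item, each mapped to the tabs it exposes.
    No matching rule means an empty dict: with ACLs on, an item is private by default."""
    granted = {}
    for members, rules in TEAMS.values():
        if user in members:
            for rule in rules:
                if condition_matches(rule.condition, item):
                    granted.setdefault(rule.permission, set()).update(rule.access_groups)
    return granted

def visible_tabs(user, item):
    """View or Manage show their Access To groups; Discover alone shows only the item number."""
    perms = permissions_for(user, item)
    if "view" in perms or "manage" in perms:
        return perms.get("view", set()) | perms.get("manage", set())
    return {"Item Number"} if "discover" in perms else set()

def can_save(user, item):  # Save, Save and Close, Change Item Class, Apply Templates need Manage
    return "manage" in permissions_for(user, item)

# Constructed sample items.
CHIP = {"Item Number": "AI-100", "Engineered": "Yes", "Lifecycle Phase": "Design", "Item Class": "New Age Chips", "Location": "US"}
COMMERCIAL = {"Item Number": "C-7", "Engineered": "No", "Lifecycle Phase": "Obsolete", "Item Class": "New Age Chips", "Location": "EU"}
```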

Item Actions and Tabs

The access control list affects the following Global Actions for items:

  • Save, Save and Close, Change Item Class, and Apply Templates: available only for users with the Manage permission on items.
  • Delete: available only for users with the Delete permission on items.
  • The Manage permission, together with the selection in the Access To column, controls the add, edit, and delete actions within the respective item tabs. Note that the Quality and Changes tabs are read-only.

Multirow Attribute Groups

Here are some guidelines to follow when working with multirow attribute groups.

  • Use a column with unique values to optimize performance.
  • Use multirow attributes within the same attribute group in the condition builder for efficient evaluation. Avoid combining multirow attributes from different attribute groups.
  • Ensure the multirow table contains no more than 20 rows per item instance, as this directly affects performance.
  • Ensure that no more than five conditions are used to filter a specific item for a single permission (such as View).

    For example, consider that you've created five conditions based on the following extensible flexfield attributes:

    • Product Line = AIProduct
    • Team = AI Item
    • Program = Next Gen Phase1
    • Organization = Texas Manufacturing Unit
    • Functional Area = Design

    All the conditions are associated with the View permission. As a result, the user is granted View access to the item named AI Chip. In this case, it's recommended not to create any other conditions to filter the same item for the same permission.