This feature supports large or global implementations of Dynamic Access Control, specifically where an organization wants to delegate maintenance of User Role Setup records to local users. In organizations without this setup, we recommend using Dynamic Access Control and Matching Sharing Rules without User Role Constraints.

User role constraints are a way to prevent accidentally assigning a user an incorrect role on a document or object. The User Role Constraint object restricts role assignments by defining a list of roles allowed for a user. Users are allowed, but not automatically assigned, these roles.

How to Enable User Role Constraints

The User Role Constraints feature can be enabled in one of two ways, depending on the scope in which you need to use it:

  • The Enable user role constraints setting in Admin > Settings > Security Settings turns this feature on for the whole Vault. As of the 20R3.5 release, if this setting is disabled in your Vault, you will not be able to re-enable it. Any future enablement for the User Role Constraints feature must be performed with the Enforce Role Constraints field as described below.
  • To enable User Role Constraints on a role-by-role basis, set the Enforce Role Constraints field value to Yes on each relevant Application Role record. Note that you cannot set this field to Yes if there are active User Role records for the Application Role.

Once enabled, no users will be able to create User Role Setup records for an application role until User Role Constraint records exist for that application role.

How to Configure User Role Constraints

  1. Navigate to Business Admin > Objects > User Role Constraints.
  2. Click Create.
  3. Select a User and a Role that the user is allowed to hold.
  4. Click Save.
  5. You will need to create additional records for each allowable user and role combination.

Impact on the User Role Setup Object

After creating a User Role Constraint record, you can only save User Role Setup records that have user/role combinations included in User Role Constraint records. If a role or user is invalid, you will receive an “Error saving ‘User Role Setup’” error. This error means that this user/role combination is not allowed by the User Role Constraint(s) related to that user.

Deleting a User Role Constraint

If a User Role Constraint record is deleted, any User Role Setup record with the same user and role combination is set to Inactive.
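
The rules above can be read as an allow list of user/role pairs checked at save time. The following is an added illustration of that behavior, not Vault code or a Vault API; the class, method, user, and role names are hypothetical and the sample data is constructed.

```python
# Added illustration: a small model of the rules on this page, not Vault code or its API.
# Class, method, user and role names are hypothetical; sample data is constructed.

class SaveError(Exception):
    """Stands in for the "Error saving 'User Role Setup'" error."""

class RoleConstraintModel:
    def __init__(self, enforced_roles):
        self.enforced_roles = set(enforced_roles)  # roles with Enforce Role Constraints = Yes
        self.constraints = set()                   # allowed (user, role) pairs
        self.setups = {}                           # (user, role) -> "Active" / "Inactive"

    def add_constraint(self, user, role):
        # A constraint only permits the pair; it assigns nothing.
        self.constraints.add((user, role))

    def save_setup(self, user, role):
        # For an enforced role, the exact pair must be on the allow list.
        # With no constraints for the role, every save for it is rejected.
        if role in self.enforced_roles and (user, role) not in self.constraints:
            raise SaveError("Error saving 'User Role Setup'")
        self.setups[(user, role)] = "Active"

    def delete_constraint(self, user, role):
        # Removing the permission inactivates the matching setup record.
        self.constraints.discard((user, role))
        if (user, role) in self.setups:
            self.setups[(user, role)] = "Inactive"

def try_save(model, user, role):
    try:
        model.save_setup(user, role)
        return "saved"
    except SaveError:
        return "rejected"

def walkthrough():
    m = RoleConstraintModel(enforced_roles={"approver"})
    out = {"no_constraints_yet": try_save(m, "alice", "approver")}
    m.add_constraint("alice", "approver")
    out["assigned_by_constraint"] = ("alice", "approver") in m.setups
    out["allowed_pair"] = try_save(m, "alice", "approver")
    out["other_user"] = try_save(m, "bob", "approver")
    m.delete_constraint("alice", "approver")
    out["after_delete"] = m.setups[("alice", "approver")]
    return out

if __name__ == "__main__":
    print(walkthrough())
```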