Limiting access to users


I am trying to set up a user, but to allow that user to access items related only to one entity. The situation is that we manage the collection of a smaller institution, and their records are integrated into our database. We can isolate these records from the rest of the items through their entity designation. Is there a way to set up a user, and only allow access to this small component of the entire database?

Thanks in advance for any advice,


Manitoba Sports Hall of Fame & Museum


  • The only way to do that would be to set access control on a record-by-record basis. There's no way currently to restrict access to records on the basis of what entities they're related to.

    What might work is to set all of the smaller institution's records to have a specific type or source, and then set up logins restricted to those types or sources.

  • By Source do you mean Donor? Isn't this an entity too? Not sure what you mean by type - what field is this?

  • No, not donor. Every record can optionally have a single "source" associated with it, and you can restrict access on that if you want. It's not something that is used often, but the intention with it was to support basic partitioning of data within a single database.

  • How do I make this happen?

  • The link is broken; however, I managed to find a page on record-level access in the new manual, but it does not say anything about the restriction of access on the basis of source, as mentioned above. Could somebody elaborate?

    What I am looking for, ideally, would be a way to restrict access to certain collections and the objects related to them to a specific user-group. But maybe the mentioned source-based restriction could be a workaround..?

    Thanks a lot!

  • I think I found a way to accomplish that for Pawtucket, by

    1. Adding a list item to the list access_statuses
    2. creating a usergroup that should have access to these items
    3. choose "no access" under providence/administrate/access/Roles/Edit/role_id/5 tab: Pawtucket for all other Groups

    But how to achieve the same for users of Providence, that should be able to see objects but not those objects restricted to that usergroup?

  • I think I mean user role, not group.

  • Hmm, I think this is not a solution, as the user role appears in so many places. It feels like abusing this feature and bloating the interface in case of many different user groups with specific special access to certain collections and objects. I am waiting for your hints and solutions.🧘‍♀️

  • On the back-end, use item-level access control. Set perform_item_level_access_checking in app.conf to 1. There'll then appear a new "access" screen in the editors for various records. You can exclude certain kinds of records from item-level access control by setting the various <table>_dont_do_item_level_access_control options (if desired). E.g. ca_occurrences_dont_do_item_level_access_control = 1

    To restrict access to a collection, go to the collection and set the access controls as required, restricting the collection to specific users or groups of users. You can also have all objects within the collection inherit these access settings.

    Item level access control can get complicated and is not used that often, in my experience. Give it a try and let me know how it works for you.
