Method to create specific permission set for record dependent on field value

I have a request from a staff member here at the museum to better control access to records that are for type specimens. In essence, the permissions for those records would be different than the rest based on the value within a field. As far as I can gather, there is no method within the permission system that would allow for this; however, I am asking here in case anyone has any ideas or has had any similar requests?

One thing that I was thinking was perhaps setting up a cron job to get the last modified date through the API for those records once a week, and then alert the collection if any have been altered?

Hi Mark,

This is an interesting topic. It is not entirely clear what you are trying to accomplish though. The first paragraph seemed to be clear but the second paragraph seems to either confuse the first or describes a second need. Can you clarify?

Potential topics:

  1. Restrict access to entire records based on permissions.
    I think Support@Specify has previously indicated that this is not possible at this time. For this you would have to set up Specify Web Portals with a limited set of information.

  2. Show records but restrict access to specific fields on the record based on permissions. For this you would have to set up Specify Web Portals with a limited set of information.
    I think Support@Specify has previously indicated that this is not possible at this time.

  3. How to track if records have been modified within a week and notify the stakeholders.
    Your API idea is great for this!

I hope this helps!

Sincerely,
Matthew

Hi Matthew,

Apologies, I could have been more clear! Point 1 of your response is the answer to my question: within Specify 7 I was looking for a way to scope permissions for particular records differently than the rest, but I understand that this is not built into the permission system at the moment.

My second paragraph was thinking out loud about the next best solution. Absent a way to prevent the modifications, monitoring for modifications seems like a good approach.
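As an added illustration of the monitoring approach discussed above (this is not code from the thread or from the Specify project), the following script shows the comparison step of a weekly check: it takes last week's snapshot of type-specimen records and this week's, keyed by record id, and reports which records were modified, which appeared and which disappeared. The field names `id`, `catalognumber`, `typestatus` and `timestampmodified` are assumptions for the example, as is the idea that a record is "in scope" when its `typestatus` is set; the API call that fetches the records is left out, and both snapshots are constructed inline.

```python
"""
Weekly change check for type-specimen records.

Added example, not part of the forum thread and not Specify's own code. It
assumes each record is a dict with the keys id, catalognumber, typestatus and
timestampmodified (assumed names; confirm against your installation), and that
the API fetch which produces the snapshots has already happened.
"""
import json

# Constructed sample: the baseline snapshot saved by last week's run.
BASELINE_JSON = """
[
  {"id": 101, "catalognumber": "TYPE-0001", "typestatus": "Holotype",
   "timestampmodified": "2023-03-01T10:15:00"},
  {"id": 102, "catalognumber": "TYPE-0002", "typestatus": "Paratype",
   "timestampmodified": "2023-02-11T09:00:00"},
  {"id": 103, "catalognumber": "TYPE-0003", "typestatus": "Lectotype",
   "timestampmodified": "2022-12-20T14:30:00"},
  {"id": 200, "catalognumber": "ORD-0200", "typestatus": null,
   "timestampmodified": "2023-01-05T11:00:00"}
]
"""

# Constructed sample: what the same query returns this week.
# 102 was edited, 103 is gone, 104 is a new type record, and the ordinary
# record 200 was edited but is out of scope because it has no typestatus.
CURRENT_JSON = """
[
  {"id": 101, "catalognumber": "TYPE-0001", "typestatus": "Holotype",
   "timestampmodified": "2023-03-01T10:15:00"},
  {"id": 102, "catalognumber": "TYPE-0002", "typestatus": "Paratype",
   "timestampmodified": "2023-03-06T16:42:00"},
  {"id": 104, "catalognumber": "TYPE-0004", "typestatus": "Neotype",
   "timestampmodified": "2023-03-07T08:05:00"},
  {"id": 200, "catalognumber": "ORD-0200", "typestatus": null,
   "timestampmodified": "2023-03-07T09:00:00"}
]
"""


def load_snapshot(text):
    """Parse a JSON array of record dicts (as saved from the API)."""
    return json.loads(text)


def is_type_record(rec):
    """Only records whose (assumed) typestatus field is set are in scope."""
    return bool(rec.get("typestatus"))


def index_by_id(records):
    """Map record id -> record, keeping only in-scope type records."""
    return {rec["id"]: rec for rec in records if is_type_record(rec)}


def diff_snapshots(baseline, current):
    """Compare two snapshots and return catalog numbers grouped as
    'modified' (timestamp changed), 'added' (new id) and 'removed' (id gone)."""
    base = index_by_id(baseline)
    cur = index_by_id(current)
    modified = sorted(
        cur[i]["catalognumber"] for i in base.keys() & cur.keys()
        if cur[i]["timestampmodified"] != base[i]["timestampmodified"]
    )
    added = sorted(cur[i]["catalognumber"] for i in cur.keys() - base.keys())
    removed = sorted(base[i]["catalognumber"] for i in base.keys() - cur.keys())
    return {"modified": modified, "added": added, "removed": removed}


def format_alert(report):
    """Plain-text body for the notification; empty string means nothing to report."""
    lines = []
    for kind in ("modified", "added", "removed"):
        for cat in report[kind]:
            lines.append(f"{kind.upper()}: {cat}")
    return "\n".join(lines)


def run_check():
    """Run the comparison on the constructed snapshots (what cron would call)."""
    return diff_snapshots(load_snapshot(BASELINE_JSON), load_snapshot(CURRENT_JSON))


if __name__ == "__main__":
    print(format_alert(run_check()) or "No changes to type specimen records this week.")
```

In a real weekly job the current snapshot would be written to disk after the comparison so that it becomes next week's baseline, and the non-empty alert text would be sent to the collection. Comparing id sets as well as timestamps is deliberate: a record that was deleted, or a specimen newly marked as a type, would not show up as a modified timestamp at all.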

Could you limit these users in question to READ-ONLY access? This works unless you need them to be able to edit some fields.

Unfortunately, the collection would like other staff to be able to edit records with the exception of the types, so blanket read-only was something considered but not selected as a feasible option.

What about moving the types-records into a separate DB only accessible by the admins? You could then delete the types-records from the main DB.

This would totally work, and again another option that was presented and discussed. My main consideration is that this would then create additional burden on export workflows. Instead of being able to export the whole collection as a single DwCA or publish to RSS, there would then be two separate processes to manage.

Maybe there is some way to do this… have you seen the auth_permission table? Here are the options:

Can add session
Can change session
Can delete session
Can view session
Can add content type
Can change content type
Can delete content type
Can view content type
Can add permission
Can change permission
Can delete permission
Can view permission
Can add group
Can change group
Can delete group
Can view group
Can add accession
Can change accession
Can delete accession
Can view accession
Can add accessionagent
Can change accessionagent
Can delete accessionagent
Can view accessionagent
Can add accessionattachment
Can change accessionattachment
Can delete accessionattachment
Can view accessionattachment
Can add accessionauthorization
Can change accessionauthorization
Can delete accessionauthorization
Can view accessionauthorization
Can add accessioncitation
Can change accessioncitation
Can delete accessioncitation
Can view accessioncitation
Can add address
Can change address
Can delete address
Can view address
Can add addressofrecord
Can change addressofrecord
Can delete addressofrecord
Can view addressofrecord
Can add agent
Can change agent
Can delete agent
Can view agent
Can add agentattachment
Can change agentattachment
Can delete agentattachment
Can view agentattachment
Can add agentgeography
Can change agentgeography
Can delete agentgeography
Can view agentgeography
Can add agentidentifier
Can change agentidentifier
Can delete agentidentifier
Can view agentidentifier
Can add agentspecialty
Can change agentspecialty
Can delete agentspecialty
Can view agentspecialty
Can add agentvariant
Can change agentvariant
Can delete agentvariant
Can view agentvariant
Can add appraisal
Can change appraisal
Can delete appraisal
Can view appraisal
Can add attachment
Can change attachment
Can delete attachment
Can view attachment
Can add attachmentimageattribute
Can change attachmentimageattribute
Can delete attachmentimageattribute
Can view attachmentimageattribute
Can add attachmentmetadata
Can change attachmentmetadata
Can delete attachmentmetadata
Can view attachmentmetadata
Can add attachmenttag
Can change attachmenttag
Can delete attachmenttag
Can view attachmenttag
Can add attributedef
Can change attributedef
Can delete attributedef
Can view attributedef
Can add author
Can change author
Can delete author
Can view author
Can add autonumberingscheme
Can change autonumberingscheme
Can delete autonumberingscheme
Can view autonumberingscheme

I am looking for a way to hack this in, but am thinking it is even more work than properly implementing permissions at a field level. Hopefully Support@Specify can give us more ideas.