
Configuration Scope: Exportable

This setting is included in configuration exports and will be the same across all environments once the config file is imported.

Version Requirement

This feature is available in Brief Connect v2.3.0 and later.

Controlling Record Creation Permissions

Overview

By default, all Brief Connect users who are members of the "All Users" Azure Entra ID group can create records of any type. However, you may want to restrict record creation to specific users or control which record types different users can create.

The Can Create Record permission provides granular control over:

  • Who can create records (all users, specific users, specific Azure Entra ID groups)
  • Which record types they can create (all types or specific types)

This ensures record creation is limited to authorised users and aligns with organisational security and governance requirements.


How Record Creation Permissions Work

Record creation permissions are controlled through two components:

  1. Permission Sets - Define the canCreateRecord permission
  2. Role Assignments - Specify who gets the permission and which record types it applies to

Permission Hierarchy

The system evaluates record creation permissions as follows:

  1. Is the user a System Administrator? → Can create all record types
  2. Does the user have a Permission Set with canCreateRecord enabled via a Role Assignment? → Can create the specified record types
  3. Otherwise → Cannot create any records

Best Practice: Use Azure Entra ID Groups

Instead of assigning permissions to individual users, create Azure Entra ID security groups (e.g., "BC - Cabinet Submissions - Authors") and assign permissions to those groups. This makes permission management much easier as you can control access by simply adding or removing users from the group.


Configuration Steps

Step 1: Create a Permission Set with Record Creation Enabled

  1. Navigate to the Admin Panel (/#/adminPanel)
  2. Go to the Permission Sets tab
  3. Click Add Permission Set
  4. Give your permission set a meaningful name (e.g., "Author - Can Create")
  5. Enable the Can Create Record checkbox
  6. Enable any additional permissions users should have when creating records (e.g., "View Record", "Edit Record Metadata")
  7. Click Save

Example Permission Set

Additional Permissions Required

The canCreateRecord permission only controls whether users can initiate the record creation wizard. You'll typically also want to enable permissions like "View Record" and "Edit Record Metadata" so users can complete the record creation process and work with their records. You can do this in the same Permission Set, or stack multiple Permission Sets together to grant the access required.

Step 2: Create a Role Assignment to Grant the Permission

  1. In the Admin Panel, go to the Role Assignments tab
  2. Click Add Assignment
  3. Configure the assignment:

Content Type Scope

  • All - Users can create records of any type
  • Specific Record Type (e.g., "Cabinet Submission") - Users can only create records of this type

Unique Identifier and Description

  • Unique Identifier: A meaningful name (e.g., "Cabinet-Submissions-Authors-Can-Create")
  • Description: Explain the purpose (e.g., "Allows Cabinet Policy team to create Cabinet Submission records")

Permission Set

  • Select the Permission Set you created in Step 1 with canCreateRecord enabled

Who Gets the Permission

Choose one or more targeting options:

  • Public Access: All Brief Connect users can create these records
  • User ID: Specific users by Graph User ID or UPN
  • AAD Group Name: Azure Entra ID security groups (recommended)
  • Record Role Names: ⚠️ Not applicable for record creation (roles only exist on existing records)

Record Roles Don't Apply

The Record Role Names field is not used for record creation permissions since roles only exist on records that have already been created. Leave this field empty when configuring record creation permissions.

Additional Filtering (Optional)

For record creation permissions, the following fields are ignored and can be left empty:

  • Organisation: Not applicable for record creation
  • Stage: Not applicable for record creation
  • Field conditions: Not applicable for record creation

These fields only apply to permissions on existing records.

  4. Click Save

Common Scenarios

Scenario 1: Allow All Users to Create Any Record Type (Default Behaviour)

To maintain the default Brief Connect behaviour where all users can create any record type:

  1. Create a Permission Set with canCreateRecord enabled
  2. Create a Role Assignment:
     • Content Type Scope: All
     • Permission Set: Your permission set with canCreateRecord
     • Public Access: Enabled
     • User ID: (empty)
     • AAD Group Name: (empty)

Scenario 2: Restrict Record Creation to Specific Azure Entra ID Groups

To allow only specific groups to create any record type:

  1. Create a Permission Set with canCreateRecord enabled
  2. Create a Role Assignment:
     • Content Type Scope: All
     • Permission Set: Your permission set with canCreateRecord
     • Public Access: Disabled
     • AAD Group Name: BC - Record Authors (or your group name)

Scenario 3: Different Groups Can Create Different Record Types

To allow different teams to create different record types:

For Cabinet Submissions:

  1. Create a Permission Set with canCreateRecord enabled (e.g., "Author - Cabinet")
  2. Create a Role Assignment:
     • Content Type Scope: Cabinet Submission
     • Permission Set: Author - Cabinet
     • AAD Group Name: BC - Cabinet Policy Team

For Ministerial Correspondence:

  1. Create a Permission Set with canCreateRecord enabled (e.g., "Author - Correspondence")
  2. Create a Role Assignment:
     • Content Type Scope: Ministerial Correspondence
     • Permission Set: Author - Correspondence
     • AAD Group Name: BC - Correspondence Team

Scenario 4: Specific Users Can Create Specific Record Types

To allow named individuals to create specific record types:

  1. Create a Permission Set with canCreateRecord enabled
  2. Create a Role Assignment:
     • Content Type Scope: Cabinet Submission
     • Permission Set: Your permission set with canCreateRecord
     • User ID: john.smith@agency.gov.au, jane.doe@agency.gov.au

User Experience

When a User Has Permission

  • The Create Record button appears on the dashboard
  • When clicked, they see only the record types they have permission to create
  • They can complete the record creation wizard

When a User Lacks Permission

  • The Create Record button is hidden on the dashboard
  • If they try to access the create record URL directly, they receive an "Access Denied" error

Troubleshooting

Users Can't Create Records

Check the following:

  1. Are they members of the "All Users" Azure Entra ID group?
     • Without this, they can't access Brief Connect at all
  2. Do they have a Permission Set with canCreateRecord enabled?
     • Navigate to Admin Panel → Permission Sets
     • Verify a permission set exists with this permission enabled
  3. Do they have a Role Assignment granting them that Permission Set?
     • Navigate to Admin Panel → Role Assignments
     • Verify a role assignment exists that:
        • Uses the permission set with canCreateRecord
        • Targets the user (via Public Access, User ID, or AAD Group Name)
        • Has the correct Content Type Scope for the record type they want to create
  4. Are they in the correct Azure Entra ID group?
     • If using AAD Group Name targeting, verify the user is a member of that security group
     • Check Entra ID to confirm group membership
  5. Has the permissions cache been refreshed?
     • Permissions are cached for performance
     • Users may need to sign out and sign back in for changes to take effect
     • System Administrators can check the user's effective permissions using the Admin Panel

Users Can Create Too Many Record Types

If users can create record types they shouldn't be able to:

  1. Check for overly broad Role Assignments
     • Look for assignments with Content Type Scope = "All" that are too broadly targeted
  2. Are they System Administrators?
     • System Administrators automatically have permission to create all record types
     • Check Admin Panel → Administrator Access or the AdminEntraId environment variable
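The following is an added worked model, not Brief Connect's own code, of the three-step permission hierarchy described under "How Record Creation Permissions Work", applied to the configurations from Scenarios 1, 3 and 4 and to the two troubleshooting checklists above. The field names follow the guide (canCreateRecord, Content Type Scope, Public Access, User ID, AAD Group Name); the classes, function names, sample users and group names are assumptions constructed for the illustration. It shows which record types the Create Record wizard would offer a given user, flags Role Assignments that grant every user every record type, and names the first failing check from the "Users Can't Create Records" list.

```python
# Toy model of how Brief Connect evaluates the Can Create Record permission.
# Added illustration only, not the product's code: the field names follow
# the guide (canCreateRecord, Content Type Scope, Public Access, User ID,
# AAD Group Name) but the classes, functions and sample data are assumptions.
from dataclasses import dataclass

ALL = "All"  # Content Type Scope value meaning "any record type"
RECORD_TYPES = ("Cabinet Submission", "Ministerial Correspondence")


@dataclass(frozen=True)
class PermissionSet:
    name: str
    can_create_record: bool = False  # the Can Create Record checkbox


@dataclass(frozen=True)
class User:
    upn: str
    groups: frozenset = frozenset()  # Azure Entra ID group names
    is_system_admin: bool = False


@dataclass(frozen=True)
class RoleAssignment:
    unique_id: str
    content_type_scope: str  # ALL or one specific record type
    permission_set: PermissionSet
    public_access: bool = False
    user_ids: frozenset = frozenset()         # UPNs or Graph User IDs
    aad_group_names: frozenset = frozenset()  # Record Role Names are ignored for creation

    def targets(self, user: User) -> bool:
        """True if any of the three targeting options matches the user."""
        return (self.public_access
                or user.upn in self.user_ids
                or bool(self.aad_group_names & user.groups))


def can_create(user: User, record_type: str, assignments) -> bool:
    """The three-step hierarchy from the guide, evaluated in order."""
    if user.is_system_admin:  # 1. System Administrators create all types
        return True
    for a in assignments:     # 2. a Role Assignment that grants canCreateRecord,
        if (a.permission_set.can_create_record    # targets the user and
                and a.targets(user)               # covers this record type
                and a.content_type_scope in (ALL, record_type)):
            return True
    return False              # 3. otherwise denied


def creatable_types(user: User, assignments) -> list:
    """Record types the Create Record wizard would offer this user."""
    return [t for t in RECORD_TYPES if can_create(user, t, assignments)]


def overly_broad_assignments(assignments) -> list:
    """Troubleshooting aid: assignments granting every user every record type."""
    return [a.unique_id for a in assignments
            if a.permission_set.can_create_record
            and a.content_type_scope == ALL and a.public_access]


def diagnose(user: User, record_type: str, assignments) -> str:
    """Name the first failing check from the 'Users Can't Create Records' list."""
    if can_create(user, record_type, assignments):
        return "ok"
    granting = [a for a in assignments if a.permission_set.can_create_record]
    if not granting:
        return "no Role Assignment uses a Permission Set with canCreateRecord"
    if not any(a.targets(user) for a in granting):
        return "no granting Role Assignment targets this user"
    return "no targeted Role Assignment covers this Content Type Scope"


# Constructed sample configuration: Scenario 3 (two teams, two record types),
# Scenario 4 (named individuals) and a view-only assignment that grants nothing
# here; SCENARIO_1 is the public, all-types configuration kept separate.
AUTHOR_CABINET = PermissionSet("Author - Cabinet", can_create_record=True)
AUTHOR_CORRESPONDENCE = PermissionSet("Author - Correspondence", can_create_record=True)
VIEWER = PermissionSet("Viewer")  # canCreateRecord disabled

SCENARIO_3_AND_4 = (
    RoleAssignment("Cabinet-Submissions-Authors-Can-Create", "Cabinet Submission",
                   AUTHOR_CABINET, aad_group_names=frozenset({"BC - Cabinet Policy Team"})),
    RoleAssignment("Correspondence-Authors-Can-Create", "Ministerial Correspondence",
                   AUTHOR_CORRESPONDENCE, aad_group_names=frozenset({"BC - Correspondence Team"})),
    RoleAssignment("Named-Cabinet-Authors", "Cabinet Submission", AUTHOR_CABINET,
                   user_ids=frozenset({"john.smith@agency.gov.au", "jane.doe@agency.gov.au"})),
    RoleAssignment("Everyone-Can-View", ALL, VIEWER, public_access=True),
)
SCENARIO_1 = (RoleAssignment("All-Users-Can-Create", ALL, AUTHOR_CABINET, public_access=True),)

if __name__ == "__main__":
    cabinet_author = User("alice@agency.gov.au", frozenset({"BC - Cabinet Policy Team"}))
    for u in (cabinet_author, User("john.smith@agency.gov.au"), User("nobody@agency.gov.au")):
        print(u.upn, creatable_types(u, SCENARIO_3_AND_4),
              diagnose(u, "Ministerial Correspondence", SCENARIO_3_AND_4))
    print("overly broad:", overly_broad_assignments(SCENARIO_3_AND_4 + SCENARIO_1))
```

Note that the view-only assignment with Public Access enabled never grants creation, because the check starts from the Permission Set's canCreateRecord flag, and that adding the Scenario 1 assignment to a Scenario 3 configuration is exactly the "Content Type Scope = All, too broadly targeted" case the second troubleshooting list asks you to look for. The model does not represent the permissions cache, so a change is visible immediately here whereas in the product the user may need to sign out and back in.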

Changes Not Taking Effect

  • Users may need to sign out and sign back in for permission changes to take effect
  • The permissions cache is refreshed when users authenticate
  • For immediate testing, open an incognito/private browser window
