I’ve filed this with support, but curious if anyone else has seen calculations like sum getting around privacy rules.
I have a privacy rule on a table that allows the items to be found via search but there are no fields set to view access.
Despite this, I can see that users are able to see data that is summed from values coming from this table. See the debug below where the privacy rules are clearly in place, no “Amounts” are found as expected, however the sum function is returning the value for those amounts.
Privacy Rules don’t apply to aggregate searches, you can only stop this by unchecking Find this in searches. It’s not granular like privacy rules are, it’s all-or-nothing. What I would recommend is:
unchecking Find this in searches
using a backend workflow to calculate whatever you need using a search, and then toggling Ignore Privacy Rules on that backend workflow (still set appropriate conditions on that backend workflow)
retrieving the final result from your database
This way everything is being calculated behind-the-scenes on your backend.
Interesting - thanks for the info. I’m yet to receive any explanation from support.
In my use case I need the user to be able to find the items via search so the backend workflow they kick off can update them, however I do not need or want the user to be able to see all the fields associated with the item.
I am using role-based permissions where a user can create/update an item, but not see the details of said item, or the user can create/update/view the item. This is where the issue comes into play.
I have a workaround for now, but it seems incorrect to me that any piece of something limited by a privacy rule can be seen in aggregation.
I have other calculations that return a sum based on grouping that correctly do not show so it does appear it is purely related to using sum or similar aggregation of a field.
Closing the loop here and confirming what has largely already been said. My response from support is below:
“To provide some context, if you use aggregation operators like :count or :sum with a Do a search for, the individual items from the search don’t need to be retrieved as the operations would be folded into the search. Since the items can be found in the search, the sum would be calculated without exposing the data from the search itself.”
I then replied for my specific use case related to the sum value actually needing to be protected and received the following:
"I would like to note that aggregate searches, such as :count and :sum, are performed server side, so the actual values of the fields aren’t exposed to the client.
For example, if you were to perform the search in a repeating group and then use the repeating group’s data source with the :sum expression, the sum would be 0."
So again, ultimately working as designed, but not ideal for my use case in which I care about the sum not showing to the user who doesn’t have permission. I have a workaround using some table filtering and conditionals to resolve it.