The following rules must be followed when changing roles, access groups, and security rules.
Access Groups
-
Do not remove the delivered access groups.
-
Existing access groups can be removed or replaced on delivered methods, entry points, and relationships.
-
Do not remove existing access groups from delivered roles.
-
-
Custom relationships, methods, and entry points require a custom access group.
Roles
-
Existing roles can be extended with custom access groups. However, you must not remove existing access groups.
-
New roles can be created with any mix of existing or new access groups.
Security Rules
-
Security rules provide conditional access to data items by access group and can be freely edited.
Security rules can have a major impact on system performance and the delivered security
rules have been configured to improve system performance by moving some relationships
to object properties. Any customized rules will not benefit from these improvements
so don't create complex rules that lead to queries with a large number of ORs or JOINs.