Access Caveats Configuration
Overview
Access Caveats are security labels that enable controlled access to restricted records containing sensitive information. When a record is marked as "Restricted" (Override Default Access = true), normal role-based permissions are limited, and Access Caveats determine which specialized teams can access the record.
How Access Caveats Work
Basic Flow
- Record Restriction: A user creates a record and selects a 'restricted' Security Classification label
- Caveat Selection: The user selects appropriate Access Caveats based on the sensitive content type
- Access Granting: The system grants access to users whose Role Assignments match the selected caveats
- Permission Enforcement: Only users with matching caveat permissions can view the restricted record
Available Caveat Types
The system provides four predefined Access Caveat types:
| Caveat Type | Purpose | Example Use Case |
|---|---|---|
| Personnel | HR and employment-related sensitive content | Staff disciplinary matters, salary reviews, recruitment decisions |
| Cabinet | Cabinet-related sensitive information | Cabinet submissions, confidential government decisions |
| Legal | Legal and litigation-related content | Legal advice, court proceedings, regulatory matters |
| Freedom of Information | FOI-related sensitive content | FOI requests, privacy assessments, information disclosure decisions |
Each of these groups must be mapped within a 'RoleAssignment' in the Brief Connect admin panel before they can be used.
Configuration Requirements
Prerequisites
Before configuring Access Caveats, ensure you have:
- Administrative access to the Brief Connect system
- Understanding of your organization's security groups and access requirements
Term Store Setup
Access Caveats are managed through the SharePoint Term Store under the "Teams" term set. The standard terms should already be configured:
- Personnel
- Cabinet
- Legal
- Freedom of Information
⚠️ Important: Do not modify these terms without careful consideration of existing Role Assignments and user access.
Role Assignment Configuration
Creating Caveat-Based Role Assignments
To grant access to restricted records with specific caveats, create Role Assignments in the Azure Storage Table with field value filters.
Example Configuration
Scenario: Grant Legal team members access to records with "Legal" caveats.
| Field | Value |
|---|---|
| PartitionKey | [RecordType] or All |
| RowKey | Legal Team Access |
| AADGroupNames | SG-BriefConnect-Legal-Team |
| PermissionSet | StandardUser |
| ForFieldValues | [{"ABCAccessCaveats":"~Legal"}] |
| Organisations | All |
| Stages | All |
Field Value Filter Syntax
[{"ABCAccessCaveats":"~Personnel"}] // Contains Personnel caveat
[{"ABCAccessCaveats":"~Cabinet"}] // Contains Cabinet caveat
[{"ABCAccessCaveats":"~Legal"}] // Contains Legal caveat
[{"ABCAccessCaveats":"~Freedom of Information"}] // Contains FOI caveat
Multiple Caveats: To grant access to records with multiple caveat types:
[{"ABCAccessCaveats":"~Personnel;Cabinet"}] // Contains Personnel OR Cabinet
Testing and Validation
Verification Process
- Create Test Records: Create restricted records with different caveat combinations
- Test User Access: Verify that users in caveat groups can access appropriate records
- Test Restrictions: Confirm that users without caveat access cannot view restricted records
- Document Permissions: Record the expected behavior for future reference
Test Scenarios
| Test Case | Record Setup | Expected Behavior |
|---|---|---|
| Personnel Access | Restricted record with "Personnel" caveat | Personnel team members can access, others cannot |
| Multi-Caveat Access | Restricted record with "Legal" + "Cabinet" caveats | Users with either Legal OR Cabinet access can view |
| No Caveat Match | Restricted record with "Legal" caveat | Users without Legal access cannot view |
| Non-Restricted Record | Standard record (not restricted) | Normal role-based permissions apply |
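The following is an added worked example, not Brief Connect code: a small Python model of the ForFieldValues filter syntax described above ('~' means contains, ';' separates OR alternatives) and of the restricted-record access decision, replayed against the Test Scenarios table. It assumes records carry their caveats in an `ABCAccessCaveats` list and their restriction flag as `OverrideDefaultAccess`, and it constructs Personnel and Cabinet group names alongside the page's Legal group name; the product's real evaluator may differ.

```python
import json

# Constructed model (assumption): Brief Connect's own evaluator is not on this page;
# this reproduces only the semantics the page describes ('~' = contains, ';' = OR).
def parse_filter(for_field_values):
    """[{"ABCAccessCaveats":"~Legal;Cabinet"}] -> [{"ABCAccessCaveats": {"Legal", "Cabinet"}}]"""
    parsed = []
    for entry in json.loads(for_field_values):
        conds = {}
        for field, expr in entry.items():
            if not expr.startswith("~"):
                raise ValueError(f"unsupported filter expression: {expr!r}")
            conds[field] = {v.strip() for v in expr[1:].split(";") if v.strip()}
        parsed.append(conds)
    return parsed

def filter_matches(for_field_values, record):
    """Any entry matches when every field it names has a value present on the record."""
    return any(all(set(record.get(f, [])) & vals for f, vals in conds.items())
               for conds in parse_filter(for_field_values))

def can_view(user_groups, record, role_assignments, normal_role_access=True):
    """Non-restricted records keep normal role-based permissions; a restricted record is
    visible only through a Role Assignment whose AAD group contains the user and whose
    caveat filter matches the record's caveats."""
    if not record.get("OverrideDefaultAccess", False):
        return normal_role_access
    return any(set(user_groups) & set(ra["AADGroupNames"])
               and filter_matches(ra["ForFieldValues"], record) for ra in role_assignments)

# Constructed Role Assignments shaped like the example configuration table; only the
# Legal group name appears on the page, the Personnel and Cabinet names are assumed.
ROLE_ASSIGNMENTS = [
    {"RowKey": f"{t} Team Access", "AADGroupNames": [f"SG-BriefConnect-{t}-Team"],
     "ForFieldValues": f'[{{"ABCAccessCaveats":"~{t}"}}]'}
    for t in ("Personnel", "Cabinet", "Legal")
]

def run_scenarios():
    """Replay the Test Scenarios table; returns {case: {team: can_view}}."""
    teams = {t: [f"SG-BriefConnect-{t}-Team"] for t in ("Personnel", "Cabinet", "Legal")}
    records = {
        "Personnel Access": {"OverrideDefaultAccess": True, "ABCAccessCaveats": ["Personnel"]},
        "Multi-Caveat Access": {"OverrideDefaultAccess": True, "ABCAccessCaveats": ["Legal", "Cabinet"]},
        "No Caveat Match": {"OverrideDefaultAccess": True, "ABCAccessCaveats": ["Legal"]},
        "Non-Restricted Record": {"OverrideDefaultAccess": False, "ABCAccessCaveats": []},
    }
    return {case: {t: can_view(g, rec, ROLE_ASSIGNMENTS) for t, g in teams.items()}
            for case, rec in records.items()}
```

Running `run_scenarios()` reproduces the expected behaviour column of the table; a filter string that omits the leading '~' is rejected rather than silently matching nothing, which is the check worth adding when troubleshooting ForFieldValues syntax.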
Troubleshooting
Common Issues
User Cannot Access Restricted Record:
1. Verify the record has a restricted security classification label applied
2. Check that appropriate caveats are selected on the record
3. Confirm user is in the correct Azure Entra ID security group
4. Verify Role Assignment exists with matching caveat filter
5. Check Role Assignment ForFieldValues syntax
Unexpected Access Granted:
1. Review all Role Assignments for the user's groups
2. Check for overly broad caveat filters
3. Verify caveat selection on the record matches expectations