Field Level Security

On this page:


The Field Level Security feature provides easy-to-use tools for the PowerSchool Administrator to configure and manage field-level security for PowerSchool SIS Admin and PowerSchool SIS Teacher fields that need to be limited. Users can be granted Full Access, View Only, or No Access to specific fields. It helps accomplish the following goals:

  • Protect PII (Personally Identifiable Information) so that unauthorized users cannot see or access it.
  • Protect data integrity by limiting who can edit specific fields, even though some other users may need to view the information.

Note: For more information about common usage scenarios and provides details on how to use FLS in customizations by utilizing DATs, lists, and conditional statements, see Knowledgebase article 71873.

Page Level Security vs. Field Level Security

Field Level Security is not a substitute for Page Level Security, but rather complementary to it. Users are never given more access than is granted at the page level. For example, if a user has Field Level Security set to "Full Access" on a particular field, but the page is set to "View Only" for that user, then the user will only be granted "View Only" access to the field on that page. Since Page Level Security only affects a single page, it is possible for a user to have full edit access on another page for the same field. There are some pages in PowerSchool that do not enforce FLS. These pages should continue to be secured through Page Level Security where possible:

  • Autosend
  • Import
  • Family Management
  • ReportWorks
  • Reports utilizing the SRP platform.

    Note: The SRP security mechanism can be used to secure these reports.
  • Reports utilizing the Reporting Engine where fields are called without DATs
  • Health

    Note: The health module has feature-level security in the Security Group settings.
  • New Student Enrollment
  • Transfer Out of School/Transfer Student Out

User Access Roles

User Access Roles are required to take advantage of Field Level Security. By themselves, roles are nothing more than a label. It is what you do with a role that gives it meaning in PowerSchool. Roles are very powerful tools allowing you to setup advanced security scenarios when mixed with Security Groups, Page Level Security and FLS. Users can have multiple roles tied to each of their school affiliations accommodating unique security configurations. All security roles are additive, meaning that for any particular setting users are given the highest level of access granted to any of their roles. For example, if a user has a role configured for No Access to the SSN field, but they have another role configured for View Only access, the effective security on SSN will be View Only.

Other Important Notes:

  • It is not recommended to set name fields to No Access. However, it is okay to secure name fields as View Only to prevent editing, but names will not be fully protected from displaying, as they are necessary for PowerSchool to function properly. Additionally, the ^(lastfirst) DAT will not be protected.
  • There are some special purpose pages where users will still be able to view data even if their field access level is set to No Access. System administrators are expected to utilize Page Level Security to restrict access to these pages. For a current list of the specific areas that do not enforce field level security, see Knowledgebase article 71873.
  • Existing tlist_sql tags used in custom pages that do not include the new FLS method tags will not be secured until they are updated with these new keywords. It is advised that you update any tlist_sql tags on custom pages that you need to be secure by FLS. For more information, see Knowledgebase article 71873.
  • Many Student Contacts fields are stored in another table and synced with the Students table (for example, Students.Emerg_Phone_1 is synced with PhoneNumber.PhoneNumberAsEntered). In these cases, the FLS rules for these fields are defined on the source table (PhoneNumber.PhoneNumberAsEntered) and not the synced table. For a complete list of Student Contact fields that are synced from other source tables, see Knowledgebase article 71873.

View Field Level Security

  1. On the start page, choose System under Setup in the main menu. 
  2. Under Security, click Field Level Security. The Field Level Security page displays the following information:

    Note: Click the arrow in the column heading to sort in ascending order. Click again to sort in descending order.

    Field

    Description

    Field Name

    The name of the field.

    Note: For a list of fields that are available to be secured through the Field Level Security system, see Knowledgebase article 72328.

    Table

    The PowerSchool table in which the field resides.

    Field Security

    If a checkmark appears, field level security has been applied to this field. If a checkmark does not appear, field level security has not been applied to this field.

    Actions

    Click to Edit icon to modify field level security for the field. For more information, see Modify Field Level Security.

Modify Field Level Security

  1. On the start page, choose System under Setup in the main menu. 
  2. Under Security, click Field Level Security
  3. Click the Edit icon. 
  4. Use the following table to enter information in the User Access Security section:

    Field

    Description

    Access 

    The level of permission granted to users in this role for the selected field: 

    • Full Access - When a field is set to this setting, the field appears editable. 

    • View Only - When a field is set to this setting, the field appears as read-only. 

    • No Access - When a field is set to this setting, the field appears with asterisks. 

    Roles

    The roles that have been assigned access. 

    Edit

    1. Click the Edit icon to modify roles for a given access level. The Edit Roles pop-up appears. 

    2. Select the checkbox next to each role that you want to assign to the access level. 

    3. Click OK. The Edit Roles pop-up closes. The selected roles(s) appears in the Roles column. 

    Note: A role can only be assigned to one access level. Roles will automatically be removed from any previous access level when added to a new level. 

    Everyone Else 

    The level of permission for everyone else. This setting affects all users that are not added to one of the other security levels for a field even if they do not have role associations. 

    If no roles are configured with security exceptions, this value is automatically set to Full Access. 

  5. Click Submit

Add an Extended Schema Field to Field Level Security

  1. On the start page, choose System under Setup in the main menu. 
  2. Under Security, click Field Level Security
  3. Click Add.
  4. Use the following table to enter information in the fields:

    Field

    Description

    Choose Table

    Choose the extended schema table you want to select fields from the pop-up menu. The Choose Fields field displays all fields for the selected extended schema table.

    Choose Fields

    Select the checkbox next to each field within the extended schema table you want to add to the Field Level Security page.

  5. Click Add Fields

Delete an Extended Schema Field from Field Level Security

  1. On the start page, choose System under Setup in the main menu. 
  2. Under Security, click Field Level Security
  3. Click the Delete icon. 
  4. Click OK