Anything you wish to achieve through Security processes needs to be planned and documented.
Start from the most elementary level, refine it and then gradually add more complex levels.
Roles are the first level of security. If a Role does not have access to a window, it does not matter if Data Access allows access to the table.
We suggest you create a new Role when experimenting with Security Settings. If the Settings are adequate, you may assign Users to this Role. Keep the defined Roles until a new Tenant is created, but change the password and restrict the access.
If a Role is defined as not allowed to Report or to Export, then the Security specific to the table defined in Data Access is ignored.
A Role needs to have the right to Report in order to have the right to Export.
Security Settings are saved in the Cache Memory. If the settings are changed, you need to log out or to reset the cache.
Only accessible data can be blocked.
Include is the most restrictive access. Deselecting the Exclude checkbox indicates that all records that were not specifically included are excluded.
If you want to restrict the access to a column to Read Only, first check that the column is not required somewhere else, or that it has a default (implicit) value, so that Users can still enter new records.
Before restricting the access to a required field, make sure it has a default value.
You may not exclude the access to required fields (e.g. by not displaying them).
If you want to restrict the access to data that is sensitive because of its importance (e.g. Specific Accounts), you need to define the Security Access at Record Level for the specific accounts. Select both the Exclude and the Dependent Entities checkboxes. The Role's Users will not be able to view the Specific Account in the Account Element window. Furthermore, they won't have access to it in the Real Account Balance Sheets or Details, or be able to select the account in queries or reports.
If you want to define the Record Access Security Rules you need to activate the Record Blocking option.
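The precedence rules above (Role before Data Access, Report before Export, Include versus Exclude) can be checked on paper before changing a live Role. The following is an added illustrative model, not the product's own code; the class names, the `account` table name, the record ids and the allow-by-default behaviour when no table entry exists are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class RecordRule:
    """Record-level Data Access entry for one table (hypothetical model)."""
    record_ids: set
    exclude: bool  # True = Exclude checked, False = Include (most restrictive)

@dataclass
class Role:
    name: str
    windows: set = field(default_factory=set)         # windows the Role may open
    can_report: bool = False                          # Role-level Report right
    can_export: bool = False                          # Role-level Export right
    table_report: dict = field(default_factory=dict)  # table -> reportable (Data Access)
    record_rules: dict = field(default_factory=dict)  # table -> RecordRule

def can_view_record(role, window, table, record_id):
    # The Role is the first level: without window access, Data Access is irrelevant.
    if window not in role.windows:
        return False
    rule = role.record_rules.get(table)
    if rule is None:
        return True  # assumption: no record rule means no record restriction
    listed = record_id in rule.record_ids
    # Exclude hides the listed records; Include hides everything not listed.
    return not listed if rule.exclude else listed

def may_report(role, table):
    # If the Role may not Report, the table-level setting is ignored.
    if not role.can_report:
        return False
    return role.table_report.get(table, True)  # assumption: allowed when unset

def may_export(role, table):
    # Export additionally requires the right to Report.
    return role.can_export and may_report(role, table)

# Constructed sample Roles; record 1000 stands in for a sensitive account.
clerk = Role("Clerk", windows={"Account Element"}, can_report=True,
             record_rules={"account": RecordRule({1000}, exclude=True)})
auditor = Role("Auditor", windows={"Account Element"}, can_export=True,
               table_report={"account": True},
               record_rules={"account": RecordRule({2000}, exclude=False)})
outsider = Role("Outsider", can_report=True, can_export=True)
```

The `auditor` Role shows the two easy mistakes together: Export is granted without Report, so nothing can be exported, and the Include rule leaves only record 2000 visible.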