
ACL & Admin Overrides

kyren_cooper
Kilo Expert

Hello guys,

I was wondering if anyone would be able to help me out. I created a role called escalation_admin and I've since added some ACLs to a field for Write and List_edit which require that role.

I've ensured that Admin override was set to false but when looking at the fields as an Admin they still appear to be changed despite my admin account not having the escalation_admin role I've created and delegated in the ACL. My goal was to restrict this to everyone including admins unless they had the escalation_admin role.

Can I get some guidance on what I'm doing wrong?

Thanks all


1 ACCEPTED SOLUTION

Hi Kyren,



This is because admin users pass role checks. That's why basing your ACL only upon role checks would not be efficient when it comes to managing admins' access, and we have to keep in mind that admins are in control of the platform: they can grant roles to themselves, manage group memberships and ACLs.



Despite that, to make this work for this use case, you need to create an ACL which has additional conditions beyond only role checks.


You may consider creating a group for your escalation admins, and do a group check in your ACL script on top of the role check in the Requires role related list:



answer = gs.getUser().isMemberOf('Escalation Admins');



Hope this helps.


Cheers,
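
The difference between the two ACL scripts in this thread, shown as an added example that is not part of the original posts and is not ServiceNow code. `makeGs` is a hypothetical stand-in for the server-side `gs` object that models only the behaviour the accepted solution describes (admins pass role checks); the sample users and the `aclAllows` evaluation model are constructed assumptions.

```javascript
// Simplified stand-in for the server-side `gs` object (constructed for this
// example, NOT ServiceNow code). It models one behaviour from the accepted
// solution: a user holding `admin` passes every role check.
function makeGs(user) {
  return {
    hasRole: (role) => user.roles.includes('admin') || user.roles.includes(role),
    getUser: () => ({ isMemberOf: (group) => user.groups.includes(group) }),
  };
}

// ACL script suggested in the replies: role check only.
function roleOnlyScript(gs) {
  var answer = gs.hasRole('escalation_admin');
  return answer;
}

// ACL script from the accepted solution: group membership check.
function groupScript(gs) {
  var answer = gs.getUser().isMemberOf('Escalation Admins');
  return answer;
}

// Assumed evaluation model: the "Requires role" list and the script must both pass.
function aclAllows(user, requiredRole, script) {
  const gs = makeGs(user);
  return gs.hasRole(requiredRole) && script(gs);
}

// Constructed sample users.
const users = {
  plainAdmin: { roles: ['admin'], groups: [] },
  escalationAdmin: { roles: ['admin', 'escalation_admin'], groups: ['Escalation Admins'] },
  roleWithoutGroup: { roles: ['escalation_admin'], groups: [] },
  itilUser: { roles: ['itil'], groups: [] },
};

// Evaluate the write ACL for every sample user with the given script.
function evaluateAll(script) {
  const out = {};
  for (const [name, user] of Object.entries(users)) {
    out[name] = aclAllows(user, 'escalation_admin', script);
  }
  return out;
}

console.log('role-only script:', evaluateAll(roleOnlyScript));
console.log('group script:    ', evaluateAll(groupScript));
```

Only the group check keeps the plain admin out. Since admins can manage group memberships, as the answer notes, changes to that group's membership are worth auditing.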



8 REPLIES 8

Harish KM
Kilo Patron

Can you share the ACL screenshot?

Also turn on debugging and check whether there is any other ACL not allowing yours to override.


Regards
Harish

Thanks for the quick reply. Screenshot below as requested.





In the script, put answer=true;

If that doesn't work:

// Grant access only when the role check passes
if (gs.hasRole('rolename')) {
  answer = true;
} else {
  answer = false;
}

Regards
Harish

Hello,



I've attempted that as seen below - and thank you for that, but unfortunately when reviewing as an admin user who doesn't have the role it is still editable.


