‎03-14-2017 03:12 AM
Hello guys,
I was wondering if anyone would be able to help me out. I created a role called escalation_admin and I've since added some ACLs to a field for Write and List_edit which require that role.
I've ensured that Admin override was set to false but when looking at the fields as an Admin they still appear to be changed despite my admin account not having the escalation_admin role I've created and delegated in the ACL. My goal was to restrict this to everyone including admins unless they had the escalation_admin role.
Can I get some guidance on what I'm doing wrong?
Thanks all
‎03-14-2017 04:29 AM
Hi Kyren,
This is because admin users pass role checks.
That's why basing your ACL only upon role checks would not be efficient when it comes to managing admins' access,
and we have to keep in mind that admins are in control of the platform: they can grant roles to themselves, manage group memberships and ACLs.
Despite that, to make this work for this use case, you need to create an ACL which has additional conditions beyond only role checks.
You may consider creating a group for your escalation admins, and do a group check in your ACL script on top of the role check in the Requires role related list:
answer = gs.getUser().isMemberOf('Escalation Admins');
Hope this helps.
Cheers,
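The behaviour described in the answer above, as an added example that is not part of the original thread and not ServiceNow's own code: a simplified JavaScript model of ACL evaluation in which admins pass every role check, so only the scripted group check keeps a plain admin out. The names `makeUser`, `evaluateAcl` and `accessMatrix`, the ACL object shape, the sample users and the modelled behaviour of the admin-overrides flag (admins skip the rule's other checks when it is set) are assumptions made for illustration.

```javascript
// Simplified model of ACL evaluation: an assumption for illustration,
// not ServiceNow's implementation. All users below are constructed samples.
function makeUser(roles, groups) {
  return {
    // As the answer states, a user with the admin role passes every role check.
    hasRole: (role) => roles.includes('admin') || roles.includes(role),
    isMemberOf: (group) => groups.includes(group),
  };
}

// acl = { requiresRoles: string[], adminOverrides: boolean, script?: (user) => boolean }
function evaluateAcl(acl, user) {
  // Assumed flag semantics: with the override set, an admin skips all other checks.
  if (acl.adminOverrides && user.hasRole('admin')) return true;
  const roleOk = acl.requiresRoles.length === 0 ||
    acl.requiresRoles.some((role) => user.hasRole(role));
  const scriptOk = acl.script ? acl.script(user) : true;
  return roleOk && scriptOk; // every part of the rule has to pass
}

const users = {
  plainAdmin: makeUser(['admin'], []),
  escalationUser: makeUser(['escalation_admin'], ['Escalation Admins']),
  itilUser: makeUser(['itil'], []),
};

const groupCheck = (user) => user.isMemberOf('Escalation Admins');
const acls = {
  roleOnly: { requiresRoles: ['escalation_admin'], adminOverrides: false },
  roleAndGroup: { requiresRoles: ['escalation_admin'], adminOverrides: false, script: groupCheck },
  overrideOn: { requiresRoles: ['escalation_admin'], adminOverrides: true, script: groupCheck },
};

// Returns { aclName: { userName: allowed } } for every combination.
function accessMatrix() {
  const matrix = {};
  for (const [aclName, acl] of Object.entries(acls)) {
    matrix[aclName] = {};
    for (const [userName, user] of Object.entries(users)) {
      matrix[aclName][userName] = evaluateAcl(acl, user);
    }
  }
  return matrix;
}

console.log(accessMatrix());
```

In this model the `roleOnly` rule lets the plain admin write, while `roleAndGroup` denies the same admin until the account is added to the group.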
‎03-14-2017 04:40 AM
Hero!
With a combination of both your help this has worked! The script used is at the bottom. When testing using an Admin account the following is now read only.
Many thanks to the two of you!
    if (gs.getUser().isMemberOf('Escalation Admins')) {
        answer = true;
    } else {
        answer = false;
    }
‎07-05-2017 03:37 AM
Just wondering what's the use of the "admin overrides" checkbox if admin will override whether it is true or false?
‎07-05-2017 03:41 AM
Something I was also wondering at the time! If/when someone finds out the purpose of an "Admin Override" check box within ACLs, please let us know!