ACL for a specific role
‎01-14-2020 01:42 AM
Hi guys,
I have a task to not allow process users to change their first name and last name on the user form. Process users have only got permission to write to the time zone and data format fields. I have mentioned what I have created below, but the problem I am seeing is that users who extend from the "user_admin" role can still make the write operations, which I do not want (roles which are contained by the user_admin role). Only specifically, admins and user_admins should be able to write to the first and last name fields on the user form.
Only 'user_admin' and 'admins' can make changes to all fields on the user form.
I have created 2 ACLs, one for 'sys_user.first_name' and the other for 'sys_user.last_name'. I have allowed admin override for both and provided 'user_admin' as the role condition. I have even created a script which doesn't work.
var answer = false; // Restrict access by default
if (gs.hasRole('user_admin')) {
    answer = true; // Allow access if user has the 'user_admin' role
}
‎01-14-2020 02:05 AM
‎01-14-2020 02:23 AM
Hi, thanks for your reply. I have the same solution as what you have provided but without the "itil" role, as I only want user_admin and admin to be able to write to the first_name and last_name fields. However, other users who have inherited roles from "user_admin" can also modify the fields. Are there any overrides I can do?
‎01-14-2020 03:39 AM
FYI: there is an OOB write ACL on sys_user that is granting write to user_admin on the whole record:
if (gs.getUserID() == current.sys_id || gs.getUser().hasRole('itil, user_admin, import_transformer, resource_manager, timecard_admin'))
    answer = true;
else
    answer = false;
What is the configuration of your process users?
Do they also have user_admin or not?
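Added example, not part of the thread and not ServiceNow platform code: a plain JavaScript model (runnable in Node) of why a `gs.hasRole('user_admin')`-style check also passes for users who receive `user_admin` through role containment, beside a stricter check that counts only direct grants. It assumes role assignments carry an `inherited` flag, as rows in `sys_user_has_role` do; the role `hr_user_manager` and all users are constructed.

```javascript
// Constructed model, not ServiceNow platform code. 'hr_user_manager' is a hypothetical role.
const CONTAINS = {                       // role -> roles it contains
  hr_user_manager: ['user_admin'],
  user_admin: [],
  admin: [],
};

// Build rows shaped like role assignments: one per (user, role) with an `inherited` flag.
function expandGrants(user, directRoles) {
  const rows = new Map();
  directRoles.forEach(r => rows.set(r, { user, role: r, inherited: false }));
  const queue = [...directRoles];
  while (queue.length) {
    for (const child of CONTAINS[queue.shift()] || []) {
      if (!rows.has(child)) {
        rows.set(child, { user, role: child, inherited: true });
        queue.push(child);
      }
    }
  }
  return [...rows.values()];
}

// Models the gs.hasRole('user_admin') check from the question: inherited grants count.
function hasRoleEffective(rows, role) {
  return rows.some(r => r.role === role);
}

// Stricter variant: only a grant made directly to the user counts.
function hasRoleDirect(rows, role) {
  return rows.some(r => r.role === role && !r.inherited);
}

// Field-level write decision for first_name / last_name, with admin override.
function canWriteName(rows, strict) {
  if (hasRoleEffective(rows, 'admin')) return true;
  return strict ? hasRoleDirect(rows, 'user_admin') : hasRoleEffective(rows, 'user_admin');
}

// Constructed sample users.
const USERS = {
  alice: expandGrants('alice', ['user_admin']),
  bob: expandGrants('bob', ['hr_user_manager']),   // gets user_admin by containment
  carol: expandGrants('carol', []),                // process user, no relevant role
  dave: expandGrants('dave', ['admin']),
};

for (const [name, rows] of Object.entries(USERS)) {
  console.log(name, 'hasRole-style:', canWriteName(rows, false), 'direct-only:', canWriteName(rows, true));
}
```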