ACL Hell :-)

kemmy1
Tera Guru

Hopefully my subject gets some attention.  🙂

We built a special role for our Change Management (I'll call it abc_change).

Right now I have it set up as:

[Two screenshots, not preserved]

So basically, if you have the role "abc_change" then you can only write to fields when the state is in draft, ARB Review, Application for Implementation AND the owner team is "one of my groups".
But I would like for ONE of the fields to be able to be writable no matter what the state is.

So I created a Write ACL: change_request.u_another_cr_needed with no conditions, but it's still only allowing it to be written when state is draft or ARB Review.

Do I seriously have to change the write change_request.* to remove the conditions and then add that condition to the other 100 or so fields just so that the change_request.u_another_cr_needed can be writable on all states?

Lisa

1 ACCEPTED SOLUTION

scott barnard1
Kilo Sage

Here's a nice explanation of * - not mine; some other poster did this one and I kept it as I liked it 🙂

Table.* is a field-level ACL which gives access to all fields on that table.

Table.none is a row-level ACL that allows you to access records.

I usually use an "image" of a house with rooms to explain it.

Your record (table.none) is a house

table.* means all the rooms

table.comments is one precise room (living room) of the house

So I'm a painter and you asked me to paint your living room.

You give me write access to table.* but not to table.none; that means I'll be able to modify fields (enter into the living room) BUT I won't be able to save the information (enter into the house).

And as I'm very polite, I won't try to enter by breaking the windows, so please, if you want me to paint your living room, give me access to your house.

Btw, take care when giving table.* because you're letting me access (read / write) all the rooms of the house, and sometimes we prefer to leave some doors closed, like the "office room", because we have private information there and I shouldn't (as a painter) have access to this information.

In that specific case, I'll give my painter:

 

  • house.none write access
  • house.living_room write access
  • BUT not house.*

 

 Regards
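The house analogy above as a small runnable model, added here as an example; it is not part of the original post and is not ServiceNow code or its API. The `owner` role, the sample rules and the function names are constructed, and the model assumes role-only rules, that a `table.field` rule is consulted before `table.*`, and that no matching rule means deny.

```javascript
// Simplified model of the "house" analogy. NOT ServiceNow code or its API.
// Assumptions: rules match on role only, a table.field rule is consulted
// before table.*, and a missing rule means deny.
const acls = [ // constructed sample rules
  { name: "house.none",        op: "write", roles: ["painter", "owner"] },
  { name: "house.living_room", op: "write", roles: ["painter", "owner"] },
  { name: "house.*",           op: "write", roles: ["owner"] },
];

function findRule(rules, name, op) {
  return rules.find((r) => r.name === name && r.op === op);
}

function passes(rule, userRoles) {
  return Boolean(rule) && rule.roles.some((role) => userRoles.includes(role));
}

// Returns { allowed, reason } for one user writing one field.
// `reason` names the rule that decided the outcome.
function canWrite(rules, userRoles, table, field) {
  // Row level: the front door of the house.
  if (!passes(findRule(rules, `${table}.none`, "write"), userRoles)) {
    return { allowed: false, reason: `${table}.none` };
  }
  // Field level: the specific room if it has a rule, otherwise "all rooms".
  const fieldRule =
    findRule(rules, `${table}.${field}`, "write") ||
    findRule(rules, `${table}.*`, "write");
  if (!passes(fieldRule, userRoles)) {
    return { allowed: false, reason: fieldRule ? fieldRule.name : "no matching rule" };
  }
  return { allowed: true, reason: fieldRule.name };
}

// The misconfiguration from the analogy: all rooms granted, no front door.
const noDoor = [{ name: "house.*", op: "write", roles: ["painter"] }];

console.log(canWrite(acls, ["painter"], "house", "living_room")); // allowed via house.living_room
console.log(canWrite(acls, ["painter"], "house", "office"));      // denied by house.*
console.log(canWrite(noDoor, ["painter"], "house", "living_room")); // denied by house.none
```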


6 REPLIES

scott barnard1
Kilo Sage

Enable the debugging and check out which ACL shows red against the field when you are in the desired state.

Also check the execution order of the ACLs and see if there is a later one blocking you.

In general ACL tends to go on the most specific ACL, but you can get odd sequence behaviour sometimes.

So on the change_request.u_another_cr_needed ACL:

Do you have the role added and then the 2 conditions for state?

Regards

So on the change_request.u_another_cr_needed ACL I have the role added and NO conditions. Seems like it's OK at this level, but then it goes to the change_request.* level and says "NOPE", can't do that!

Ct111
Tera Sage

Suppose you have four fields on which you want to restrict access; then you should create four write ACLs on those fields based on a condition like:

change_request.field1    write

Condition: state is either draft, ARB Review, Application

change_request.field2    write

Condition: state is draft, ARB Review, Application

....Similarly till the 4th field

And for the last one, which you want everyone to access, don't do anything; this will solve the purpose.

 

 

 

Mark my ANSWER as CORRECT and HELPFUL if it helped

That's what I was fearing. I have about 90 fields I would have to create ACLs for to accomplish this. 😞