11-28-2018 08:31 AM
Hopefully my subject gets some attention. 🙂
We built a special role for our Change Management (I'll call it abc_change).
Right now I have it set up as:
So basically, if you have the role "abc_change" then you can only write to fields when the state is in draft, ARB Review, Application for Implementation AND the owner team is "one of my groups"
But I would like for ONE of the fields to be able to be writable no matter what the state is.
So I created a Write ACL: change_request.u_another_cr_needed with no conditions, but it's still only allowing it to be written when state is draft or ARB Review.
Do I seriously have to change the write change_request.* to remove the conditions and then add that condition to the other 100 or so fields just so that the change_request.u_another_cr_needed can be writable on all states?
Lisa
11-28-2018 08:45 AM
Here's a nice explanation of * - not mine, some other poster did this one and I kept it as I liked it 🙂
Table.* is a field-level ACL which gives access to all fields on that table.
Table.none is a row-level ACL that allows you to access records.
I usually use an "image" of a house with rooms to explain it.
Your record (table.none) is a house
table.* means all the rooms
table.comments is one precise room (living room) of the house
So I'm a painter and you asked me to paint your living room.
You give me write access to table.* but not to table.none, that means I'll be able to modify fields (enter into the living room) BUT I won't be able to save the information (enter into the house).
And as I'm very polite, I won't try to enter by breaking the windows, so please, if you want me to paint your living room, give me access to your house.
Btw, take care when giving table.* because you're letting me access (reading / writing) all the rooms of the house, and sometimes we prefer to keep some doors closed, like the "office room", because we have private information there and I shouldn't (as a painter) have access to this information.
In that specific case, I'll give my painter:
- house.none write access
- house.living_room write access
- BUT not house.*
Regards
11-28-2018 09:00 AM
1.) Consolidate your change_request writes into one. The "change_request" ACL alone will not allow people to write to changes regardless of the field type. So your "change_request.*" is redundant. If the two differ in conditions, consolidate into one and write a script that returns true or false as the answer depending on your conditions in the script. If you can't script it, make them both the same "change_request" // "change_request" instead of "change_request" // "change_request.*" and use the condition drop downs.
2.) Add change_request.u_another_cr_needed as a write operation with no conditions. If leaving everything blank (roles, conditions, script) does not work, then click the advanced check box, and put
true;
in the script field.
See if that helps. And to answer your other question, if it's logically sound you should never have to create an ACL for every single field.
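
The house-and-rooms explanation in this thread, as an added example that is not part of any post and is not ServiceNow platform code: a simplified JavaScript model in which a write needs both the row-level rule and the most specific matching field-level rule. It assumes the row-level change_request rule may carry the same state condition as change_request.*; the "Implement" state, the short_description field and the sample records are constructed for illustration.

```javascript
// Added example: simplified model of write-ACL evaluation, not platform code.
// Assumption: write access needs the row-level rule (table.none) AND the most
// specific matching field-level rule (table.field, otherwise table.*).
const EDITABLE_STATES = ["Draft", "ARB Review", "Application for Implementation"];
const stateAndTeam = (rec) => EDITABLE_STATES.includes(rec.state) && rec.ownerTeamIsMine;
const always = () => true;

// rowCondition is the condition placed on the row-level change_request rule.
function buildAcls(rowCondition) {
  return {
    "change_request": { role: "abc_change", condition: rowCondition },
    "change_request.*": { role: "abc_change", condition: stateAndTeam },
    "change_request.u_another_cr_needed": { role: "abc_change", condition: always },
  };
}

// A rule passes only when it exists, the user holds its role, and its condition is true.
function passes(acl, user, rec) {
  return Boolean(acl) && user.roles.includes(acl.role) && acl.condition(rec);
}

function canWriteField(acls, user, rec, field) {
  if (!passes(acls["change_request"], user, rec)) return false; // the house door
  const fieldAcl = acls["change_request." + field] || acls["change_request.*"];
  return passes(fieldAcl, user, rec); // the room door
}

// Constructed sample data.
const user = { roles: ["abc_change"] };
const draft = { state: "Draft", ownerTeamIsMine: true };
const implement = { state: "Implement", ownerTeamIsMine: true };

// Returns a map such as { "draft.short_description": true, ... } for one ACL set.
function report(acls) {
  const out = {};
  for (const [label, rec] of [["draft", draft], ["implement", implement]]) {
    for (const field of ["short_description", "u_another_cr_needed"]) {
      out[label + "." + field] = canWriteField(acls, user, rec, field);
    }
  }
  return out;
}

console.log("row rule conditioned:", report(buildAcls(stateAndTeam)));
console.log("row rule unconditioned:", report(buildAcls(always)));
```

In this model the unconditional field rule only takes effect once the row-level rule also passes in that state, while every other field stays governed by the conditioned change_request.* rule.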