ACL not working properly

amaneet
Kilo Contributor

Hi Folks,

I have one custom table/application and have modified one ACL out of the ones which get generated automatically.

My intention is to limit the visibility of records to only those where they are assigned.

So I have modified the read ACL to include one more role (ITIL)

and wrote an advanced script

answer = current.assigned_to == gs.getUserID();

Everything works fine except the ITIL users are not able to create new records. Only the submit button appears on the form (no fields).

If I remove the advanced script from the read ACL, they are able to create.

Am I missing something? Please guide.

15 REPLIES

amaneet
Kilo Contributor

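It's working, missed current in newRecord()

answer = false;
// Grant read on records assigned to the current user, and on new (unsaved) records so the form can render
if (current.assigned_to == gs.getUserID() || current.isNewRecord())
{
    answer = true;
}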


one more try at explaining it just cause i have to put my two cents in...

you have 2 layers of acl evaluation... you have to have ONE yes from each level to have access....

first it checks the table... so if you have 3 read acl's on the table.. 2 reject you and one says yes... you have access to the table.

then it checks the field.... again you only need ONE yes to have access to the field...

so for acl troubleshooting you have to get TWO yes's.. one at the table level <table. null> and one at the field level <a table.* is a yes on all fields>

hope that helps


Dave Smith1
ServiceNow Employee

Just for clarification:


one at the table level <table. null> and one at the field level <a table.* is a yes on all fields>


Documentation refers to this as table.NONE - despite the fact it shows up in the ACL form simply as table (nothing following).


so if you have 3 read acl's on the table.. 2 reject you and one says yes... you have access to the table.


This is an important point I may not have mentioned in my explanation below: multiple ACLs have an OR condition, not an AND, between them.



  • Each ACL is a doorway in, so as Raymond explains it: two doorways being locked but the third being open means you can gain entry to the room.
  • Don't think of each ACL as being several locks on one door (i.e.: an AND situation) where all rules must be satisfied to unlock the door.
  • However, the ACL itself must have several criteria - can be one of the stipulated roles AND the filter condition must also hold true (e.g.: can be either itil role, asset role or knowledge_manager role BUT the "Created By" field must hold their name, so they only get to manipulate their own records)

Or maybe they need to have write access to those fields.
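Added example, not part of any reply in this thread and not ServiceNow platform code: a small JavaScript model of the evaluation described above (one passing table-level ACL plus one passing field-level ACL, with role AND script inside each ACL). It shows why the original read script hides every field on a new record and why the isNewRecord() check fixes it. The table name u_custom, the user and record objects and all helper names are hypothetical, and treating an ACL with no roles as open to any user is an assumption of the model.

```javascript
// Simplified model of the ACL evaluation described in this thread (hypothetical, not platform code).
// Inside one ACL the checks are ANDed: the user needs one of its roles AND the script must return true.
function aclPasses(acl, user, record) {
  // Assumption: an ACL with an empty role list places no role requirement.
  const roleOk = acl.roles.length === 0 || acl.roles.some(r => user.roles.includes(r));
  return roleOk && acl.script(record, user);
}

// Between ACLs the checks are ORed: ONE passing table-level ACL (table.NONE)
// and ONE passing field-level ACL (table.* or table.<field>) are both required.
function canAccess(acls, op, table, field, user, record) {
  const forOp = acls.filter(a => a.operation === op);
  const tableOk = forOp.filter(a => a.name === table)
    .some(a => aclPasses(a, user, record));
  const fieldOk = forOp
    .filter(a => a.name === `${table}.*` || a.name === `${table}.${field}`)
    .some(a => aclPasses(a, user, record));
  return tableOk && fieldOk;
}

// Constructed sample data.
const TABLE = "u_custom";
const FIELDS = ["short_description", "assigned_to"];
const itilUser = { id: "u1", roles: ["itil"] };
const newRecord = { assigned_to: "", isNew: true };     // unsaved form, nobody assigned yet
const ownRecord = { assigned_to: "u1", isNew: false };
const otherRecord = { assigned_to: "u2", isNew: false };

// The two read scripts from the thread, expressed against the model's objects.
const assignedOnly = (rec, user) => rec.assigned_to === user.id;
const assignedOrNew = (rec, user) => rec.assigned_to === user.id || rec.isNew;

function buildAcls(tableReadScript) {
  return [
    { name: TABLE, operation: "read", roles: ["itil"], script: tableReadScript },
    { name: TABLE, operation: "read", roles: ["admin"], script: () => true },
    { name: `${TABLE}.*`, operation: "read", roles: [], script: () => true },
  ];
}

function visibleFields(acls, user, record) {
  return FIELDS.filter(f => canAccess(acls, "read", TABLE, f, user, record));
}

console.log("original script, new record:  ", visibleFields(buildAcls(assignedOnly), itilUser, newRecord));
console.log("fixed script, new record:     ", visibleFields(buildAcls(assignedOrNew), itilUser, newRecord));
console.log("fixed script, other's record: ", visibleFields(buildAcls(assignedOrNew), itilUser, otherRecord));
```

In the model, the second table-level ACL (admin only) does not help the ITIL user, so the failing script on the first one leaves no "yes" at the table level and the form renders with no fields.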


abhishekdash
ServiceNow Employee

Hello Amaneet,



I think you have given access to only table and not the fields.


Please try below steps and see if it works:



1. Open the ACL where you have added the script. (i.e. answer = current.assigned_to == gs.getUserID();)


2. You will see that the field Name = tablename.none


3. Change it to Name = tablename.* (something like below):



Screen Shot 2017-07-12 at 1.11.09 PM.png


4. Right click on the header of the record and click on 'Insert with Roles':



Screen Shot 2017-07-12 at 1.12.41 PM.png



5. Clear the cache (cache.do)


6. Log out and Re-login



Let me know if this resolves the issue.



Thanks,


Abhishek


