ACL on sys_journal_field table.
11-03-2020 01:02 PM
I am trying to add an ACL on Additional Comments entries. I don't want to hide all the additional comments. But if the additional comments have any sensitive information, like the SSN in the image below, I want to provide read access to those entries to only a few users with a particular role. Please let me know if anyone has tried this. I tried to add ACLs on the "sys_history_line" and "sys_journal_field" tables, but it is not working. Not sure if this UI formatter will skip the ACLs.

11-03-2020 01:39 PM
I tried to do something with a BR once for something similar and concluded that sys_journal_field is one of a few special tables in the system that does not run all of the same things that, say, the task table does.
The data you are talking about you are going to need to clear out before it can be entered into the system, and if it is already there you will need to clear it out of 4 tables, I think it is.
11-03-2020 05:24 PM

11-04-2020 09:10 AM
Yep, I understand that, and you are going to have to move the data to another field before it's written to the database. You are not going to be able to control it in the way you would like because the sys_journal_field table is a special table in the system.
Also, this data will get written to the server logs, which will not roll over for ~45 days, so you have a risk there also for this kind of thing.
The way I have resolved this before is to have a client script and a business rule looking for this kind of thing, and when it is found the client script does not allow the form to be submitted until the user removes the data and puts it in a PII/ePHI field that is encrypted, so that the data is not in the log. The business rule catches the things that are submitted in other ways and moves the data to the PII/ePHI field before saving it to the DB. I would not allow data like this to be put into any kind of journal field because of the protections, or lack thereof, on the sys_journal_field table.
It's not a simple solution to restrict this kind of thing, unfortunately.

11-03-2020 07:23 PM
Hello,
The activity formatter is not accessible to admins, so we cannot modify that.
One approach I can suggest is to create a new journal field on the incident (maybe task also) table and write a before business rule on the incident table. In the BR, check if comments contain any sensitive data and, if yes, copy the comments data to the new field and clear out the comments field.
Now you can write read ACL on the new field.
There might be better approach, but you may consider this one.
Thanks,
Ali
Thank you,
Ali
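
The two-layer check described in the replies above (a client-side block on submit, plus a before business rule that moves flagged text into a restricted field and clears the comment), as an added example that is not code from the thread's posters or from ServiceNow. It is plain JavaScript: `record` is a plain object standing in for the business rule's `current`, and the field name `u_restricted_notes`, the function names and the SSN pattern are assumptions.

```javascript
'use strict';

// US SSN shape: 3-2-4 digits with one consistent separator (dash, space or none).
// Rejects number ranges that are never issued (area 000/666/9xx, group 00, serial 0000).
const SSN_RE = /\b(?!000|666|9\d\d)\d{3}([- ]?)(?!00)\d{2}\1(?!0000)\d{4}\b/g;

// Return every SSN-shaped substring found in the text (empty array if none).
function findSsns(text) {
  return String(text || '').match(SSN_RE) || [];
}

// Client-side layer: an onSubmit handler would return this value,
// so false keeps the form from being submitted until the user edits it.
function allowSubmit(commentText) {
  return findSsns(commentText).length === 0;
}

// Server-side layer: logic for a "before" business rule. It catches input that
// bypassed the client script. u_restricted_notes is a hypothetical field that
// carries its own read ACL; the comment is cleared so it never reaches the journal.
function moveSensitiveComment(record) {
  if (findSsns(record.comments).length === 0) {
    return false; // nothing sensitive, leave the record alone
  }
  record.u_restricted_notes = record.comments;
  record.comments = '';
  return true;
}

// Constructed sample input (not real data).
const samples = [
  'Customer confirmed SSN 123-45-6789 over the phone',
  'Call back on 555-123-4567 after 3pm',
  'Ticket ref 000-12-3456 is not a valid SSN range',
];
for (const comments of samples) {
  const record = { comments, u_restricted_notes: '' };
  const moved = moveSensitiveComment(record);
  console.log(moved ? 'moved to restricted field' : 'left in comments', '|', comments);
}
```

Pattern matching of this kind misses values typed in other shapes, so it complements rather than replaces the restricted field and its ACL.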