ACL scenarios, looking for clarity

darshan-pra
Tera Expert

table.none to itil, table.* itil_admin, table.priority admin. So what fields would itil_admin be able to access? If itil_admin contains the itil role, then what will be the case? Also, do parent and child roles play a role in ACLs?

1 REPLY

Rafael Batistot
Kilo Patron

Hi @darshan-pra 

1. table.none ACL

  • This ACL applies to all users, even those without any roles.
  • If table.none denies access, it can block access entirely, unless another ACL explicitly allows it.
  • It's often used as a default deny rule.

2. table.* ACL with itil_admin role

  • This ACL allows access to all fields in the table for users with the itil_admin role.
  • If a user has itil_admin, they can access the table and its fields unless a more specific field-level ACL restricts access.

3. table.priority ACL with admin role

  • This ACL restricts access to the priority field to users with the admin role.
  • Even if a user has itil_admin, they won’t be able to access the priority field unless they also have admin.

Role Inheritance: itil_admin contains itil

  • If itil_admin includes itil as a child role:
    • A user with itil_admin will also satisfy ACLs that require itil.
    • But a user with only itil will not satisfy ACLs that require itil_admin.

This is called role hierarchy or role inheritance.
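The scenario from this thread as a small runnable model. This is an added example, not part of the reply above and not ServiceNow's own evaluation code. It assumes read access, a placeholder table named `table`, a hypothetical second field `short_description`, and the rule-to-role mapping given in the question; admin override on ACLs is not modeled.

```javascript
// Simplified model of the thread's scenario (not the platform's ACL engine).
// Role containment as stated in the thread: itil_admin contains itil.
const CONTAINS = { itil_admin: ["itil"] };

// ACL name -> role required, taken from the question ("table" is a placeholder).
const ACLS = {
  "table.none": "itil",          // table-level rule
  "table.*": "itil_admin",       // wildcard field rule
  "table.priority": "admin",     // specific field rule
};

// Expand directly granted roles with every contained (child) role.
function effectiveRoles(granted) {
  const seen = new Set();
  const stack = [...granted];
  while (stack.length) {
    const role = stack.pop();
    if (seen.has(role)) continue;
    seen.add(role);
    stack.push(...(CONTAINS[role] || []));
  }
  return seen;
}

// A field is readable only if the table-level rule passes AND the most
// specific field rule passes (table.<field> is checked before table.*).
function canReadField(granted, table, field) {
  const roles = effectiveRoles(granted);
  const tableRule = ACLS[`${table}.none`];
  if (tableRule && !roles.has(tableRule)) return false;
  const fieldRule = ACLS[`${table}.${field}`] ?? ACLS[`${table}.*`];
  // Assumption: with no field rule at all, the table-level result stands.
  return fieldRule === undefined || roles.has(fieldRule);
}

// Constructed sample users: directly granted roles only.
const users = {
  itil_only: ["itil"],
  itil_admin: ["itil_admin"],
  itil_admin_plus_admin: ["itil_admin", "admin"],
};
for (const [name, granted] of Object.entries(users)) {
  for (const field of ["short_description", "priority"]) {
    console.log(name, field, canReadField(granted, "table", field));
  }
}
```

Containment only flows downward: `itil_admin` gains `itil`, so it passes the table-level rule and the wildcard rule, but the more specific `table.priority` rule still blocks it without `admin`.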