ACL to hide records not in users domain
‎06-16-2017 02:40 AM
Hello,
I need some guidance/assistance with an issue I'm having. I'm trying to create an ACL to hide all the CMDB records that aren't in a user's domain. Ideally I don't want them to see any CMDB record that isn't in their domain (also filtering out anything in global).
I'm relatively new to ACLs & CMDB so any help would be appreciated.
I created the below ACL
But when I impersonate the target user I get the following. I would have expected to see the first 7 records and not all 851 records, as 844 of them are in global.
Is there something I'm fundamentally missing?
Many thanks
‎06-16-2017 03:05 AM
Hi Kyren,
Your ACL is for cmdb_ci.*, meaning you are restricting all fields on the CMDB table, and not the actual records. If you set the second drop-down of the Name field to NONE, the ACL applies to records.
However, ACLs are used for allowing/restricting access, and not for preventing users from querying a record. Meaning that if you cannot access a record due to ACL restrictions, you can still query it and get a security constraints message as the record cannot be displayed, but you know it is there.
If you want to ensure that the list does not give you the total number of records, an ACL is not enough. For that, you would need to write Query Business Rules. Search for some Business Rules already in your system with the filter Query = True to get some samples.
Also, beware how you set your ACLs and Query Business Rules up, because you might want to hide these CIs from domain-specific users (itil and ess) but don't want to hide them from your globally functioning itil users.
Kind regards,
Zoltan
‎06-16-2017 05:30 AM
Appreciate the response, and I've gone and made the changes you mentioned.
I've updated the ACL to the following. However, when viewing the CI records this now shows the records in global; is that to be expected?
Records from the user's view: as you can see, there are global records showing despite the filter of domain = javascript:gs.getUser().getDomainID()
I have got a query business rule working and it would appear to be showing only records in the user's domain. But I'm still a little curious as to why the above doesn't work. Am I misunderstanding something?
Should I couple the above ACL with the Query BR?
thanks!
‎06-19-2017 08:09 AM
Hi Kyren,
It really depends on where you are. gs.getUser().getDomainID() is often mistakenly believed to return the user's native domain (the domain in which the user is stored). However, it actually returns the domain the user is currently in.
It is also often mistakenly believed that "global" is actually a domain. It is not a domain; it is the instance itself. So any records which are domain separated (have the sys_domain field) with an empty Domain field value are practically "global".
I believe you should couple the above with Query Business Rules; however, it is only worth doing so once you are certain that your ACL actually works properly. You can check that by browsing all cmdb_ci records and perhaps filtering out all domains, or setting a filter of Domain = empty or Domain = global, and confirming that you get the "number of rows removed from this list by security constraints" message. When you have that, you know your ACL works and disallows access. Then it is time to build Query rules to hide that message as well; this way, there is no way from the back end or the front end to access that data.
I would also check all other ACLs on the same table [cmdb_ci], as you might have other ACLs conflicting with your new one; some out-of-the-box ones most probably allow every itil user to access all CIs always. So I assume your ACL is ignored as another one cancels it...
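As an added example (not the rule the original poster built, which was never shared, and not ServiceNow's own code), here is the shape of the "before query" Business Rule on cmdb_ci that Zoltan describes in the two replies above. It applies the two caveats from the thread: it uses the domain the user is currently working in (gs.getUser().getDomainID()), and it treats an empty sys_domain (or the literal 'global') as global and therefore hides it from domain-bound users, while leaving admins and users working in the global domain untouched. The `current` and `gs` objects are stubbed with constructed fakes so the logic can be run offline; the domain sys_ids, CI names and the 'admin'/'itil' role checks are assumptions for illustration.

```javascript
// 'Before query' Business Rule on cmdb_ci: restrict non-global users to CIs
// in the domain they are currently working in. Stubs for `current`
// (GlideRecord) and `gs` (GlideSystem) are constructed below so the logic
// runs outside ServiceNow; on the platform the real objects are supplied.

// Rule body as it would go in the Business Rule script field
// (When: before, Query: true). In ServiceNow `gs` is a global; it is a
// parameter here only so the stub can be injected.
function executeRule(current, previous, gs) {
  // Admins, and anyone whose *current* domain is global, keep full
  // visibility. getDomainID() reflects the domain the user is working in
  // (e.g. after a domain switch), not the domain the user record lives in.
  if (gs.hasRole('admin')) {
    return;
  }
  var domainId = gs.getUser().getDomainID();
  if (!domainId || domainId === 'global') {
    return;
  }
  // Everyone else: only rows whose sys_domain equals the user's current
  // domain. Global records (empty sys_domain, or the literal 'global')
  // fail this equality and are dropped before the row count is computed,
  // so no "rows removed by security constraints" hint is shown.
  current.addQuery('sys_domain', domainId);
}

// --- constructed stubs (not ServiceNow APIs) -----------------------------
function FakeGlideRecord(rows) {
  this.rows = rows;
  this.conditions = [];
}
FakeGlideRecord.prototype.addQuery = function (field, value) {
  this.conditions.push({ field: field, value: value });
};
// Applies the accumulated conditions to the in-memory rows and returns the
// rows the user would see (and that would be counted in the list).
FakeGlideRecord.prototype.query = function () {
  var conds = this.conditions;
  return this.rows.filter(function (row) {
    return conds.every(function (c) { return row[c.field] === c.value; });
  });
};

function fakeGs(currentDomain, roles) {
  return {
    hasRole: function (role) { return roles.indexOf(role) !== -1; },
    getUser: function () {
      return { getDomainID: function () { return currentDomain; } };
    }
  };
}

// Constructed sample CMDB. Domain sys_ids are placeholders; '' is how a
// global record appears (empty sys_domain), as noted in the thread, and
// 'global' covers instances that store the literal instead.
var SAMPLE_CIS = [
  { name: 'acme-web01',   sys_domain: 'acme_domain_sys_id' },
  { name: 'acme-db01',    sys_domain: 'acme_domain_sys_id' },
  { name: 'techco-app01', sys_domain: 'techco_domain_sys_id' },
  { name: 'core-dns01',   sys_domain: '' },
  { name: 'core-ldap01',  sys_domain: '' },
  { name: 'core-proxy01', sys_domain: 'global' }
];

// CI names a user with the given current domain and roles would see.
function visibleCiNames(currentDomain, roles) {
  var current = new FakeGlideRecord(SAMPLE_CIS);
  executeRule(current, null, fakeGs(currentDomain, roles));
  return current.query().map(function (row) { return row.name; });
}

// Example run: an itil user working in the ACME domain sees only ACME CIs.
console.log(visibleCiNames('acme_domain_sys_id', ['itil']));
```

Two things to check before deploying something like this: the rule uses exact equality on sys_domain, matching the filter in the thread, so if your setup relies on parent-domain users seeing child-domain records, those would be hidden too and the condition would need to account for the hierarchy; and, as Zoltan notes, confirm the record-level ACL already blocks access on its own before adding the query rule, so that a later change to the rule cannot silently reopen read access.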
‎09-22-2020 07:25 AM
Hello,
Did you get a solution for this?
Could you please share the query business rule?