ACL to limit users to edit group membership for groups they manage

mholt
Tera Contributor

Hi all,
We have a "NOC Supervisors" group that should be able to edit the membership of groups within their area, "NOC Tier 1", "NOC Tier 2", etc.  They'd navigate to one of the groups, and the "Edit" button is available on the "Group members" related list.  Groups they can't update wouldn't show the "Edit" button.  Other groups would have the same type of functionality.
Our approach at the moment is to add a field to the sys_user_group table for "Membership managed by", which is a List type field, and references the sys_user_group table.  This field would hold the groups whose members are allowed to manage this group.  So the "NOC Tier 1" group would have "NOC Supervisors" listed in this group.
We're also adding a role, u_group_management, that will be added to the groups that are allowed to edit the membership of other groups, such as "NOC Supervisors".
Finally, ACLs for the sys_user_grmember table for create/write/delete that include the u_group_management role and a script to see if the user is a member of a group in the "Membership managed by" field:
var result = false;

var u = gs.getUser();
// Reference to the sys_user_group row this membership belongs to.
// It is empty on the record-less (pre-query) evaluations of the ACL.
var g = current.group;
// "Membership managed by" is a List field: a comma-separated string of
// sys_user_group sys_ids. Coerce the GlideElement to a string before splitting.
var manageGroups = g.u_membership_managed_by.toString().split(',');

// Allow if the user belongs to any of the managing groups.
for (var i = 0; i < manageGroups.length; i++) {
    if (u.isMemberOf(manageGroups[i])) {
        result = true;
        break;
    }
}

answer = result;

It seems the ACL is being executed multiple times (3 to be exact).  Two of those times "current.group" is empty/nil, so the result evaluates to false.  One time "current.group" is filled correctly, and everything works fine.

Unfortunately, those two times "current.group" is empty/nil and returns false are causing the "Edit" button to not show up.
I found a page on pre-query and post-query ACL checks, and I'm wondering whether that's the cause of current being empty... and if so, how to resolve it? Or is this not the problem, and I'm doing something stupid? 😂
Hopefully all of this makes sense!  Thanks!
Marc
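The ACL check from the post, as an added example that is not the original poster's or ServiceNow's code: the membership test is pulled into a pure function and run against constructed stand-ins for gs.getUser() and current (hypothetical sys_ids, not values from the thread), replaying the two empty-group evaluations and the populated one the question describes. The empty-reference case fails closed, which is exactly the behaviour that hides the Edit button.

```javascript
// Added example, not the original poster's code: the ACL logic factored into a
// pure function that can be exercised outside ServiceNow, plus constructed
// stand-ins for `gs.getUser()` and `current` that replay the three evaluations
// described in the question (two with an empty current.group, one populated).

// "Membership managed by" is a List field, i.e. a comma-separated string of
// sys_user_group sys_ids. Returns true if the user belongs to any of them.
function canManageMembership(managedByValue, isMemberOf) {
  if (!managedByValue) return false; // empty field, or dot-walk through an empty reference
  return String(managedByValue)
    .split(",")
    .map((id) => id.trim())
    .filter((id) => id.length > 0) // ignore stray blanks such as "a,,b"
    .some((groupId) => isMemberOf(groupId));
}

// Equivalent of the ACL script body on sys_user_grmember. It returns the answer
// instead of assigning `answer`, and fails closed when current.group is empty,
// which is what the record-less (pre-query) evaluation looks like.
function evaluateAcl(current, gs) {
  const group = current.group;
  if (!group || group.nil()) return false;
  const user = gs.getUser();
  return canManageMembership(group.u_membership_managed_by, (id) => user.isMemberOf(id));
}

// Constructed stand-ins with hypothetical sys_ids (not values from the thread).
const SUPERVISORS_SYS_ID = "0000000000000000000000000000aaaa"; // "NOC Supervisors"
const OTHER_MANAGERS_SYS_ID = "0000000000000000000000000000bbbb";
const gsStub = {
  // The simulated user is a member of "NOC Supervisors" only.
  getUser: () => ({ isMemberOf: (id) => id === SUPERVISORS_SYS_ID }),
};
// "NOC Tier 1" reference: managed by two groups, one of which the user belongs to.
const tier1Ref = {
  nil: () => false,
  u_membership_managed_by: OTHER_MANAGERS_SYS_ID + ", " + SUPERVISORS_SYS_ID,
};
// The empty reference seen on two of the three evaluations.
const emptyRef = { nil: () => true, u_membership_managed_by: "" };

// Replays the three evaluations from the question: [false, false, true].
function simulateEvaluations() {
  return [emptyRef, emptyRef, tier1Ref].map((ref) => evaluateAcl({ group: ref }, gsStub));
}
```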


Mike_R
Kilo Patron

mholt
Tera Contributor

That is actually just about the same thing as I was doing, except that instead of a single user managing the group membership, I'm allowing multiple groups to manage a group's membership.  I had most of what was in there, except the business rule part that handles exactly what I was seeing; that was what was missing, and it solved my problem, so thank you!

I'm still hitting myself that I didn't think of that though 😆