ACL Understanding

sainath3
Mega Guru

Hi All,

 

I have created a table: u_database

 

Created users with roles:

Test user 1 having Demo role, test user 2 having Demo2 role, both these users having table level ACL (u_database_user).

Now I have modified the existing Create ACL (table.None): removed table ACL & added Demo role.


Output:

Only Test user1 has access to create the record from both list view & form view; Test user2 doesn't have access to create a record from both list view & form view.

 

My questions:

1. What is the difference between table.None & Table.*?

In both scenarios, users who don't have a role are able to access it from both list view & form view.

2. Even if I uncheck the Admin override, how is Admin able to access the records? Admin doesn't have the table level ACL.

My requirement:

User can't create a record from list view, but he should create it from form view.

 

 


Community Alums
Not applicable

Hi Sainath,

1. Difference Between Table.None and Table.*

  • Table.None ACL:

    • Applies only to the table itself, not to any specific fields.
    • Commonly used for operations that do not involve fields (like create, delete, etc.).
    • Example: A create ACL with Table.None governs whether users can create records in that table at all.
  • Table.* ACL:

    • Applies to all fields of the table unless more specific field-level ACLs exist.
    • Example: A read ACL with Table.* governs whether users can read the table's records and all its fields.

Behavior of Users Without Roles:

  • If there are no restrictive ACLs in place (e.g., public access is allowed), users without roles may still access the table.
  • Ensure appropriate restrictions (such as roles) are added to the ACL to prevent unauthorized access.

2. Admin Override

  • Why Admin Can Access Records Even Without Specific ACLs:
    • By default, Admins bypass all ACLs unless Admin override is unchecked.
    • Even with Admin override unchecked, Admins can still access records if granted through elevated privileges or global system ACLs (e.g., roles like security_admin or inherited roles).

User Should Create Records Only from Form View, Not List View

To achieve this, you need to apply ACLs that differentiate between the two views:

Step 1: Create a Create ACL for List View

  1. Navigate to System Security > Access Control (ACL).
  2. Create a new ACL for the create operation:
    • Table: u_database
    • Type: None
    • Conditions:

Add a script to check if the user is attempting to create from the list view:

// An ACL script grants or denies by setting the answer variable
if (gs.isInteractive()) {
    var referrer = gs.getSession().getStack().getReferrer();
    // Allow only if not from list view
    answer = !!referrer && referrer.indexOf('list') === -1;
} else {
    answer = true;
}

Assign this ACL to the Demo role (or the role your users have).

Step 2: Allow Create from Form View

Ensure the form view is accessible to the user:

No additional configuration needed; the default behavior allows record creation from the form if create ACL permits.


If you found this useful, please mark it as helpful and accept it as the solution.
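
A simplified model of the table-level (None) create check discussed in this thread, added here as an example; it is not code from the posts above and not ServiceNow's own engine. The user records, role lists and the `rulePasses`/`canDo` helpers are constructed for illustration, and only rules that name the table directly are modelled (no parent-table or `*` fallback, no condition or script).

```javascript
// Constructed rule set mirroring the thread: the create ACL on u_database
// (type None) requires the Demo role and has Admin overrides unchecked.
const rules = [
  { table: 'u_database', operation: 'create', roles: ['Demo'], adminOverrides: false },
];

// Constructed users mirroring the thread.
const users = {
  testUser1: { roles: ['Demo', 'u_database_user'] },
  testUser2: { roles: ['Demo2', 'u_database_user'] },
  admin: { roles: ['admin'] },
};

// A single rule: with Admin overrides checked, an admin passes automatically;
// otherwise the user must hold at least one of the rule's required roles.
// A rule with an empty role list places no role requirement on the user.
function rulePasses(rule, user) {
  if (rule.adminOverrides && user.roles.includes('admin')) return true;
  return rule.roles.length === 0 || rule.roles.some((r) => user.roles.includes(r));
}

// Table-level decision: the user needs to pass only ONE of the rules that
// match this table and operation. Returns null when no rule names the table,
// because the outcome then depends on rules this model does not cover.
function canDo(ruleSet, user, table, operation) {
  const matching = ruleSet.filter((r) => r.table === table && r.operation === operation);
  if (matching.length === 0) return null;
  return matching.some((r) => rulePasses(r, user));
}

// Report which of the constructed users may create u_database records.
function report(ruleSet) {
  const out = {};
  for (const name of Object.keys(users)) {
    out[name] = canDo(ruleSet, users[name], 'u_database', 'create');
  }
  return out;
}

console.log(report(rules));
```

Under this model a second create rule that lists Demo2 is enough to let test user 2 in, because passing any one matching rule grants the operation.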