‎11-18-2019 04:27 AM
Hi there,
I am trying to restrict write access to a specific table, which I have done with a write ACL; however, I still need to allow a role to attach a document. I know the write ACL controls the access to attach documents, but is there a way to still allow a user with a specific role to attach an attachment without having write access to any of the fields?
Thank you

‎11-18-2019 04:47 AM
Create a write ACL on the table for the role you want to give attachment access. Here, set the ACL name as table_name and none (table level).
Then create another write ACL on the table with the name table_name and * (all fields) to give write access only to the intended roles (by this, the above role will have write access at the table level but will not be able to update any field).
Hope this helps.
Thanks,
Ali
Thank you,
Ali

‎11-18-2019 05:07 AM
Thank you very much! This has worked.
‎05-28-2024 10:31 AM
This does work, but it isn't very scalable. For example, in Continuous Authorization and Monitoring, there are four OOB table.none write ACLs for the different OOB CAM roles. All but the admin role have a script condition requiring the logged-in user to be inserted into the respective user reference field on the record to be edited to allow the "lower" CAM roles to satisfy the ACL (e.g. the logged-in user must be inserted into the system_owner field on the Authorization Boundary record for the ACL with cam.sys_owner as the role requirement to be satisfied). Is there not a solution that would have less technical debt than creating a table.* ACL that incorporates all of these different script conditions for each role? Also, if new roles are created to be used on this table, the table.* ACL would have to be updated every time a new role is to be given write permission (or simply the ability to attach something to the record).
‎06-03-2024 08:52 PM
I was trying to solve the problem of how to allow an itil role user the ability to add attachments to an application table, but it took a while to wrap my head around the answer above as it wasn't clear to me. I was thinking it might need an ACL on the sys_attachments table in relation to the sn_bcp_plan table. But once I figured it out, your answer made sense.
1. Create the ACL rule on the sn_bcp_plan table with (none) with only role "itil" - this allows anyone with the itil role to now add attachments to a record on the sn_bcp_plan table. (I also used a filter to limit the state as well.) However, this now also allows the itil user to update fields that are otherwise not locked down via other ACLs. So you need the 2nd ACL.
2. Create the ACL rule on the sn_bcp_plan table with * for all the other non-itil roles that need write access to be able to update fields on this record. This "denies" the itil role user write access, as the field-level ACL resolution comes after the table-level ACL.
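
The two-rule pattern described in the answers above, as an added example that is not part of any post in this thread and is not ServiceNow platform code: a simplified JavaScript model of write-ACL resolution that compares the table with only the table-level rule against the table with the `*` rule added. The role `bcp_editor`, the field `plan_name` and all function names are hypothetical; the model assumes role-only rules with no conditions or scripts.

```javascript
// Simplified model of write-ACL resolution as described in this thread.
// Assumptions: a rule passes if the user holds any of its roles; rules with
// the same name are OR-ed; a missing table-level rule denies; a missing
// field-level rule adds no further restriction.
function levelPasses(acls, name, user) {
  const rules = acls.filter((a) => a.operation === 'write' && a.name === name);
  if (rules.length === 0) return null; // no rule defined at this level
  return rules.some((r) => r.roles.some((role) => user.roles.includes(role)));
}

// Record-level write: the check the thread says governs attaching a file.
function canAttach(acls, table, user) {
  return levelPasses(acls, table, user) === true;
}

// Field write: table-level rule first, then table.field, then table.*.
function canWriteField(acls, table, field, user) {
  if (!canAttach(acls, table, user)) return false;
  let fieldResult = levelPasses(acls, `${table}.${field}`, user);
  if (fieldResult === null) fieldResult = levelPasses(acls, `${table}.*`, user);
  return fieldResult !== false; // null: no field-level rule applies
}

// Constructed sample users and rules (bcp_editor is a hypothetical role).
const itil = { roles: ['itil'] };
const editor = { roles: ['bcp_editor'] };

// Step 1 only: table-level (none) rules, no field-level rule yet.
const step1 = [
  { name: 'sn_bcp_plan', operation: 'write', roles: ['itil'] },
  { name: 'sn_bcp_plan', operation: 'write', roles: ['bcp_editor'] },
];
// Step 2 added: a table.* rule listing only the roles that may edit fields.
const step2 = step1.concat([
  { name: 'sn_bcp_plan.*', operation: 'write', roles: ['bcp_editor'] },
]);

function report(acls) {
  return {
    itilAttach: canAttach(acls, 'sn_bcp_plan', itil),
    itilEdit: canWriteField(acls, 'sn_bcp_plan', 'plan_name', itil),
    editorEdit: canWriteField(acls, 'sn_bcp_plan', 'plan_name', editor),
  };
}

console.log('step 1 only:', report(step1)); // itil can attach and edit
console.log('steps 1 + 2:', report(step2)); // itil can attach, cannot edit
```

After changing ACLs on a real instance, confirm the same three outcomes by impersonating a user who holds only the attach-only role.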