Before query BR: how to restrict record access on parent table?
05-03-2017 08:15 AM
Hi,
Hopefully a fresh look at this by someone other than me can help me move in the right direction.
Let's start with the business requirement: restrict access to all Incidents and Questions that are assigned to certain assignment groups - to users with a specific role (=the assignment group members).
Incident and Question both extend the Task table.
I've opted for the before-query business rule path rather than restricting the records using ACLs. My ACL proof-of-concept turned bad really quickly.
Since I'm pretty new to the before-query business rule I've done some research which ended up in a business rule on my Questions table, like this:
// If user is not a hr agent and if the session is an actual user session
if (!gs.hasRole('hr_agent') && gs.getSession().isInteractive()) {
    // Display records that are NOT assigned to a HR Confidentiality- group or that I've created for me or someone else
    var user = gs.getUserID();
    current.addEncodedQuery('assignment_group.u_hr_confidentiality=false^ORu_reported_for=' + user + '^ORu_reported_by=' + user + '^ORopened_by=' + user);
}
This works just fine.
However, the records are "partially" restricted considering their corresponding rows can be viewed from the Task table. Choosing to open the record would render the "Record not found"-message. Now you could argue that everything works as it should - and it does - but I do need to make sure that access to the records is entirely restricted, i.e. not display the corresponding rows on the Task table.
Putting the business rule on the Task table instead has consequences for other task-types than Incident and Question. I tried different ways to get this to work, for instance by using current.getTableName() to restrict the rule to the task-types of interest (Incident and Question) but no luck there. Preferably I would like one business rule on the Task table instead of two separate ones on Incident and Question, but it makes for more trouble than good in this case.
Based on the above, does anyone have a suggestion on how to proceed?
I need to make sure that the records cannot be viewed in their entirety and ACLs are not an option based on the early efforts I made.
Thanks in advance!
Labels: Best Practices, Scripting and Coding

05-03-2017 08:30 AM
Putting the Business Rule on the Task table should work, I think. Perhaps you can share the code for the Business Rule you tried on the Task table?
05-04-2017 12:30 AM
Hi Nia,
Thanks for your reply.
The BR on Task table is basically the same piece of code - with added '^sys_class_name!=u_question_task' (= all Task-types that are not Question) in the query, since I experienced that it does not return task types that do not contain the u_question_task fields I query for, which comes as no surprise.
Like I said initially, putting the BR on the Task table kind of complicates things.
05-03-2017 08:32 AM
Hi Tarik,
Just for your information, you can run the same business rule on the Task table also. All you need is to set the Condition as current.sys_class_name == 'incident'. This Business Rule will run only for the Incident table then.
I hope this helps. Please mark correct/helpful based on impact.
05-03-2017 08:47 AM
Hi Amlan/Tarik,
You don't normally have access to 'current' in the normal sense in before-query BRs, so I'm not sure that adding "current.sys_class_name == 'incident'" to the condition will work. Since the business rule is running BEFORE it queries the database for the records, it cannot establish things about the current record as it doesn't have the records yet, if that makes sense.
However, I know that you can use current.getTableName() == 'incident' in the condition of before query BRs (I think the function works slightly differently to simply saying current.sys_class_name) as I have used this myself for the same issue.
Let me know if this is helpful!
Liv
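
Added example, not part of any post in this thread and not ServiceNow's own code: a model of a single before-query rule placed on Task that leaves other task types alone, run over constructed rows to check what each user would see on the Task list. The `makeQuery` and `gsStub` stand-ins, the row data, and the omission of the `u_reported_for`/`u_reported_by` conditions (fields the thread places on the Question table only) are assumptions.

```javascript
// Class names to guard, as quoted in the thread.
const GUARDED = ['incident', 'u_question_task'];
const CONF = 'assignment_group.u_hr_confidentiality';

// Rule body: uses only the gs/current calls that appear in the original post.
function restrictTaskQuery(current, gs) {
  if (!gs.hasRole('hr_agent') && gs.getSession().isInteractive()) {
    const user = gs.getUserID();
    // One OR group: other task types pass untouched; guarded types must be
    // non-confidential or opened by the user. Only Task-level fields are used.
    current.addEncodedQuery('sys_class_nameNOT IN' + GUARDED.join(',') +
      '^OR' + CONF + '=false^ORopened_by=' + user);
  }
}

// Hypothetical stand-in for `current`: stores added queries and filters rows.
// Simplified evaluator: handles only '^OR'-joined terms using '=' and 'NOT IN'.
function makeQuery(rows) {
  const queries = [];
  return {
    addEncodedQuery(q) { queries.push(q); },
    run() {
      return rows.filter(r => queries.every(q => q.split('^OR').some(t => {
        const [, field, op, value] = t.match(/^(.+?)(NOT IN|=)(.*)$/);
        return op === '=' ? r[field] === value
                          : !value.split(',').includes(r[field]);
      }))).map(r => r.number);
    }
  };
}

// Hypothetical stand-in for `gs` in an interactive session.
const gsStub = (roles, id) => ({
  hasRole: role => roles.includes(role),
  getSession: () => ({ isInteractive: () => true }),
  getUserID: () => id
});

// Constructed rows as they would appear on the Task list.
const ROWS = [
  { number: 'INC1', sys_class_name: 'incident', [CONF]: 'true', opened_by: 'u2' },
  { number: 'INC2', sys_class_name: 'incident', [CONF]: 'false', opened_by: 'u2' },
  { number: 'QST1', sys_class_name: 'u_question_task', [CONF]: 'true', opened_by: 'u1' },
  { number: 'CHG1', sys_class_name: 'change_request', [CONF]: 'true', opened_by: 'u2' }
];

// Numbers of the rows a user with the given roles and id would get back.
function visibleTo(roles, id) {
  const current = makeQuery(ROWS);
  restrictTaskQuery(current, gsStub(roles, id));
  return current.run();
}
```

Checking the query against constructed rows like this, before deploying it, shows whether a confidential Incident or Question row would still surface in the parent-table list.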