Before query BR: how to restrict record access on parent table?
05-03-2017 08:15 AM
Hi,
Hopefully a fresh look at this by someone else than me can help me move in the right direction.
Let's start with the business requirement: restrict access to all Incidents and Questions that are assigned to certain assignment groups to users with a specific role (i.e. the assignment group members).
Incident and Question both extend the Task table.
I've opted for the before-query business rule path rather than restricting the records using ACLs. My ACL proof-of-concept turned bad really quickly.
Since I'm pretty new to the before-query business rule I've done some research, which ended up in a business rule on my Questions table, like this:
// If the user is not an HR agent and the session is an actual user session
if (!gs.hasRole('hr_agent') && gs.getSession().isInteractive()) {
    // Display records that are NOT assigned to an HR Confidentiality group, or that I have created for myself or someone else
    var user = gs.getUserID();
    current.addEncodedQuery('assignment_group.u_hr_confidentiality=false^ORu_reported_for=' + user + '^ORu_reported_by=' + user + '^ORopened_by=' + user);
}
This works just fine.
However, the records are only "partially" restricted, considering their corresponding rows can be viewed from the Task table. Choosing to open the record would render the "Record not found" message. Now you could argue that everything works as it should, and it does, but I do need to make sure that access to the records is entirely restricted, i.e. the corresponding rows are not displayed on the Task table.
Putting the business rule on the Task table instead has consequences for task types other than Incident and Question. I tried different ways to get this to work, for instance by using current.getTableName() to restrict the rule to the task types of interest (Incident and Question), but no luck there. Preferably I would like one business rule on the Task table instead of two separate ones on Incident and Question, but it makes for more trouble than good in this case.
Based on the above, does anyone have a suggestion on how to proceed?
I need to make sure that the records cannot be viewed in their entirety, and ACLs are not an option based on the early efforts I made.
Thanks in advance!
Labels: Best Practices, Scripting and Coding
05-04-2017 12:40 AM
Hi Liv and Amlan,
Thanks for your efforts.
Liv is correct, current.sys_class_name == 'incident' does not work.
current.getTableName() == 'incident' does however work, but it unfortunately still leaves me with my biggest headache: using this condition, the BR acts as if it runs on the Questions (child) table, meaning I still get an issue with restricted record rows appearing in the Task table.
The problems I'm experiencing are still:
- running the BR on the Task table (unconditioned) tends to affect more records than only the records of task type Question
- running the BR on the Task table (conditioned with current.getTableName()) makes the BR run as if it was on the Questions table, meaning the records I'm trying to restrict access to still appear as rows in the Task table (choosing to view would render the "Record not found" message).
Any other ideas on how to solve this?
Maybe a completely different approach?
Thanks!
05-04-2017 01:20 AM
Hi Tarik,
I'm glad that works but apologies for forgetting that it won't solve your complete issue! I had exactly the same issue a while back and unfortunately didn't find a solution. In the end we redesigned the project due to various other reasons so this was no longer too much of an issue for us. If you do find a solution, it would be great to hear what you find!
Liv
05-12-2017 03:03 AM
What I was trying to achieve was simply not possible using only the before-query BR.
Went back to implementing it using ACLs.
06-06-2018 06:02 AM
Hello,
I went through this issue today, so I want to share my findings with you:
First of all, an on-before-query BR is just a filter that we add to a query, so any condition on the current record does not work.
Second, an on-before-query BR on a child table is not executed on the parent table, so if you create one on incident, for example, you should do the same for task, because the restricted data can be viewed from a report on the task table, for example.
Third, if you want to execute the on-before-query BR on task but only for incident, you should build an OR query that gets all other task types plus your condition on task type incident.
Example of script:
var tasks = current.addQuery("sys_class_name", "!=", "incident");    // every task that is not an incident passes
var incident = tasks.addOrCondition("sys_class_name", "incident");   // OR the task is an incident ...
incident.addCondition(/* condition on incident: field, operator, value */); // ... AND it meets the incident-only condition
Regards,
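The condition tree from the answer above, as an added example that is not part of the original thread: a plain-JavaScript model (runnable outside ServiceNow, not ServiceNow script) of the filter a before-query business rule on Task needs so that the HR restriction applies to incident and question rows only, with the original poster's child-table filter applied to Task for contrast. The Questions table name `u_question`, the user ids and the sample rows are assumptions constructed for the example; the GlideQueryCondition calls the model mirrors are noted in comments.

```javascript
// Added example (not from the thread): an in-memory model of the condition
// tree a before-query business rule on Task needs so that the HR restriction
// applies only to incident and question rows, leaving every other task type
// untouched. Plain JavaScript, not ServiceNow script; the GlideQueryCondition
// calls it mirrors are noted in comments.
//
// Assumptions: the Questions table is named 'u_question', and the
// confidentiality flag is the dot-walked field
// 'assignment_group.u_hr_confidentiality' used in the original post.

const QUESTION_TABLE = 'u_question';          // assumed table name
const RESTRICTED_TYPES = ['incident', QUESTION_TABLE];

// Predicate combinators standing in for GlideQueryCondition nodes.
const eq = (field, value) => (row) => row[field] === value;
const ne = (field, value) => (row) => row[field] !== value;
const and = (...preds) => (row) => preds.every((p) => p(row));
const or = (...preds) => (row) => preds.some((p) => p(row));

// The original poster's filter: visible if the group is not confidential or
// the user reported/opened the record. Correct on the child tables, but
// applied to Task as-is it also hides confidential change requests, etc.
function childTableFilter(userId) {
  return or(eq('assignment_group.u_hr_confidentiality', false),
            eq('u_reported_for', userId),
            eq('u_reported_by', userId),
            eq('opened_by', userId));
}

// The structure from the 2018 answer, extended to both restricted types:
//   (class != incident AND class != u_question)
//   OR ((class = incident OR class = u_question) AND <childTableFilter>)
// In a BR on task this is roughly (assumed mapping, following the answer):
//   var other = current.addQuery('sys_class_name', '!=', 'incident');
//   other.addCondition('sys_class_name', '!=', 'u_question');
//   var hr = other.addOrCondition('sys_class_name', 'IN', 'incident,u_question');
//   hr.addCondition(<confidentiality / reported-by-me condition>);
function taskTableFilter(userId, isHrAgent) {
  if (isHrAgent) return () => true;            // hr_agent sees everything
  const otherTypes = and(...RESTRICTED_TYPES.map((t) => ne('sys_class_name', t)));
  const restrictedTypes = or(...RESTRICTED_TYPES.map((t) => eq('sys_class_name', t)));
  return or(otherTypes, and(restrictedTypes, childTableFilter(userId)));
}

// Constructed sample rows, shaped like a query on task would return them.
const TASK_ROWS = [
  { sys_id: 'inc1', sys_class_name: 'incident',       'assignment_group.u_hr_confidentiality': true,  u_reported_for: 'u2', u_reported_by: 'u2', opened_by: 'u2' },
  { sys_id: 'inc2', sys_class_name: 'incident',       'assignment_group.u_hr_confidentiality': true,  u_reported_for: 'u1', u_reported_by: 'u2', opened_by: 'u2' },
  { sys_id: 'inc3', sys_class_name: 'incident',       'assignment_group.u_hr_confidentiality': false, u_reported_for: 'u3', u_reported_by: 'u3', opened_by: 'u3' },
  { sys_id: 'q1',   sys_class_name: QUESTION_TABLE,   'assignment_group.u_hr_confidentiality': true,  u_reported_for: 'u2', u_reported_by: 'u2', opened_by: 'u2' },
  { sys_id: 'chg1', sys_class_name: 'change_request', 'assignment_group.u_hr_confidentiality': true,  u_reported_for: 'u2', u_reported_by: 'u2', opened_by: 'u2' },
];

function visibleIds(rows, filter) {
  return rows.filter(filter).map((r) => r.sys_id);
}

// u1 is not an hr_agent: confidential incident/question rows disappear unless
// u1 reported or opened them, while the change request stays visible.
console.log(visibleIds(TASK_ROWS, taskTableFilter('u1', false)));   // [ 'inc2', 'inc3', 'chg1' ]
// The child-table filter on Task hides the change request as well:
console.log(visibleIds(TASK_ROWS, childTableFilter('u1')));         // [ 'inc2', 'inc3' ]
```

The point the model makes is the grouping: the type check has to sit inside the same OR as the "everything else passes" branch, which is why a `current.getTableName()` guard around the whole rule cannot work (the rule on Task runs once for the whole query, not per row) and why the restriction has to be on Task itself rather than only on the child tables, since reports and lists on Task never run the child-table rule.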
04-11-2024 09:12 AM
Bro, I owe you a beer, thanks a lot, this is working, holy moly!