
Data separation using ACL, based on user's Company, but certain users need access to multiple Companies

galavodasal
Giga Expert

Hi all,

We recently configured a multi-tenant environment and are looking to separate data based upon the user's Company. Originally, we had a read ACL on the task table where the only condition (other than role) was Company IS javascript:gs.getUser().getCompanyID().

This works fine if you're only dealing with a one-to-one relationship, but we're required to provide access to multiple companies for certain users.

For example, IT user John Smith's Company is ACME, but he needs access to view and write records where the Company is ACME, Disney, or AOL.

Looking for possible solutions using configuration, as scripting on ACLs can hinder performance.

Is there a way to use the parent, so the task read ACL would be:

Company.Parent IS javascript:gs.getUser().getCompanyID.getParent()

Is this possible?

Thank you!
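The two access rules discussed in the question above, modelled in plain JavaScript as an added example that is not part of the original post and does not use ServiceNow's API. The parent hierarchy, the `HoldCo` and `Initech` companies, the user `mary` and the `extraCompanies` grant list are all constructed assumptions for illustration.

```javascript
// Constructed sample data: company -> parent company ("" means no parent).
const PARENT = { ACME: "HoldCo", Disney: "HoldCo", AOL: "", Initech: "" };

// Constructed users. `extraCompanies` is a hypothetical per-user grant list.
const USERS = {
  john: { company: "ACME", extraCompanies: ["Disney", "AOL"] },
  mary: { company: "Initech", extraCompanies: [] },
};

// Rule A: explicit allow list. Access only to the user's own company
// plus companies granted to that user by name.
function allowByList(user, recordCompany) {
  if (!recordCompany) return false; // records without a company match nobody
  return recordCompany === user.company ||
         user.extraCompanies.includes(recordCompany);
}

// Rule B: the parent comparison proposed in the question, taken literally:
// record.company.parent === user.company.parent.
function allowByParentNaive(user, recordCompany) {
  return (PARENT[recordCompany] || "") === (PARENT[user.company] || "");
}

// Rule B hardened: an empty parent never matches; own company always does.
function allowByParentStrict(user, recordCompany) {
  if (!recordCompany) return false;
  if (recordCompany === user.company) return true;
  const userParent = PARENT[user.company] || "";
  return userParent !== "" && PARENT[recordCompany] === userParent;
}

// Companies visible to a user under a given rule, sorted for comparison.
function visible(rule, userName) {
  return Object.keys(PARENT).filter((c) => rule(USERS[userName], c)).sort();
}
```

In this model the literal parent comparison lets `mary`, whose company has no parent, match every other parentless company, while `john` still cannot reach AOL because it sits outside his parent group. The explicit list gives each user exactly the companies named for them.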

5 REPLIES

Daniel Draes
ServiceNow Employee

Uh.. should have updated this thread long ago I guess 🙂

Sure, this is possible. All you need is to create custom ACLs on the tables you want this logic to apply to.