Dealing with multiple ACLs

Neel Patel
Giga Guru

Hi All,

 

I have been working through an ask to hide attachments of certain tables from admin users (due to sensitive info).

Obviously the way to achieve this is on ACLs, but for some reason on my instance there are 24 different "read" ACLs which one way or the other give access to the attachments for admins.

Any best practice on how to deal with this?

I have tried to create a new ACL specific to my table, but it does not seem to work.

 

1 ACCEPTED SOLUTION

Tony Chatfield1
Kilo Patron

Hi, yes there are a lot of read ACLs for sys_attachment but these are primarily table specific.
If 1 ACL elevates to true then access will be granted and you cannot reverse this by adding a 'new' deny ACL, meaning you will need to identify and alter (or disable) any sys_attachment ACLs that are evaluating to true (for the related table) and you should be able to identify specific ACLs via security debug.
Once you have a smaller subset of ACL records relevant to your related table (some of the table specific evaluation may be via script within the ACL), you will need to review each ACL and then update to ensure your admin users are excluded correctly.
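
An added example, not part of the original posts and not ServiceNow's own code: a simplified stand-alone JavaScript model of the rule described in the accepted solution, where one passing read ACL grants access, so a new restrictive ACL has no effect until every passing ACL is altered. The ACL records, roles, the table name `u_sensitive_case` and all helper names are constructed for illustration.

```javascript
// Simplified model: access is granted as soon as ANY matching read ACL passes.
// Constructed sample ACLs on sys_attachment (ids, roles and scripts are hypothetical).
const acls = [
  { id: 'acl_incident', active: true, roles: ['itil'],
    script: (att) => att.table_name === 'incident' },
  { id: 'acl_generic', active: true, roles: [],
    script: (att, user) => user.roles.includes('admin') },
  { id: 'acl_owner', active: true, roles: [],
    script: (att, user) => att.sys_created_by === user.name },
];

// One ACL passes only if it is active, the role requirement is met and its script is true.
function aclPasses(acl, attachment, user) {
  if (!acl.active) return false;
  const roleOk = acl.roles.length === 0 || acl.roles.some((r) => user.roles.includes(r));
  return roleOk && acl.script(attachment, user);
}

// The subset a security debug session would surface: ACLs that evaluate to true.
function passingAcls(aclList, attachment, user) {
  return aclList.filter((a) => aclPasses(a, attachment, user)).map((a) => a.id);
}

function canRead(aclList, attachment, user) {
  return passingAcls(aclList, attachment, user).length > 0;
}

// Alter an existing ACL so admins are excluded for one related table only.
function excludeAdminFor(acl, table) {
  const original = acl.script;
  return { ...acl, script: (att, user) =>
    !(att.table_name === table && user.roles.includes('admin')) && original(att, user) };
}

const admin = { name: 'admin.user', roles: ['admin'] };
const attachment = { table_name: 'u_sensitive_case', sys_created_by: 'case.worker' };

// A new table-specific ACL that is false for admins does not remove their access.
const newAcl = { id: 'acl_new_sensitive', active: true, roles: [],
  script: (att, user) => att.table_name === 'u_sensitive_case' && !user.roles.includes('admin') };
const withNewAcl = [...acls, newAcl];

// Identify the ACLs that passed, then alter each of them.
const passing = passingAcls(withNewAcl, attachment, admin);
const fixed = withNewAcl.map((a) =>
  (passing.includes(a.id) ? excludeAdminFor(a, 'u_sensitive_case') : a));

console.log(passing, canRead(withNewAcl, attachment, admin), canRead(fixed, attachment, admin));
```
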
