Deny Unless allowing access - why?

Kelly Logan
Kilo Sage

We are running Yokohama and have a custom form called HRIS Request. On that form is a Social Security Number field that we would like only certain HR users to be able to see.  To that end, we created a Deny Unless ACL tied directly to that field (see screenshot), with a role condition. 

[screenshot: KellyLogan_0-1753197325332.png]

But in practice, the ACL is passing everyone, whether or not they have this role. Is there something different about a custom role? It is defined in global scope, though the form is in HRIS Request scope. 

When I use the Access Analyzer, it confirms that both users with (P) and without (N) the role are being passed by the rule (see screenshot below) - why? 

[screenshot: KellyLogan_1-1753198055057.png]

The rule itself is provided by a group, but not by other roles. When I check 'N's user account, they do not have the role directly nor inherited.
So why is the Deny Unless not denying? 

1 ACCEPTED SOLUTION

Kelly Logan
Kilo Sage

Two things - First the test was incorrect because apparently N is an admin. 

Second, I created a new role with the same scope as the custom form "HRIS Request" and tested with a non-admin user that didn't have the role and now it is working as expected.

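As an added illustration (not code from the thread or from ServiceNow), a small JavaScript model of the two behaviours the accepted solution turns on: a user holding the admin role passes every ACL regardless of its role condition, and a role check must include roles inherited through role containment. All role names and users here are constructed.

```javascript
// Simplified model of evaluating a field ACL with a "deny unless" role
// condition. Constructed example, not ServiceNow's real ACL engine.

// Constructed role-containment graph: parent role -> roles it grants.
const ROLE_CONTAINS = {
  u_hr_ssn_admin: ['u_hr_ssn_viewer'], // hypothetical role names
  u_hr_manager: ['u_hr_ssn_admin'],
};

// Expand a user's directly assigned roles to the full set they
// effectively hold, following containment transitively.
function effectiveRoles(directRoles) {
  const seen = new Set();
  const stack = [...directRoles];
  while (stack.length) {
    const role = stack.pop();
    if (seen.has(role)) continue;
    seen.add(role);
    for (const child of ROLE_CONTAINS[role] || []) stack.push(child);
  }
  return seen;
}

// Deny unless the user holds the required role (directly or inherited).
// The admin role short-circuits the check, which is why testing an ACL
// with an admin account proves nothing about the role condition.
function aclPasses(user, requiredRole) {
  const roles = effectiveRoles(user.roles);
  if (roles.has('admin')) return { pass: true, reason: 'admin overrides the ACL' };
  if (roles.has(requiredRole)) return { pass: true, reason: `holds ${requiredRole}` };
  return { pass: false, reason: `missing ${requiredRole}` };
}

// Constructed users mirroring the thread: "N" turned out to be an admin,
// so a genuine non-admin without the role ("Q") is needed for a valid test.
const USERS = {
  P: { roles: ['u_hr_ssn_viewer'] },
  N: { roles: ['admin'] },
  M: { roles: ['u_hr_manager'] }, // inherits the viewer role via containment
  Q: { roles: ['itil'] },
};

// Evaluate the SSN field ACL for every test user and return the verdicts.
function auditSsnAccess(requiredRole = 'u_hr_ssn_viewer') {
  const verdicts = {};
  for (const [name, user] of Object.entries(USERS)) verdicts[name] = aclPasses(user, requiredRole);
  return verdicts;
}

if (typeof require !== 'undefined' && require.main === module) console.table(auditSsnAccess());
```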

3 REPLIES 3

Chaitanya ILCR
Kilo Patron

Hi @Kelly Logan ,

It should work.

Is u_ssn_wd_correction the backend name of the Social Security Number field, or is it a different field? I'm asking because I see u_ssn_wd_correction in the ACL.

Please mark my answer as helpful/correct if it resolves your query.

Regards,
Chaitanya

Yes, good catch, but that is the field name:

[screenshot: KellyLogan_0-1753202162890.png]
