07-22-2025 08:28 AM
We are running Yokohama and have a custom form called HRIS Request. On that form is a Social Security Number field that we would like only certain HR users to be able to see. To that end, we created a Deny Unless ACL tied directly to that field (see screenshot), with a role condition.
But in practice, the ACL is passing everyone, whether or not they have this role. Is there something different about a custom role? It is defined in global scope, though the form is in HRIS Request scope.
When I use the Access Analyzer, it confirms that both users with (P) and without (N) the role are being passed by the rule (see screenshot below) - why?
The rule itself is provided by a group, but not by other roles. When I check N's user account, they do not have the role, either directly or inherited.
So why is the Deny Unless not denying?
07-22-2025 10:11 AM
Two things - First the test was incorrect because apparently N is an admin.
Second, I created a new role with the same scope as the custom form "HRIS Request" and tested with a non-admin user that didn't have the role, and now it is working as expected.
07-22-2025 08:53 AM
Hi @Kelly Logan ,
It should work.
Is u_ssn_wd_correction the backend name of the Social Security Number field, or is it a different field? I'm asking this because I see u_ssn_wd_correction in the ACL.
Please mark my answer as helpful/correct if it resolves your query.
Regards,
Chaitanya
07-22-2025 09:54 AM
Yes, good catch, but that is the field name: