
Deny Unless allowing access - why?

Kelly Logan
Kilo Sage

We are running Yokohama and have a custom form called HRIS Request. On that form is a Social Security Number field that we would like only certain HR users to be able to see.  To that end, we created a Deny Unless ACL tied directly to that field (see screenshot), with a role condition. 

KellyLogan_0-1753197325332.png

But in practice, the ACL is passing everyone, whether or not they have this role. Is there something different about a custom role? It is defined in global scope, though the form is in HRIS Request scope. 

When I use the Access Analyzer, it confirms that both users with (P) and without (N) the role are being passed by the rule (see screenshot below) - why? 

 

KellyLogan_1-1753198055057.png

 


The rule itself is provided by a group, but not by other roles. When I check 'N's user account, they do not have the role, either directly or inherited.
So why is the Deny Unless not denying? 

1 ACCEPTED SOLUTION

Kelly Logan
Kilo Sage

Two things - First the test was incorrect because apparently N is an admin. 

Second, I created a new role with the same scope as the custom form "HRIS Request" and tested with a non-admin user that didn't have the role and now it is working as expected.


3 REPLIES

Chaitanya ILCR
Giga Patron

Hi @Kelly Logan ,

 

It should work.

Is u_ssn_wd_correction the backend name of the Social Security Number field?

Or is it a different field? I'm asking this because I see u_ssn_wd_correction in the ACL.

 

 

Please mark my answer as helpful/correct if it resolves your query.

Regards,
Chaitanya

Yes, good catch, but that is the field name:

KellyLogan_0-1753202162890.png

 
