Enable non-itil user edit field in sys_user

William Busby
Tera Guru

I need to enable edit to two specific fields in sys_user to Joe User who is not an itil user. I've taken the following actions:

- Disabled the ACL for sys_user write operation

- Validated ACL for sys_user* write operation is enabled

- Added an ACL for sys_user.field1 read operation with role 'public'

- Added an ACL for sys_user.field1 write operation with role 'public'

All to no avail. Additional info, the write is being done with GlideRecord call from client script. Not ideal but mimics prior behavior where code was doing the same update to another table (fields are being moved to sys_user). Any ideas?


Jaspal Singh
Mega Patron

Hi Bill,



Try disabling write ACL for sys_user* operation.


Chuck Tomasi
Tera Patron

Hi Bill,



Don't confuse public with no role. The public role is used for unauthenticated users!



Use the security debugging (System Security > Debugging > Debug Security Rules) to determine where access is being granted and denied.


Michael Ritchie
ServiceNow Employee

Bill, out of the box, the logged-in user can modify his/her own user profile. Here is the condition you will see on the write ACL:


if (gs.getUserID() == current.sys_id || gs.getUser().hasRoles()) answer = true; else answer = false;



Then there are ACLs set up for most of the fields requiring the admin, itil, or user_admin role to modify them. So if you leave the out of the box ACLs as they are and add the new fields, the user should be able to modify these fields in their own profile.


carlosj
ServiceNow Employee

Don't use public. It's better to create an ACL with no roles which will achieve the desired effect of allowing all internal authenticated users access while not allowing unauthenticated users access.
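The following is an added example, not part of any reply above and not ServiceNow code: a simplified JavaScript model of the checks the replies describe (the quoted table-level write condition, role-gated field ACLs, and 'public' versus an empty role list). The object shapes, `locked_field`, and the assumption that both the table rule and the field rule must pass are constructed for illustration; wildcard rules such as sys_user.* are not modelled.

```javascript
// Simplified model of the checks discussed in this thread. This is NOT
// ServiceNow code; the user/record/ACL shapes are constructed for illustration.

// Table-level write rule, mirroring the script Michael Ritchie quotes:
// the user owns the record, or the user has at least one role.
function tableWritePasses(user, record) {
  return user.id === record.sys_id || user.roles.length > 0;
}

// Role requirement of one field ACL, as described in the replies:
//  - 'public' lets everyone through, including unauthenticated sessions
//  - an empty role list lets any authenticated user through
//  - otherwise the user needs one of the listed roles
function fieldRolePasses(user, acl) {
  if (acl.roles.includes('public')) return true;
  if (acl.roles.length === 0) return user.authenticated;
  return acl.roles.some((role) => user.roles.includes(role));
}

// Assumption: a write needs the table rule AND the field rule to pass.
// Fields with no ACL in the list are denied; wildcard rules are not modelled.
function canWrite(user, record, field, fieldAcls) {
  const acl = fieldAcls.find((a) => a.field === field);
  if (!acl) return false;
  return tableWritePasses(user, record) && fieldRolePasses(user, acl);
}

// Constructed sample data: a role-less user, an itil user, a guest session.
const joe = { id: 'joe', roles: [], authenticated: true };
const agent = { id: 'agent', roles: ['itil'], authenticated: true };
const guest = { id: 'guest', roles: [], authenticated: false };
const joeRecord = { sys_id: 'joe' };
const agentRecord = { sys_id: 'agent' };
const acls = [
  { field: 'field1', roles: [] }, // the no-role ACL carlosj suggests
  { field: 'locked_field', roles: ['admin', 'itil', 'user_admin'] },
];

console.log('joe, own field1:      ', canWrite(joe, joeRecord, 'field1', acls));
console.log('joe, agent field1:    ', canWrite(joe, agentRecord, 'field1', acls));
console.log('joe, own locked_field:', canWrite(joe, joeRecord, 'locked_field', acls));
console.log('agent, joe locked:    ', canWrite(agent, joeRecord, 'locked_field', acls));
console.log('guest vs public ACL:  ', fieldRolePasses(guest, { roles: ['public'] }));
console.log('guest vs no-role ACL: ', fieldRolePasses(guest, { roles: [] }));
```

In this model the role-less user can write `field1` only on his own record, and the only difference between a 'public' ACL and a no-role ACL is whether the unauthenticated session passes the role check.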