How to give read access for particular role to few columns - ACL

07-10-2024 05:33 AM
Hi Team,
I'm building integration between Grafana and ServiceNow, and following the documentation ServiceNow data source for Grafana.
I'm struggling with a task to create a read ACL for sys_db_object.name for a dedicated role, because when I do this the existing ACLs for sys_db_object.* will be overwritten, and users who pass the current conditions will lose read access. My idea is to add to the new read ACL the conditions of the existing ACLs: sys_db_object.*, *.name and *.*. But this may be a lot of ACLs to review, and maybe there is a better way to achieve this?
Could you please advise how to do this, so as to restrict access to a few columns in an existing table for a new role, but also not break access for existing users?
Thank you for your support
07-10-2024 06:19 AM
You can add the role on row level and create new ones for the fields. The '*' will give access to the current users, but you will also need to add them to the custom ACLs you are creating for the fields. Don't add the new role to the '*' because it will grant access to all (although that could be the easiest way to go).
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark

07-10-2024 06:36 AM
Hi @Mark Manders , thank you for your quick response.
I've created a read ACL for sys_db_object.-- None -- for the dedicated role, so this will be for row level, right?
But when I created a read ACL for sys_db_object.name for the dedicated role, it overwrote the existing ACLs which are for sys_db_object.*.
What exactly do you mean by "The '*' will give access to the current users, but you will also need to add them to the custom ACL's you are creating for the fields."? By "them", do you mean the conditions in the current ACLs (sys_db_object.*, *.name and *.*) to be added to the custom ACL for sys_db_object.name?
07-10-2024 06:41 AM
The '*' gives access to all fields, and creating ACLs on true field level will limit the access to that field:
sys_user.* for itil gives an itil user access to all fields on the user record.
sys_user.company for cmdb_read users (as an example) will give access to this field only for cmdb_read users (if they have table access as well). This ACL also limits the itil user from having access to the field, if not added as well, hence the 'overwrite' on the sys_user.* ACL.
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
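To make the 'overwrite' behaviour Mark describes concrete, here is a small Python model of field-level ACL matching. It is an added example, not ServiceNow code and not something posted in this thread. It assumes a simplified evaluation order of table.field, *.field, table.*, *.* (parent-table levels are not modelled), that only the most specific level holding any rule for the requested field is evaluated, that a reader passes a level by satisfying at least one rule at it, and that row-level (table.None) access is checked separately and ignored here. The role names and ACL sets are constructed for the illustration.

```python
"""Toy model of ServiceNow-style field-level ACL matching (added example).

Assumptions of this model, not platform documentation:
  * specificity levels are table.field, *.field, table.*, *.* (no parent tables);
  * the most specific level that holds at least one rule for the requested
    field is the only level evaluated, and rules at that level are OR-ed;
  * a rule passes when the reader holds one of its roles;
  * row-level (table.None) access is out of scope here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    table: str            # e.g. "sys_user", or "*" for any table
    column: str           # e.g. "company", or "*" for any field
    roles: frozenset      # roles that satisfy this rule


def evaluation_order(table: str, column: str):
    """Patterns from most to least specific (assumed order, see docstring)."""
    return [(table, column), ("*", column), (table, "*"), ("*", "*")]


def can_read(rules, reader_roles, table, column):
    """Return (allowed, pattern_that_decided).

    Only the first level containing any rule is evaluated, which is why a new
    table.field rule 'overwrites' the broader table.* rule for every reader,
    not just the role the new rule was written for.
    """
    reader_roles = frozenset(reader_roles)
    for pattern in evaluation_order(table, column):
        level = [r for r in rules if (r.table, r.column) == pattern]
        if level:
            return any(r.roles & reader_roles for r in level), pattern
    return False, None  # no rule at any level: denied in this model (assumption)


# Constructed baseline: itil reads every sys_user field via sys_user.*;
# *.* is the catch-all for admin.
BASELINE = [
    AclRule("sys_user", "*", frozenset({"itil"})),
    AclRule("*", "*", frozenset({"admin"})),
]

# Naive change from the thread: sys_user.company for cmdb_read only.
NAIVE = BASELINE + [AclRule("sys_user", "company", frozenset({"cmdb_read"}))]

# The fix Mark describes: the existing role is added to the new field rule.
FIXED = BASELINE + [AclRule("sys_user", "company", frozenset({"cmdb_read", "itil"}))]


def scenario():
    """Read outcomes per ACL set, keyed so they can be inspected or asserted."""
    return {
        "baseline_itil_company": can_read(BASELINE, {"itil"}, "sys_user", "company")[0],
        "naive_itil_company": can_read(NAIVE, {"itil"}, "sys_user", "company")[0],
        "naive_itil_email": can_read(NAIVE, {"itil"}, "sys_user", "email")[0],
        "naive_cmdb_company": can_read(NAIVE, {"cmdb_read"}, "sys_user", "company")[0],
        "fixed_itil_company": can_read(FIXED, {"itil"}, "sys_user", "company")[0],
        "fixed_cmdb_company": can_read(FIXED, {"cmdb_read"}, "sys_user", "company")[0],
        "fixed_cmdb_email": can_read(FIXED, {"cmdb_read"}, "sys_user", "email")[0],
    }


def lost_access(before, after, readers, table, columns):
    """Regression check: (role, column) pairs readable before the change but
    not after. Run this over the roles you care about before activating a
    new field-level ACL."""
    lost = []
    for role in readers:
        for col in columns:
            if can_read(before, {role}, table, col)[0] and not can_read(after, {role}, table, col)[0]:
                lost.append((role, col))
    return lost


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:24s} {value}")
    print("naive regressions:", lost_access(BASELINE, NAIVE, ["itil"], "sys_user", ["company", "email"]))
    print("fixed regressions:", lost_access(BASELINE, FIXED, ["itil"], "sys_user", ["company", "email"]))
```

Running it shows the naive set silently drops itil's read on sys_user.company while leaving sys_user.email untouched, and the fixed set restores it; `lost_access` is the kind of pre-deployment check worth running against the real ACL list for every existing role, since the platform will not warn that a more specific rule has shadowed a broader one.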

07-10-2024 06:49 AM
So following your example, if we want to give users with cmdb_read access only to sys_user.company, but also keep itil users still having access to this column, then we will need to add the itil role to the sys_user.company ACL together with cmdb_read, right?