How to make only one field editable on a record; the rest should be read-only
08-21-2023 07:09 PM - edited 08-21-2023 07:45 PM
Hi All,
Please help me with the issue below. Why is my Write ACL not working? The two fields are always still read-only, just like before.
Current setup:
In CSM, we created a custom table, "Invoice Compliances", which is extended from the Case table. We have 45+ fields in total (some custom fields and some Case table fields). Full access: Invoice Compliances table records/fields can be updated only by "admins" and "invoice_compliances_user".
ACL: Write
Table: Invoice Compliances.*
Roles: "admins", "invoice_compliances_user", Condition: State|not|cancelled/Closed.
On request, for the Finance group we created a new role, "finance_invoice_compliance_user", and gave it read access on the list of records for reporting and some other purposes.
ACL: Read
Table: Invoice Compliances.*
Roles: "finance_invoice_compliance_user", Condition: State|not|cancelled.
Up to this point everything is fine.
Issue:
Now users with the finance_invoice_compliance_user role want to update two fields themselves in the 'Invoice Compliances' table record, so we created a Write ACL, but it is not working; those two fields always show as read-only, like the other fields.
ACL: Write
Table: Invoice Compliances.Trans ID
Roles: finance_invoice_compliance_user, Condition: State|not|cancelled/Closed.
Script:
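// Grant access only if the current user is a member of an active group
// whose name starts with "Finance_Invoice_Compliance".
var gr = new GlideRecord('sys_user_grmember');
// Encoded-query operators follow the field name directly (no dot before STARTSWITH).
gr.addEncodedQuery('group.nameSTARTSWITHFinance_Invoice_Compliance^group.active=true');
gr.addQuery('user', gs.getUserID());
gr.query();
if (gr.next()) {
    answer = true;
} else {
    answer = false;
}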
Kindly help me understand why my Write ACL is not working; the two fields are always still read-only, just like before.
08-22-2023 03:54 PM - edited 08-22-2023 03:56 PM
Yes, 100%, the user has the "finance_invoice_compliance_user" role. I tested with different users who have the "finance_invoice_compliance_user" role, but got the same result, as below.
I started debugging.
Results:
In the sys_security_acl_role table, there is an error like the one below when I hover the mouse over the Role field and the ACL field:
record/sys_security_acl_role.sys_user_role/read=true(0:00:00:001)
record/sys_security_acl_role.sys_user_role/write=false((0:00:00:000);
I opened one Invoice Compliances table record; the debugging details for the 'Trans ID' field are as below.
All READ ACLs are executed and true...
but for one WRITE ACL, the result is as below:
oooo record/Invoice Compliances table.Trans ID/write App:App:Customer
Roles ( Roles=finance_invoice_compliance_user)(Result=Not Evaluated)
I opened that Write ACL. It is very simple; it is the one we created yesterday.
ACL: Write
Table: Invoice Compliances.Trans ID
Roles: finance_invoice_compliance_user
Condition: Empty
Advanced: empty
08-22-2023 03:59 PM - edited 08-22-2023 03:59 PM
I'm not asking IF they have the Role, I'm asking how users are given the "finance_invoice_compliance_user" Role? I'm trying to understand why you are checking for a Role AND a Group. Typically you would add the Role to the Group so users get the Role from being a member of a Group.
08-22-2023 04:07 PM - edited 08-22-2023 04:09 PM
1. We gave the Role to the Group.
2. This time I'm not checking with both "Role AND a Group";
I'm just checking with either the Role or the Group.
In the ACL, the 1st time I gave only the role, no script: no luck, same kind of result.
In the ACL, the 2nd time I gave no role and checked the group in the script: no luck, same kind of result.
08-22-2023 04:15 PM
You need to simplify things: Roles should be used in ACLs when determining if access should be given and NOT Groups. The Groups contain the Role, so they are important, but Group Membership should NOT be a factor in the ACL.
And don't forget, in order for the ACL to return "true", the "Requires role", "Condition" and "Script" must ALL return true and not simply one of them.
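The rule stated in the reply above (role, condition and script must all pass), shown as an added example that is not part of the thread and is not ServiceNow platform code. It is a plain JavaScript model applied to a constructed copy of the Trans ID write ACL from the question; the user objects, the group name and the record states are constructed for illustration.

```javascript
// Simplified model of a single ACL rule (not the platform's implementation).
// Access is granted only when the role, condition and script checks ALL pass.
function evaluateAcl(acl, user, record) {
  const checks = {
    // An empty role list places no role requirement on the user.
    role: acl.roles.length === 0 || acl.roles.some(r => user.roles.includes(r)),
    condition: acl.condition ? acl.condition(record) === true : true,
    script: acl.script ? acl.script(user, record) === true : true,
  };
  const failed = Object.keys(checks).filter(name => !checks[name]);
  return { granted: failed.length === 0, failed };
}

// Constructed copy of the write ACL on "Trans ID" from the question.
const transIdWrite = {
  roles: ['finance_invoice_compliance_user'],
  condition: rec => !['cancelled', 'closed'].includes(rec.state),
  // Stand-in for the GlideRecord lookup on sys_user_grmember.
  script: user => user.groups.some(
    g => g.active && g.name.startsWith('Finance_Invoice_Compliance')),
};

// Same ACL with the group check removed, as the reply recommends.
const roleOnlyWrite = { ...transIdWrite, script: null };

// Constructed users: one gets the role through the group, one holds
// the role without being a member of a matching active group.
const viaGroup = {
  roles: ['finance_invoice_compliance_user'],
  groups: [{ name: 'Finance_Invoice_Compliance_EU', active: true }],
};
const roleOnly = { roles: ['finance_invoice_compliance_user'], groups: [] };

const openRec = { state: 'open' };
const closedRec = { state: 'closed' };

console.log(evaluateAcl(transIdWrite, viaGroup, openRec));
console.log(evaluateAcl(transIdWrite, roleOnly, openRec));
console.log(evaluateAcl(transIdWrite, viaGroup, closedRec));
console.log(evaluateAcl(roleOnlyWrite, roleOnly, openRec));
```

The `failed` list names which of the three checks blocked access, which is the same question the ACL debug output answers per rule.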
08-22-2023 04:22 PM
Agreed with your point.
As you stated, in my currently running ACL I'm just using:
Role: using
Condition: state|not closed: using
Advanced script: not using
But the same kind of output is coming.