We're reclaiming inactive PDIs to keep them available for active builders. Learn what's changing, who's affected, and how to protect your work. Read More

ITSM related

RupaleeC
Tera Contributor

I'm working on a requirement where we need to ensure that once a record is moved to an 'Archived' state, it becomes read-only for everyone except the Admin. Should I lean toward a single Data Policy for UI-level control, or stick to a robust ACL (Access Control List)?

1 ACCEPTED SOLUTION

Not applicable

@RupaleeC 

 

🔑 Data Policy vs. ACL

Data Policy

  • Enforces rules at the UI level (forms, lists, Service Portal).
  • Can make fields read‑only or mandatory, but it’s primarily client‑side control.
  • Limitation: If someone uses APIs, integrations, or background scripts, a Data Policy won’t stop them from updating the record.
  • Good for user experience enforcement, but not for true security.

ACL (Access Control List)

  • Enforces rules at the server level.
  • Controls who can read, write, or create records/fields regardless of how they access the data (UI, API, import, integration).
  • Robust and secure — ensures that only Admins can update archived records.
  • Best practice for security and compliance requirements.

⚙️ Best Practice Recommendation

  • Use ACLs to enforce the read‑only rule for archived records.
    • Example: Create an ACL condition that checks if state == archived. If true, deny write access unless the user has the admin role.
  • Optionally, add a Data Policy or UI Policy for user experience — so users see the fields as read‑only in the form.
    • This avoids confusion and makes the restriction visible in the UI.

View solution in original post

1 REPLY 1

Not applicable

@RupaleeC 

 

🔑 Data Policy vs. ACL

Data Policy

  • Enforces rules at the UI level (forms, lists, Service Portal).
  • Can make fields read‑only or mandatory, but it’s primarily client‑side control.
  • Limitation: If someone uses APIs, integrations, or background scripts, a Data Policy won’t stop them from updating the record.
  • Good for user experience enforcement, but not for true security.

ACL (Access Control List)

  • Enforces rules at the server level.
  • Controls who can read, write, or create records/fields regardless of how they access the data (UI, API, import, integration).
  • Robust and secure — ensures that only Admins can update archived records.
  • Best practice for security and compliance requirements.

⚙️ Best Practice Recommendation

  • Use ACLs to enforce the read‑only rule for archived records.
    • Example: Create an ACL condition that checks if state == archived. If true, deny write access unless the user has the admin role.
  • Optionally, add a Data Policy or UI Policy for user experience — so users see the fields as read‑only in the form.
    • This avoids confusion and makes the restriction visible in the UI.