05-27-2015 03:15 PM
We are trying to change the permissions for the knowledge base so that ITIL users can Create and Edit draft KBs only. We are using the following 2 rules to do this:
1. Restrict write (this should grant the 3 roles listed access to write everything and prevent ITIL from doing the same)
Type: record
Operation: write
Name: kb_knowledge.*
Requires Roles: itil_admin, knowledge_manager, knowledge_admin
Condition: NONE
2. Allow ITIL users to edit Draft KBs
Type: record
Operation: write
Name: kb_knowledge.*
Requires Roles: itil
Condition: Workflow is Draft
The problem I am having is if the user has a role from each rule. I want a user with both the knowledge_admin and itil roles to be able to edit a KB in all workflow states, but it is not working. Users with knowledge_admin and itil are getting treated like an itil user in that they are not able to edit non-draft KBs.
Also, is there a way to make the Workflow field read-only for ITIL while using the above rules? I would rather not create a version of rule #2 for each field on the form except workflow.
Thanks!
05-27-2015 07:34 PM
What is the write ACL you have on the kb_knowledge table?
Please post screen captures of it as well.
Also, open 'Debug Security', impersonate the user in question, and post screen captures to troubleshoot.
05-27-2015 10:30 PM
You need to put some script in the 2nd ACL ... I would suggest including all those roles in the 1st ACL and marking the 2nd ACL as inactive.
The following type of code may help you with your first ACL.
Script:
answer = true;
if (gs.hasRoles('ITIL') && (workflow_state != 'Draft' || !gs.hasRoles('kb_admin'))) {
    answer = false;
}
05-28-2015 06:59 AM
Gupreet,
I used a script in a single rule but it is not behaving as expected.
The rule above is evaluating to false when it looks like it should be true. See below, I am aliased as a User with the 'itil' role.
Here is the evaluation of my rule. It looks like the above script is evaluating to false even though the state is draft and the user has an 'itil' role.
The script is evaluating correctly for users with the 'knowledge_admin' role.
Any ideas?
EDIT: I figured it out.
In order to reference a field on the object that the ACL applies to, you need current.[fieldname], so current.workflow_state == 'draft'. This is now working for me.
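The fix described in the post above, modelled as an added example that is not part of the original thread: a single write-ACL script for kb_knowledge.* that checks the full-write roles first and reads the state through `current`, run over a constructed user/state matrix. `makeGs`, `canWrite`, `canWriteBareField`, `matrix` and the sample users are hypothetical names; the `gs` stub only imitates `gs.hasRole()` and gives the platform's admin role no special treatment.

```javascript
// Stand-in for ServiceNow's `gs` object (assumption: only hasRole() is modelled).
function makeGs(roles) {
  return { hasRole: (r) => roles.includes(r) };
}

// Roles from rule 1 in the question: write access in every workflow state.
const FULL_WRITE_ROLES = ['itil_admin', 'knowledge_manager', 'knowledge_admin'];

// Body of one write ACL script on kb_knowledge.*; the return value plays `answer`.
function canWrite(gs, current) {
  let answer = false;
  if (FULL_WRITE_ROLES.some((r) => gs.hasRole(r))) {
    // Checked first, so also holding itil does not narrow a manager's access.
    answer = true;
  } else if (gs.hasRole('itil') && current.workflow_state == 'draft') {
    // The record's field is read through `current`, as in the fix.
    answer = true;
  }
  return answer;
}

// Pre-fix form: a bare `workflow_state` is not a variable in the script's scope.
// In Node this throws ReferenceError; treating that as a denied write is an
// assumption of this model, matching the "false" seen in the thread.
function canWriteBareField(gs, current) {
  try {
    return gs.hasRole('itil') && workflow_state == 'draft';
  } catch (e) {
    return false;
  }
}

// Constructed sample users and states, evaluated against the corrected script.
function matrix() {
  const users = {
    itil_only: ['itil'],
    admin_and_itil: ['knowledge_admin', 'itil'],
    no_roles: [],
  };
  const out = {};
  for (const [name, roles] of Object.entries(users)) {
    for (const state of ['draft', 'published']) {
      out[`${name}/${state}`] = canWrite(makeGs(roles), { workflow_state: state });
    }
  }
  return out;
}

console.log(matrix());
```

Checking the whole matrix, rather than one impersonated user, is what catches the case from the question where a user holding both knowledge_admin and itil is treated as itil only.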
05-28-2015 07:26 AM
Do you have a suggestion on how to keep ITIL users from changing the workflow_state?