OOB ACL and Custom ACL Interaction

zzsrvnow
Giga Contributor

Hello People. 🙂

A specific group of users (data_integrity) has requested permission to edit the Phone field on the Location form. However, Location is not editable for these users because of the ACL that allows only users with the security_admin role to edit Location. We cannot give the security_admin role to the data_integrity group users. I created a custom ACL for the data_integrity group to edit the Phone field, but it's not working. I think the OOB ACL is taking over. Please, any bright ideas or suggestions on how to achieve the goal?

Thank you in advance.

Images (attached in the original post, not reproduced here):

1. Custom cmn_location.phone ACL  2. OOB cmn_location ACL  3. Phone field to edit.

 

1 ACCEPTED SOLUTION

"The custom list edit ACL is evaluated successfully - all 3 circles are green (image below); however, the error message is still on. This is the strangest thing. The debug log says it can write, but it doesn't."

To be able to edit the list you need to pass three rules:
- table
- field
- edit list

It's fine that you pass the edit list rule, but "it doesn't matter" because you fail the write rule, which you can see in your previous image.

"The Location belongs to the Company. The Company page is not editable either. Is it possible that the Company-level permissions flow to the Location and do not allow editing the Phone field on the Location?"

Rules are always looked up, all the way up to the global table. That is why it's tricky: if you deactivate one, a rule from another table that you extend will be applied.

I think the easiest way to try it out is to add table, field and edit list rules with the data_integrity role. That should override the other rules and you should be able to edit the field.

Have a look in the docs for more details: ACL Rules and ACL Types.


Regards

Greg

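The three-rule check Greg describes, and the "lookup continues up to the global table" behaviour, can be seen in a small simulation. The script below is an added example written for this thread; it is not ServiceNow code and not the platform's real ACL engine. Its assumptions are labelled in the comments: rule naming ("cmn_location" for the record-level rule, "cmn_location.phone" for the field, "*" and "*.*" as global wildcards), the lookup order (most specific first, stopping at the first level with an active rule, where any passing rule at that level is enough), a constructed global "*" write rule requiring admin, a "no rule at all means allowed" default, and the least-privilege variant with a "cmn_location.*" rule, which is not something the thread proposes.

```javascript
// Simplified model of a ServiceNow-style ACL lookup (added example, not the
// platform engine). Assumptions: rule names are "table" (record level),
// "table.field" (field level) or the wildcards "table.*", "*" and "*.*";
// lookup runs from most specific to least and stops at the first level that
// has an active rule; at that level the user passes if ANY rule passes;
// no matching rule at all means the operation is allowed.

// Constructed rules standing in for the ones named in the thread.
const OOB_RULES = [
  // Global fallback; constructed here so that deactivating the table rule
  // demonstrably falls through to a stricter rule instead of opening access.
  { op: 'write', name: '*', roles: ['admin'], active: true },
  // The OOB record-level rule from the thread: only security_admin may write.
  { op: 'write', name: 'cmn_location', roles: ['security_admin'], active: true },
];

// Hypothetical table hierarchy; cmn_location has no parent in this model.
const PARENT_TABLE = {};

// Names to search, most specific first, ending at the global wildcard.
function lookupChain(table, field) {
  const chain = [];
  for (let t = table; t; t = PARENT_TABLE[t] || null) {
    if (field) chain.push(`${t}.${field}`, `${t}.*`);
    else chain.push(t);
  }
  chain.push(field ? '*.*' : '*');
  return chain;
}

function passesRule(user, rule) {
  return rule.roles.length === 0 || rule.roles.some(r => user.roles.includes(r));
}

// Evaluate one operation; returns the outcome and which level decided it.
function evaluate(rules, user, op, table, field) {
  for (const name of lookupChain(table, field)) {
    const atLevel = rules.filter(r => r.active && r.op === op && r.name === name);
    if (atLevel.length === 0) continue;
    return { allowed: atLevel.some(r => passesRule(user, r)), matchedBy: name };
  }
  return { allowed: true, matchedBy: null }; // assumption: no rule => allowed
}

// Greg's three rules for list editing: record write, field write, list_edit.
function canListEdit(rules, user, table, field) {
  const checks = {
    table: evaluate(rules, user, 'write', table, null),
    field: evaluate(rules, user, 'write', table, field),
    list_edit: evaluate(rules, user, 'list_edit', table, field),
  };
  return { allowed: Object.values(checks).every(c => c.allowed), checks };
}

const dataIntegrityUser = { name: 'di.user', roles: ['data_integrity'] }; // constructed

// 1) Original attempt: only a custom list_edit rule on the Phone field.
const ATTEMPT_LIST_EDIT_ONLY = [
  ...OOB_RULES,
  { op: 'list_edit', name: 'cmn_location.phone', roles: ['data_integrity'], active: true },
];

// 2) Deactivating the OOB record rule: lookup falls through to "*".
const ATTEMPT_DEACTIVATED = ATTEMPT_LIST_EDIT_ONLY.map(r =>
  r.op === 'write' && r.name === 'cmn_location' ? { ...r, active: false } : r);

// 3) Greg's suggestion: table, field and list_edit rules for data_integrity.
const FIXED = [
  ...ATTEMPT_LIST_EDIT_ONLY,
  { op: 'write', name: 'cmn_location', roles: ['data_integrity'], active: true },
  { op: 'write', name: 'cmn_location.phone', roles: ['data_integrity'], active: true },
];

// 4) Least-privilege variant (assumption, not from the thread): the new
// record-level rule also lets data_integrity pass record write for other
// fields, so a field wildcard rule keeps every field except Phone closed.
const FIXED_SCOPED = [
  ...FIXED,
  { op: 'write', name: 'cmn_location.*', roles: ['security_admin'], active: true },
];

function describe(label, rules, field) {
  const r = canListEdit(rules, dataIntegrityUser, 'cmn_location', field);
  const parts = Object.entries(r.checks)
    .map(([k, v]) => `${k}=${v.allowed ? 'pass' : 'FAIL'}(${v.matchedBy || 'no rule'})`);
  console.log(`${label}: ${r.allowed ? 'editable' : 'blocked'} ${parts.join(' ')}`);
}

describe('list_edit only   ', ATTEMPT_LIST_EDIT_ONLY, 'phone');
describe('OOB rule disabled', ATTEMPT_DEACTIVATED, 'phone');
describe('trinity added    ', FIXED, 'phone');
describe('scoped, phone    ', FIXED_SCOPED, 'phone');
describe('scoped, name     ', FIXED_SCOPED, 'name');
```

Run with `node`. The first line reproduces the symptom from the thread: the list_edit check passes while the record-level write check fails on the "cmn_location" rule. The second line shows why deactivating that rule did not help in this model: the lookup simply lands on the global "*" rule instead. Only the third scenario, with all three rules carrying data_integrity, becomes editable; the fourth adds the constructed "cmn_location.*" rule so the new record-level permission does not silently open every other Location field.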

zzsrvnow
Giga Contributor

Yes, I'm also trying to figure out where the error message "Security prevents writing to this field" is coming from...

The custom list edit ACL is evaluated successfully - all 3 circles are green (image below); however, the error message is still on. This is the strangest thing. The debug log says it can write, but it doesn't.

Temporarily, I deactivated the table-level OOB cmn_location ACL I mentioned in my initial post, which locks write operations except for the security_admin and admin roles. That didn't work; the error message is still on.

 

Now I'm thinking...

The Location belongs to the Company. The Company page is not editable either. Is it possible that the Company-level permissions flow to the Location and do not allow editing the Phone field on the Location?

 


zzsrvnow
Giga Contributor

Thank you, Greg, as well as tnargay.

Your "It's fine that you pass the edit list rule, but "it doesn't matter" because you fail the write rule, which you can see in your previous image."...

This is what I was missing. Now I got it working. Thank you.

In addition, for anyone like me :)))) who is looking for ACL answers, here is the link: https://developer.servicenow.com/app.do#!/lp/servicenow_application_developer/app_store_learnv2_securingapps_jakarta_to_or_not_to?v=Jakarta

Go read it; it will give you a clear understanding of ACL rules...

Also, I'd like to say thank you to everyone in the thread for the attention to my question and the suggestions. Thank you, guys. 🙂

 

No worries. I remember when I got stuck on this. I remember having a call with SNow when it was explained to me like that. Since then I remember the "trinity access" whenever I have issues with lists. I don't think it's documented even now - or it is buried somewhere "there".

Anyway, glad we could help.


Regards

Greg