OOB ACL and Custom ACL Iteraction

zzsrvnow · ‎07-27-2018

Hello People. 🙂

Specific group (data_integrity) of users request permissions to edit Phone field on the Location form. However, the Location is not editable for users due to the ACL which allows to edit Location only users with the security_admin role. We cannot give security_admin role to the data_integrity group users. I created custom ACL for the data_integrity group to edit the Phone field. But its not working. I think OOB ACL is taking over. Please, any bright ideas, suggestions how to achieve the goal.

Thank you in advance.

Images:

1. Custom cmn_locatio.phone 2. OOB cmn_location 3. Phone field to edit.

Greg42 · ‎07-29-2018

"The custom list edit ACL is evaluated successfully - all 3 circles are green (image below), however, the error message is still on. This is most strange things. The debug log says can write, but its not."

To be able to edit the list you need to pass three rules:
- table
- field
- edit list

It's fine that you pass the edit list but "it doesn't matter" as you fail the write rule which you can see on your previous image.

"The Location belongs to the Company. The Company page not editable too. Is it possible the Company level permissions flow to the Location and do not allow edit Phone field on the Location?"

Rules are always looked up, up to the global table. That is why it's tricky because if you deactivate one, a rule from other tables that you extend will be applied.

I think the easiest way you can try it out is to add a table, field and edit list rules with the data_integrity role. That should overwrite other rules and you should be able to edit the field.

Have a look in the docs for more details: ACL Rules and ACL Types.

Regards

Greg

View solution in original post

puneetgoels1 · ‎07-27-2018

Please use the debug ACL to verify if your ACL is correct. By default if any of the ACLs return true it should be true and does not matter if oob has returned false

below video will be helpful in understanding how to debug ACLs

https://youtu.be/W0PMNRIU628

Prateek kumar · ‎07-27-2018

I think you trying to edit from the list view. If this the case, aren't you supposed to see the list_edit ACL for that field.?

Please mark my response as correct and helpful if it helped solved your question.
-Thanks

zzsrvnow · ‎07-28-2018

Thank you so much for your help with video and response. ACL Debug log didn't show useful info... I think. First, for phone field it display OOB cmn_location/write with no permissions edit phone field, after that, my custom ACL cmn_location.phone all gryed out. It says the custom ACL even is not evaluated.

If I click on field Watch icon it shows for these ACLs accordingly true and false. This is my first ACL, the debug info doesn't say much to me. If you understand what is behind the Debug info, could you please share your thought with me.

Also, if you do not mind, why it shows "Result Cache True" OR just "Result True"? Really appreciate your help. Thank you.

zzsrvnow · ‎07-28-2018

Thank very much for the direction. That's a great idea! I have created cmn_location.phone ACL to edit phone from the list. However, the result is the same. It keeps saying "Security prevents writing to this field" Even ACL debug log shows 3 green evaluations. As it was said in the video above offered kindly to me, I'm assuming, the green evaluations (circles) are the Role, Condition, and Script. I do not know about 4th grayed out evaluation(circle). Any idea, what is keeping out the access to the Phone field, please?