OOB ACL and Custom ACL Interaction

zzsrvnow
Giga Contributor

Hello People. 🙂

A specific group (data_integrity) of users requests permission to edit the Phone field on the Location form. However, the Location is not editable for users due to the ACL, which allows only users with the security_admin role to edit Location. We cannot give the security_admin role to the data_integrity group users. I created a custom ACL for the data_integrity group to edit the Phone field. But it's not working. I think the OOB ACL is taking over. Please, any bright ideas or suggestions on how to achieve the goal?

Thank you in advance.

Images:

1. Custom cmn_location.phone  2. OOB cmn_location  3. Phone field to edit.


 

1 ACCEPTED SOLUTION

"The custom list edit ACL is evaluated successfully - all 3 circles are green (image below), however, the error message is still on. This is the strangest thing. The debug log says can write, but it's not."

To be able to edit the list you need to pass three rules:
- table
- field
- edit list

It's fine that you pass the edit list but "it doesn't matter" as you fail the write rule which you can see on your previous image.

"The Location belongs to the Company. The Company page is not editable either. Is it possible that the Company level permissions flow to the Location and do not allow editing the Phone field on the Location?"

Rules are always looked up, up to the global table. That is why it's tricky because if you deactivate one, a rule from other tables that you extend will be applied.

I think the easiest way you can try it out is to add table, field and edit list rules with the data_integrity role. That should overwrite other rules and you should be able to edit the field.

Have a look in the docs for more details: ACL Rules and ACL Types.


Regards

Greg


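The three checks described in the accepted solution, as a simplified model added here (not code from the original post or from ServiceNow). Assumptions: only role requirements are evaluated (conditions, scripts and table inheritance are left out), a missing rule means deny, and the rule sets are constructed from the names mentioned in the thread.

```javascript
// Constructed sample rules. The OOB table rule and the custom list_edit rule
// mirror the situation in the question; everything else is hypothetical.
const before = [
  { name: "cmn_location", op: "write", roles: ["security_admin"] },
  { name: "cmn_location.phone", op: "list_edit", roles: ["data_integrity"] },
];
// The accepted solution's suggestion: add table and field write rules too.
const after = [
  ...before,
  { name: "cmn_location", op: "write", roles: ["data_integrity"] },
  { name: "cmn_location.phone", op: "write", roles: ["data_integrity"] },
];

// Rule names to try, most specific first, ending at the global wildcard.
function candidates(table, field) {
  return field
    ? [`${table}.${field}`, `*.${field}`, `${table}.*`, "*.*"]
    : [table, "*"];
}

// The most specific name that has rules decides the outcome; among rules
// sharing that name and operation, one passing rule is enough.
function passes(rules, userRoles, table, field, op) {
  for (const name of candidates(table, field)) {
    const matching = rules.filter((r) => r.name === name && r.op === op);
    if (matching.length === 0) continue;
    return matching.some(
      (r) => r.roles.length === 0 || r.roles.some((x) => userRoles.includes(x))
    );
  }
  return false; // assumption of this model: no matching rule means deny
}

// Returns null when list editing is allowed, else the first failed check.
function listEditBlocker(rules, userRoles, table, field) {
  const checks = [
    ["table write", null, "write"],
    ["field write", field, "write"],
    ["field list_edit", field, "list_edit"],
  ];
  for (const [label, f, op] of checks) {
    if (!passes(rules, userRoles, table, f, op)) return label;
  }
  return null;
}

console.log(listEditBlocker(before, ["data_integrity"], "cmn_location", "phone"));
console.log(listEditBlocker(after, ["data_integrity"], "cmn_location", "phone"));
```

In this model other fields of cmn_location stay blocked only because a missing field rule denies. On a real instance, check which wildcard field rules apply before adding a table-level write rule for data_integrity.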
13 REPLIES

Please check the ACL for list edit, if it has the role which the user also has.

Do you mean if I added to the created ACL cmn_location.phone/list_edit the role the user has? If so, yes I did. The user has the role data_integrity and I added this role to the ACL as well. It makes me crazy :))) but doesn't work. 😞

 


One thing... I'm creating the ACL on the TOP domain, maybe ACLs should be created on the global domain? No?

Very sorry for being annoying. I see for list_edit that Role, Condition and Script are evaluated, but some option named IAccessHandler is not evaluated (it's on the image below). If you know, what is it? Where to look? Is it possible to somehow pass this guy's restrictions?

I would focus on the write error below on your image. To be able to pass the list edit you need to pass the list edit, write and table rule as well. Have a look if fixing the writing access will solve your problem.