Problems with ACL and UI policies
‎08-13-2012 12:02 PM
Hi everyone....how do UI policies and ACL's interact? Specific example...
I have created a confidential text box area that appears/disappears in real-time with a UI policy when a certain assignment group is entered. This is for our HR users that have sensitive information that needs to be included in the ticket and the group they are assigning to will be handling these tickets. This seems to be working good....at least for now.
After the ticket has been submitted....I need to place some security on that confidential text box. I figured a read ACL would be the best option. Only the person who opened the ticket (caller_id) or a person who is part of our HCM Support group should be allowed to see this information. This works good...for now.
Here's the problem I am having....the ACL and UI policy do not seem to be working together. When the ACL is on, the UI policy does not work. When I enter the group into the assignment group field, the box does not appear. If I turn the ACL off, it does...so I know the two must be conflicting.
Also, when a user submits a ticket, I have a client script that is checking the assignment group field....if it is a certain group, I have a true/false (checkbox) field called confidential that is being set to true upon submission. In my ACL I am referencing that field, so I only want the ACL security to apply when this box is checked. Here is the code for that:
if (current.u_private == true) {
    answer = gs.getUser().isMemberOf("HCM Support") || gs.getUserID() == current.caller_id;
}
Is it possible for UI policies and ACL's to work in conjunction in my case? Maybe someone can shed some light on this issue. Thanks!

‎08-16-2012 12:33 PM
I think the first thing that needs to be made clear is the distinction between UI Policies and ACL's. Whilst they may appear to be doing the same thing, they are actually very different.
UI Policies are generally used to change the visibility, the read state, and/or the mandatory state based on a field value in the browser. The main point is they are *client side* scripts.
ACL's are all about security and locking down records and fields. The main point is they are *server side* scripts.
The two never interact with one another. ACL's run on the server to determine what to send to your browser, and the UI Policies run on your browser to determine what to show you.
Normally, the first thing I would recommend you do in order to resolve your issue is turn off your UI policies and get the ACL rule to work on its own. This way, you can prove that the field is being sent to the client *ONLY* in the correct circumstances that are met by your rule. It will also make it easier to debug your rule because you aren't working against your UI Policies.
Once you have this nailed down, you can focus on the UI Policy to make it pretty for the end user.
Now I've explained all of that(!), I think you might find that the reason it isn't working is because you have not provided an answer for all scenarios in the ACL rule script. Because you have provided a script, the server will want to see a result of true in order for it to authenticate. In your script, if current.u_private is not true, then the script is returning nothing - aka false - hence no authentication and your form is not working.
You need to use:
if (current.u_private == true) {
    answer = gs.getUser().isMemberOf("HCM Support") || gs.getUserID() == current.caller_id;
} else {
    answer = true;
}
I would also reconsider the use of the private checkbox field. You could just as easily do a check on the field itself:
if (current.u_private_field != '') {...}
If it still isn't working, I can only recommend you follow the steps I gave and focus on getting the ACL rule working.
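The missing-else behaviour described in the reply above, as an added example that is not part of the original thread: a simplified JavaScript model (not ServiceNow's actual engine) that runs both versions of the ACL script with stand-ins for `current` and `gs`. The sample users, sys_ids and the `runAclScript`/`auditAcl` helpers are hypothetical, and the model assumes an unset `answer` denies the read, as the reply states.

```javascript
// Added example: simplified model of how a field read ACL script is evaluated.
// Assumption (from the reply above): `answer` starts unset; anything but true denies.
const ORIGINAL = `
if (current.u_private == true) {
    answer = gs.getUser().isMemberOf("HCM Support") || gs.getUserID() == current.caller_id;
}`;
const FIXED = ORIGINAL + ` else {
    answer = true;
}`;

// Constructed sample data; the sys_ids and user names are hypothetical.
const USERS = {
  caller: { sys_id: 'u_caller', groups: [] },
  hcm: { sys_id: 'u_hcm', groups: ['HCM Support'] },
  other: { sys_id: 'u_other', groups: [] },
};
const RECORDS = {
  draft: { u_private: false, caller_id: 'u_caller' }, // form before the checkbox is set
  confidential: { u_private: true, caller_id: 'u_caller' },
};

// Run the script body with stand-ins for `current` and `gs`; return the raw `answer`.
function runAclScript(body, current, user) {
  const gs = {
    getUserID: () => user.sys_id,
    getUser: () => ({ isMemberOf: (group) => user.groups.includes(group) }),
  };
  const fn = new Function('current', 'gs', 'var answer;\n' + body + '\nreturn answer;');
  return fn(current, gs);
}

// For every record/user pair, record whether the read was granted and
// whether the script left `answer` unset (a scenario it never handled).
function auditAcl(body) {
  const granted = [], unanswered = [];
  for (const [recName, rec] of Object.entries(RECORDS)) {
    for (const [userName, user] of Object.entries(USERS)) {
      const answer = runAclScript(body, rec, user);
      if (answer === undefined) unanswered.push(`${recName}/${userName}`);
      if (answer === true) granted.push(`${recName}/${userName}`);
    }
  }
  return { granted, unanswered };
}

console.log('original:', auditAcl(ORIGINAL));
console.log('fixed:   ', auditAcl(FIXED));
```

In the original script every `draft` pair is unanswered, so the field is never sent to the browser and the UI policy has nothing to show; the fixed script answers every pair and still denies `confidential/other`.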
‎08-17-2012 11:53 AM
Ahh what a simple change....I feel kinda dumb not accounting for when u_private was false...pretty obvious now. They are working together. Thanks a bunch!