04-24-2024 09:14 AM
Hello All,
I have a fairly simple process I am trying to figure out pertaining to ACLs, but for the life of me I can't get it working and lean on your combined expertise for help.
I am working in the alm_asset table and the requested functionality is to lock the table fields down to admin only, with the exception of one field, "State" (install_status). We would want, for the moment, our itil users to be able to edit this field so they can move items from In stock to In use and such during the configuration and reclamation processes.
My understanding of ACLs is that they flow from Field level -> Wildcard level -> Table level, so my configuration is as such:
alm_asset.None - Granted to Admin and Itil
alm_asset.* - Granted to Admin only
alm_asset.install_status - Granted to Admin and Itil
As far as I can tell, this should allow permissions to the itil role to write to that field before denying access at the wild card to the entire table. However, I am still seeing users with Itil permission able to edit the entire alm_asset table.
When I run the Access Analyzer on the user for the field it is passing alm_asset and alm_asset.install_status, but not even registering the alm_asset.*.
So my overall question is, is my approach wrong? Or am I missing something simple with the configuration here?
Thanks!

04-24-2024 12:10 PM
@zerofidelis1 The approach seems okay to me and in an ideal scenario it should work. Please check if there is more than one wildcard field ACL defined on the alm_asset table, one of which could be granting the access to the ITIL user.

04-24-2024 01:13 PM
Thanks for validating. So far I do not see any other alm_asset.* write permissions anywhere in the ACL table. I checked for alm_hardware as well, as technically that is where these records are housed.
The thing that keeps getting me is the fact that the analyzer doesn't show it hitting the alm_asset.* at all. Is there any reason this would be the case? We are working out of Vancouver if that helps.
04-24-2024 12:44 PM
Hi,
Review the following:
04-24-2024 01:46 PM
Appreciate the help all, I just realized my "kick yourself" solution. That ACL structure was actually working as expected; I was so hung up on that single field that I didn't stop to realize that I had a number of other field ACLs that someone else had configured that were messing with all of these. So while it looked like the ACL wasn't applying, it actually was; I just need to deal with all these extra field ACLs.
Thanks!
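
The outcome of this thread, as an added example that is not part of any post: a simplified JavaScript model of how a field-specific write ACL is matched before the table wildcard, used to list fields where a leftover field ACL still grants itil. The ACL records, the extra field ACLs, the field list and the function names are constructed for illustration; conditions, scripts and parent-table rules are ignored.

```javascript
// Simplified model of field-level write ACL matching on one table.
// Assumptions: role-only ACLs (no conditions or scripts), no parent-table
// inheritance, and the table-level rule has already passed.
// All ACL records below are constructed sample data.
const acls = [
  { name: "alm_asset",                operation: "write", roles: ["admin", "itil"] },
  { name: "alm_asset.*",              operation: "write", roles: ["admin"] },
  { name: "alm_asset.install_status", operation: "write", roles: ["admin", "itil"] },
  // Hypothetical leftover field ACLs configured by someone else:
  { name: "alm_asset.assigned_to",    operation: "write", roles: ["itil"] },
  { name: "alm_asset.location",       operation: "write", roles: ["itil", "asset"] },
];

// Return the ACL level that decides access for table.field:
// the most specific match wins, so table.field is checked before table.*.
function decidingRule(aclList, table, field, operation) {
  const candidates = [`${table}.${field}`, `${table}.*`];
  for (const name of candidates) {
    const matches = aclList.filter(a => a.name === name && a.operation === operation);
    if (matches.length > 0) return { name, matches };
  }
  return { name: null, matches: [] };
}

// A user passes if ANY ACL at the deciding level lists one of their roles.
function canWrite(aclList, table, field, userRoles) {
  const { matches } = decidingRule(aclList, table, field, "write");
  return matches.some(a => a.roles.some(r => userRoles.includes(r)));
}

// Report every field where a field-specific ACL bypasses the wildcard and
// grants the role, excluding the fields that are meant to stay open.
function unexpectedGrants(aclList, table, fields, role, allowedFields) {
  return fields
    .filter(f => !allowedFields.includes(f))
    .filter(f => canWrite(aclList, table, f, [role]))
    .map(f => ({ field: f, decidedBy: decidingRule(aclList, table, f, "write").name }));
}

const fields = ["install_status", "assigned_to", "location", "serial_number", "cost"];
const report = unexpectedGrants(acls, "alm_asset", fields, "itil", ["install_status"]);
console.log(report);
```

Fields with no ACL of their own fall through to alm_asset.*, which is why the wildcard never shows up when analyzing install_status.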