Record vs table level acls when script attached
07-17-2025 06:42 AM
I have the following ACL script on the sectest table (it is in the first-row ACL in the image above, for the read operation):

var user = gs.getUser();
// Allow read for the CMP roles, the record's creator, or a record that is not yet saved
if (user.hasRole("sn_cmp.cloud_service_designer") ||
    current.sys_created_by == gs.getUserName() ||
    user.hasRole("sn_cmp.cloud_governor") ||
    user.hasRole("sn_cmp.cloud_admin") ||
    user.hasRole("sn_cmp.cloud_operator") ||
    current.isNewRecord()) {
    answer = true;
} else {
    // Otherwise defer to the CMP permission check for this specific record
    answer = new CMPCheckPermission().checkPermission(current.getTableName(), current.getValue("sys_id"), gs.getUserID(), "read");
}
Since this script uses current, I understand it functions as a record-level ACL. However, I would like to confirm whether this can also be considered applicable at the table level, or if the presence of current strictly makes it record-level only.
Now consider the following Java logic:

GlideRecord opSignatureGlide = new GlideRecord("sectest");
// Access check before the query: the record is not loaded yet at this point
if (!opSignatureGlide.canRead()) {
    AccessErrorHelper.throwAccessError(fLogger, AccessErrorHelper.OperationType.READ);
}
opSignatureGlide.addQuery("name", opSignatureName);
opSignatureGlide.query();
while (opSignatureGlide.next()) {
    if (fLogger.isDebugEnabled()) {
        fLogger.debug("Glide record for operation signature exists with name: " + opSignatureName);
    }
    operationSignatureDTO = convertGlideRecordToOpSignatureDTO(opSignatureGlide);
}
My concern is that since the only ACL on the table is the record-level ACL that uses current, calling canRead() before the loop may not behave as expected.
I understand that canRead() evaluated before next() only checks for table-level ACLs. And since there is no explicit table-level ACL defined (no ACL with name .*), this check might return false even though the user has record-level access due to the script.
Therefore, should I avoid using canRead() before the query loop in such a scenario?
Would it be correct to say that a record-level ACL using current does not replace a proper table-level ACL, and that if no table-level ACL exists, then canRead() should not be used before the loop?
Let me know if this understanding is correct.
And if the record is defined in my ACL, then where do I define the table-level ACL? How do I distinguish the two?
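As an added illustration (not code from this thread or from ServiceNow), here is a small Node-runnable model of the read ACL above applied per record inside the query loop instead of once before it. The GlideRecord, gs and CMPCheckPermission calls are replaced by plain objects and a caller-supplied permission function; those stand-ins, the row data and the user objects are all constructed for the example.

```javascript
// Roles that the thread's ACL script grants read access to unconditionally.
const CMP_ROLES = [
  'sn_cmp.cloud_service_designer', 'sn_cmp.cloud_governor',
  'sn_cmp.cloud_admin', 'sn_cmp.cloud_operator',
];

// Mirrors the ACL script's decision order for one loaded record:
// role check, creator check, new-record check, then the CMP permission
// fallback (modelled as a caller-supplied function, an assumption here).
function readAllowed(user, record, checkPermission) {
  if (CMP_ROLES.some((r) => user.roles.includes(r))) return true;
  // The next two branches read fields of the record, so they can only be
  // decided once a row has actually been loaded (i.e. after next()).
  if (record.sys_created_by === user.name) return true;
  if (record.isNew) return true;
  return checkPermission('sectest', record.sys_id, user.sys_id, 'read');
}

// Query, then evaluate the record-level rule against each loaded row.
// Returns the sys_ids the user may read for the requested signature name.
function readOpSignatures(user, rows, opSignatureName, checkPermission) {
  const readable = [];
  for (const row of rows) {                       // stands in for while (gr.next())
    if (row.name !== opSignatureName) continue;   // stands in for addQuery('name', ...)
    if (readAllowed(user, row, checkPermission)) readable.push(row.sys_id);
  }
  return readable;
}

// Constructed sample rows for the sectest table.
const ROWS = [
  { sys_id: 'r1', name: 'sig-a', sys_created_by: 'alice', isNew: false },
  { sys_id: 'r2', name: 'sig-a', sys_created_by: 'bob',   isNew: false },
  { sys_id: 'r3', name: 'sig-b', sys_created_by: 'alice', isNew: false },
];
// Two constructed stand-ins for the CMP permission check.
const denyAll = () => false;
const grantOnlyR2 = (table, sysId) => table === 'sectest' && sysId === 'r2';

// Creator without any CMP role: only her own matching row is readable.
console.log(readOpSignatures({ name: 'alice', sys_id: 'u1', roles: [] },
  ROWS, 'sig-a', denyAll));                                   // [ 'r1' ]
// cloud_admin: every matching row, regardless of creator or fallback.
console.log(readOpSignatures({ name: 'carol', sys_id: 'u2',
  roles: ['sn_cmp.cloud_admin'] }, ROWS, 'sig-a', denyAll));  // [ 'r1', 'r2' ]
// No role, not the creator: only what the fallback check grants.
console.log(readOpSignatures({ name: 'carol', sys_id: 'u2', roles: [] },
  ROWS, 'sig-a', grantOnlyR2));                               // [ 'r2' ]
```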
07-17-2025 07:01 AM
As far as I know, both table-level and record-level ACLs function similarly. There’s no such thing as an explicit table-level ACL. Setting table.none will validate access on each individual record. In the list view, it applies to all records, but only those the user is authorized to access will be displayed.
Regards,
Siva
07-17-2025 07:12 AM
If I use gr.canRead before the while loop and, as mentioned, a script is attached which uses current, then will it give an unpredictable result since current is not yet loaded?
07-17-2025 07:20 AM
May I know where you are using this Java logic?
07-17-2025 07:33 AM
What do you mean?
I am using it in my code, which gets triggered by an action:

GlideRecord opSignatureGlide = new GlideRecord("sectest");
// Access check before the query: the record is not loaded yet at this point
if (!opSignatureGlide.canRead()) {
    AccessErrorHelper.throwAccessError(fLogger, AccessErrorHelper.OperationType.READ);
}
opSignatureGlide.addQuery("name", opSignatureName);
opSignatureGlide.query();
while (opSignatureGlide.next()) {
    if (fLogger.isDebugEnabled()) {
        fLogger.debug("Glide record for operation signature exists with name: " + opSignatureName);
    }
    operationSignatureDTO = convertGlideRecordToOpSignatureDTO(opSignatureGlide);
}