Restrict an Account Configured as Web Service Access Only to read a specific filter in User table

JR Oliver
Tera Contributor

Hi Everyone,

I have an account configured as Web Service Access Only.
I want this account to be able to have read-only access in our User record with a specific filter, e.g. AD Account Type = User.

I created a custom role and added it to this account.

I also created an ACL:

Type: Record

Operation: Read

Decision Type: Allow if

Name: sys_user*

Role: The custom role that I created.

Data Condition: AD Account Type = User.

However, I added the custom role to a new user (without any role), impersonated it, but I am still able to read all records in our User table.

Appreciate your insights on this.

1 REPLY

JenniferRah
Mega Sage

As soon as you log in as the new user, it will add the snc_internal role to that user, which is probably what is allowing it to read all the roles. You'll need to have a clean user (no roles) set up as Web service access only and then run a REST call as that user to fully test your ACL.

Also, you will need a Read ACL for the record (sys_user) and for the fields (sys_user.*) if you want the user to be able to see the fields on the record.
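
One way to run the REST test suggested in the reply above, as an added example that is not part of the thread: query the Table API for sys_user as the web-service-only account with no query filter, then flag every returned row that falls outside the ACL's data condition. The instance URL, the credentials and the column name `u_ad_account_type` are assumptions to replace with your own values.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumptions (not from the thread): the instance URL and the column name
# behind "AD Account Type" are placeholders to replace.
INSTANCE = "https://example.service-now.com"
FIELD = "u_ad_account_type"   # hypothetical column name
ALLOWED = "User"


def build_request(instance, user, password, field, limit=1000):
    """Table API GET on sys_user with no query filter, so the ACL alone
    decides which rows come back."""
    params = urllib.parse.urlencode({
        "sysparm_fields": f"sys_id,user_name,{field}",
        "sysparm_limit": limit,
    })
    req = urllib.request.Request(f"{instance}/api/now/table/sys_user?{params}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    return req


def find_acl_leaks(records, field, allowed):
    """Return rows the account can read that do not match the ACL condition.
    A row with the field missing or empty is flagged too, since it cannot be
    shown to satisfy the condition."""
    return [r for r in records if r.get(field) != allowed]


def check_instance(instance, user, password, field=FIELD, allowed=ALLOWED):
    """Run the query as the test account; return (rows read, rows leaked)."""
    with urllib.request.urlopen(build_request(instance, user, password, field)) as resp:
        records = json.load(resp)["result"]
    return len(records), find_acl_leaks(records, field, allowed)


if __name__ == "__main__":
    # Constructed sample of a Table API "result" array, used offline.
    sample = [
        {"sys_id": "a1", "user_name": "jdoe", FIELD: "User"},
        {"sys_id": "b2", "user_name": "svc.backup", FIELD: "Service"},
        {"sys_id": "c3", "user_name": "unknown", FIELD: ""},
    ]
    for row in find_acl_leaks(sample, FIELD, ALLOWED):
        print("readable but outside ACL condition:", row["user_name"])
```

Call `check_instance(...)` with the clean web-service-only account's credentials; an empty leak list with a non-zero row count means the account reads only rows matching the condition.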