Restricting view of Incidents (ACL)

jayson5
ServiceNow Employee

Hello Community,

The Incident form has a lot of ACLs. However, I need to lock down all HR Incidents to users with an HR role. I've put the following in for a Read ACL; however, it locks everyone out of the Incidents.

If the "Functional Area" = Human Resources, I want to restrict those Incidents to only users with that role.

ACL Script:

current.u_functional_area = 'HUMAN RESOURCES';

Requires Role:

HR

33 REPLIES

Hi Ernest,



This would be possible; what we might require is to put some conditions in a query business rule like:

if (!gs.hasRole('HR')) { // 'HR' is the role named in the original question
    // Users without the role only see incidents they are watching or opened.
    // opened_by is a reference to sys_user, so the user's sys_id is the value to match.
    current.addQuery('watch_list', 'CONTAINS', gs.getUserID())
           .addOrCondition('opened_by', gs.getUserID());
} else {
    // Get the above query data plus a customized query as per requirement.
}


if (!gs.hasRole('HR')) { // role name was missing here; 'HR' assumed from the original question
    current.addQuery('watch_list', 'CONTAINS', gs.getUserID())
           .addOrCondition('opened_by', gs.getUserID());
} else {
    if (!gs.hasRoleFromList("ABC,admin")) {
        current.addQuery('category', '!=', 'COMPUTERS');
    }
}



The first if statement evaluates correctly, but the second one restricts tickets with category of computer for users with both roles.


Hi Deepak,



I like your recommendation too. I have one question: if we try to access records using the API, then will the query BR restrict these records? I did not get a chance to test it myself, so I'm checking whether you have ever had this scenario.



Thanks


Hi Rajeev,



Good point, I have not tried it either but I guess it should block the access.


I am checking what happens with an integration user if it tries to access or fetch a record.


Hi Rajeev,



I have tested and found the query business rule is respected from a security point of view when it comes to API calls. So it is not just an ACL.
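The query business rule approach suggested in the replies above, applied to the original question (HR incidents visible only to the HR role), as an added example that is not code from any poster in this thread. It also shows the corrected form of the question's ACL script beside it. `fakeGs`, `fakeQuery` and `fakeRecord` are constructed stand-ins for the platform's `gs` and `current` objects so the functions can be run outside ServiceNow; in a real "before query" business rule on incident the platform supplies them and the rule body is just the function body.

```javascript
// Added example (not from the thread). The names below are assumptions
// except HR (the role in the question) and u_functional_area / 'HUMAN RESOURCES'.
var HR_ROLE = 'HR';               // role named in the original question
var HR_AREA = 'HUMAN RESOURCES';  // u_functional_area value from the question

// Body of a "before query" business rule on the incident table. The filter is
// added to the query before it runs, so non-HR users never retrieve the rows
// at all (in lists, reports or API calls); an ACL instead removes rows after
// the query returned them, row by row.
function hrQueryRule(gs, current) {
  if (!gs.hasRole(HR_ROLE)) {
    current.addQuery('u_functional_area', '!=', HR_AREA);
  }
}

// Read ACL script form of the same check. The question's script used `=`
// (assignment) instead of a comparison and never set `answer`, so the ACL
// never granted access. In the ACL script itself, assign this result to `answer`.
function hrReadAcl(gs, current) {
  return current.getValue('u_functional_area') !== HR_AREA || gs.hasRole(HR_ROLE);
}

// --- constructed stand-ins, only so the functions above run offline ---
function fakeGs(roles) {
  return { hasRole: function (role) { return roles.indexOf(role) !== -1; } };
}
function fakeQuery() {
  var conditions = [];            // records each addQuery call in encoded-query style
  return {
    conditions: conditions,
    addQuery: function (field, op, value) {
      conditions.push(field + op + value); // e.g. "u_functional_area!=HUMAN RESOURCES"
      return this;
    }
  };
}
function fakeRecord(values) {
  return { getValue: function (field) { return values[field]; } };
}
```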