
Why Can't I Add Roles To An ACL?

David165
Mega Expert

Hi

I'm trying to add required roles to an ACL in Studio, but the system won't allow me to do it.

Without elevating my role to include security the entire ACL is read-only, as expected. When I elevate my account, I can edit the ACL and I have the option to insert another role in the Required Roles. But when I try to do this I get a message that "Security prevents writing to this field"

[screenshot]

Another thread suggested turning on security debugging, which I did. However, with debugging turned on there's no option to add new roles even though my permissions are still elevated:

[screenshot]

There are also no red entries in the debug log to indicate a security issue.

Is this a bug?

How can I achieve the same thing directly in the system tables?

BTW I have tried both Chrome and Firefox and cleared all session data and cookies to rule out browser issues.

Regards

David

1 ACCEPTED SOLUTION

Hi David,

I think I now understand your original problem. It was a misunderstanding. I suppose that you clicked on the first column (Created by [sys_created_by]), where nobody has write permission by default. You should click on the second column to insert the Role:

[screenshot]

One can modify the default ACL (*.sys_created_by) for the Created by [sys_created_by] column

[screenshot]

but it's not recommended, or you can add a new write ACL on sys_security_acl_role.sys_created_by (which is not recommended either).

If you find it comfortable to display Created by [sys_created_by] in the Requires role list, then you can add it as the second column (after the Role). It will probably cause fewer misunderstandings.

By the way, even if you click in the first column (on the "Insert new row.." text), you will get the following picture:

[screenshot]

where the line with the existing ACL and the column headers are not gray. If you compare the last picture with the picture which you posted in your question, you will see that your picture was taken with Elevated Roles disabled.

Regards
Oleg

 


10 REPLIES

Hi Oleg

I didn't do additional steps and I tested the solution by adding "Created By" back into the list to recreate the problem. Try it, I'm sure you'll see the same issue.

Regards

David

Sorry, David, but it could not be the solution of your problem, which you described before. You will never get a message like "Security prevents writing to this field" and the other problems which you described. I'm sure that you did other additional steps to be able to write the ACL.

David165
Mega Expert

Hi Oleg

 

Thanks for the follow-up. When I checked the screenshots I'd taken at the time I could see that was exactly what I'd done. Now I feel really embarrassed to have made such a daft mistake.

 

Regards

David

Ian N
Tera Contributor

I found this thread because I thought I could not add roles to an ACL.

The + is greyed out and "Insert a new row..." is purplish-grey.

It turns out you have to double click on "Insert a new row..." to add a role. Simples.