acl restrict cmdb_ci to support_group

web48f
Tera Contributor

I have a story to restrict read access on cmdb_ci.list for a certain group to only those rows where the logged-in user is a member of the support_group. By default any logged-in user can see the whole list. I updated the default cmdb_ci read ACL to include:

if (gs.getUser().hasRole('certain_group')) {
    answer = false;
}

 

I have a read ACL for cmdb_ci with the appropriate role and the script:

answer = gs.getUser().isMemberOf(current.support_group.getDisplayValue());

 

However, when the user visits cmdb_ci.list they get a result of only: Number of rows removed from this list by Security constraints: 20

 

They do not see the 86 CIs that they should see.


If I then apply the filter of support_group = their group, I get the list of 86 CIs that they are the support group for.

 

Why does the ACL work when I apply the filter, but when I try to look at the whole table it doesn't show the true results? I expect when looking at cmdb_ci without any filters the table ACLs would apply to every CI, and therefore weed out the ones I can't see, but I could be hitting some kind of limit since the base table is very large.
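
The symptom described above, reproduced as an added example that is not part of the original post: a self-contained model in plain JavaScript (no ServiceNow APIs) of a list that fetches one page of rows and only then applies a row-level read check to them, compared with putting the support_group condition into the query. That the list evaluates the ACL script per page is an assumption of this model; the table contents, the page size of 20 and all function names are constructed.

```javascript
// Constructed model, not ServiceNow code: table contents, names and page size are illustrative.
const PAGE_SIZE = 20;

// Constructed table: 500 CIs in default sort order; rows 20..105 (86 rows)
// have support_group "Network Ops", every other row belongs to "Other Team".
function buildTable() {
  return Array.from({ length: 500 }, (_, i) => ({
    name: 'ci' + String(i).padStart(4, '0'),
    support_group: i >= 20 && i < 106 ? 'Network Ops' : 'Other Team',
  }));
}

// Stand-in for the row-level read ACL script from the post.
function rowAcl(user, row) {
  return user.groups.includes(row.support_group);
}

// Assumed list behaviour: run the query, cut one page, then apply the
// row ACL to that page only and report how many rows it dropped.
function listPage(table, user, page, condition = () => true) {
  const matched = table.filter(condition);
  const pageRows = matched.slice(page * PAGE_SIZE, (page + 1) * PAGE_SIZE);
  const visible = pageRows.filter((row) => rowAcl(user, row));
  return { visible: visible.length, removed: pageRows.length - visible.length, matched: matched.length };
}

// Walk every page and total what the user can actually read.
function totalVisible(table, user, condition = () => true) {
  const pages = Math.ceil(table.filter(condition).length / PAGE_SIZE);
  let total = 0;
  for (let p = 0; p < pages; p++) total += listPage(table, user, p, condition).visible;
  return total;
}

const table = buildTable();
const user = { groups: ['Network Ops'] };
const inMyGroup = (row) => row.support_group === 'Network Ops';

console.log('no filter, page 1:', listPage(table, user, 0));
console.log('support_group filter, page 1:', listPage(table, user, 0, inMyGroup));
console.log('readable rows across all pages:', totalVisible(table, user));
```

In this model the row check gives the same answer for every CI in both cases; what changes is whether any readable rows fall inside the first page that the check is applied to.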