ACL requirement is not working for me

desaiakash0
Tera Contributor

Hi Team,

 

I'm practising one scenario of ACL.

Scenario: Only specific group members can see/edit/write the P1 Incidents; members of other groups cannot see the P1 incidents.
I tried using

1) table.none  

2) assigning a role to the ACL

3) writing a script
Still it's not working. Can someone help me achieve this scenario?

 

Thanks,
Akash

3 REPLIES

Mark Manders
Mega Patron

Use a simple 'deny unless' read/write ACL. Apply to as P1 and use a security attribute (for the group) to get it done. Why assign a role? Your scenario doesn't specify anything about a role.

 

And for future reference: if you say "I tried a script but it didn't work" always add the script and the outcome of the script. There's a huge difference if the ACL prevented everyone from seeing the P1 incidents, or it was granting access to everyone.


Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark

Rafael Batistot
Kilo Patron

Hi @desaiakash0 

 

Use a table-level ACL with a script checking priority == 1 and gs.getUser().isMemberOf(group) for access

 

You don't need to overcomplicate this. ACLs on incident.priority won't solve it, because you want to restrict based on record data (priority = 1) plus group membership.

 

Here’s the direct way to do it:

 

  1. Go to System Security > Access Control (ACL).
  2. Create a new ACL on the incident table (read/write/update).
    • Type: record
    • Operation: read (repeat for write/update)
    • Name: incident.*
  3. In the Advanced script of the ACL, add logic like this:

// ACL script: allow only members of a specific group to access P1 Incidents.
// An ACL script does not use the Business Rule executeRule() wrapper; it sets
// the 'answer' variable (or evaluates to a boolean) with 'current' being the
// record under evaluation.

// Replace with your group sys_id (isMemberOf also accepts the group name)
var allowedGroup = 'YOUR_GROUP_SYS_ID';

if (current.priority != 1) {
    // Not a P1: this ACL is not meant to restrict it, so answer true.
    // Without this branch the ACL would deny every non-P1 incident to everyone.
    answer = true;
} else {
    // P1: only members of the allowed group pass
    answer = gs.getUser().isMemberOf(allowedGroup);
}

  4. Make sure to uncheck "Requires role" if you're controlling only by script, otherwise it may block unintentionally.

 

Important: You need to apply this ACL for read, write, and update separately. If you only put it on write, users may still see P1s.

Mark Manders
Mega Patron

Please tell me why you are using a script for this? Security attributes are there for a reason. No need for scripting in ACLs if you want a group membership check. And why on earth would you script in an ACL to check if the incident is P1? You have conditions to do this and even an applies_to field.

Scripting is absolutely unnecessary for this use case, and a 'deny unless' ACL is way better than an 'allow if' in this case.


Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
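The difference Mark points out, locking everyone out versus letting everyone in, is easy to check on sample data before touching a real instance. The block below is an added example, not code from the thread or from ServiceNow: it models the three variants discussed (the script as posted, the same script corrected so non-P1 records stay readable, and a scripted stand-in for Mark's 'deny unless' ACL scoped with applies_to and a group-membership attribute) with a deliberately simplified evaluator. The group name, users, incidents and the evaluation rules in `evaluate()` are assumptions constructed for the example; it does not reproduce the platform's real ACL engine or the stock incident ACLs.

```javascript
// Added example (not from the thread or ServiceNow): a small model of how the
// ACL variants discussed above behave, so the failure mode (everyone locked
// out of non-P1 records vs. everyone let in) shows up on constructed data.

const P1_GROUP = 'P1 Responders'; // hypothetical group; the platform takes a sys_id or name

// Constructed records: one P1 incident, one P3 incident.
const P1_INCIDENT = { number: 'INC0000001', priority: 1 };
const P3_INCIDENT = { number: 'INC0000002', priority: 3 };

// Constructed users with a stand-in for gs.getUser().isMemberOf(group).
function makeUser(name, groups) {
  return { name: name, isMemberOf: function (g) { return groups.indexOf(g) !== -1; } };
}
const responder = makeUser('alice', [P1_GROUP]);
const outsider = makeUser('bob', ['Service Desk']);

// The script logic as posted: answers true only for group members on a P1
// and otherwise leaves the answer undefined, which an ACL treats as deny.
function postedScript(current, user) {
  if (current.priority == 1) {
    if (user.isMemberOf(P1_GROUP)) {
      return true;
    }
  }
}

// Corrected script for an "allow if" ACL that covers every incident: records
// that are not P1 are outside the requirement and must still be readable.
function correctedScript(current, user) {
  return current.priority != 1 || user.isMemberOf(P1_GROUP);
}

// Simplified model of ACL evaluation for one table/operation (assumption, not
// the platform's engine): an ACL applies only if its "applies to" predicate
// matches the record; every matching "deny unless" ACL must pass; if any
// "allow if" ACL matches, at least one must pass; with no matching ACL the
// record is treated as unrestricted by this set.
function evaluate(acls, record, user) {
  var matching = acls.filter(function (a) { return !a.appliesTo || a.appliesTo(record); });
  var denyUnless = matching.filter(function (a) { return a.decision === 'deny_unless'; });
  var allowIf = matching.filter(function (a) { return a.decision === 'allow_if'; });
  for (var i = 0; i < denyUnless.length; i++) {
    if (!denyUnless[i].check(record, user)) return false;
  }
  if (allowIf.length === 0) return true;
  return allowIf.some(function (a) { return Boolean(a.check(record, user)); });
}

// Three ACL sets for the "read" operation on incident.
const POSTED = [{ decision: 'allow_if', check: postedScript }];
const CORRECTED = [{ decision: 'allow_if', check: correctedScript }];
// Mark's variant: no record-data script. The ACL is scoped to P1 via
// "applies to" and passes on group membership (what the security attribute checks).
const DENY_UNLESS = [{
  decision: 'deny_unless',
  appliesTo: function (r) { return r.priority == 1; },
  check: function (r, user) { return user.isMemberOf(P1_GROUP); }
}];

// Access matrix for one ACL set: who can read which incident.
function matrix(acls) {
  return {
    p1_responder: evaluate(acls, P1_INCIDENT, responder),
    p1_outsider: evaluate(acls, P1_INCIDENT, outsider),
    p3_responder: evaluate(acls, P3_INCIDENT, responder),
    p3_outsider: evaluate(acls, P3_INCIDENT, outsider)
  };
}

console.log('posted   ', matrix(POSTED));
console.log('corrected', matrix(CORRECTED));
console.log('deny unless', matrix(DENY_UNLESS));
```

Running it shows the posted script denying the P3 incident to both users, because the script answers nothing for non-P1 records; the corrected script and the scoped 'deny unless' ACL give the same matrix, with only the P1 incident hidden from the outsider. The same four-cell check (P1/non-P1 against member/non-member, with impersonation) is the one to run on a sub-production instance for each operation the ACL is created for.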