Create an asset team who cannot write to certain fields
4 weeks ago - last edited 3 weeks ago
We have an asset team who has the asset role.
I want another team who has similar roles, but can only read:
- Assigned to
- Serial Number
- Asset Tag
- Model
- Configuration Item
- Comments
I thought I could give this new group the asset role and set a client script so that, if they are in this group, they can only read these fields. I haven't been able to get this to work. I tried alm_asset.ci and just ci. Doesn't seem to work.
Other ideas?
Thanks
Nick
3 weeks ago
I changed the group name to the sys_id of the group. That seems to have helped. Some fields are set to read only and others are not. I think I need to find the correct field name.
3 weeks ago
I am finding the user in the new group (that should have read only) can still write to assigned_to and comments. It appears these are indeed in the alm_asset table, therefore I tried alm_asset.assigned_to and alm_asset.comments. This did not work. 😞
3 weeks ago
I tried a UI policy on the HAM workspace, but this didn't work either. The user in the group could still write to the comments and change the assigned_to. 😞
3 weeks ago - last edited 3 weeks ago
Keep in mind that any restriction client side is easily circumventable. If you need true restriction, then you need to use e.g. ACLs and a new role.
Fairly simple to work out what you need to do using the access analyzer.
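
An added example, not part of the thread and not ServiceNow code: a plain-JavaScript model of the server-side, role-based field write check that the last reply recommends over client scripts and UI policies. The role name `asset_limited` and the column names other than `assigned_to`, `comments` and `ci` are assumptions, and the sample record is constructed.

```javascript
// Plain-JavaScript model of server-side, per-field write enforcement.
// Not ServiceNow's ACL engine: role and column names are assumptions.
const READ_ONLY_FOR_LIMITED = new Set([
  'assigned_to', 'serial_number', 'asset_tag', 'model', 'ci', 'comments',
]);
const FULL_ROLE = 'asset';             // existing asset team role (from the thread)
const LIMITED_ROLE = 'asset_limited';  // hypothetical role for the new team

// Deny by default: a field is writable only if a rule explicitly allows it.
function canWrite(user, field) {
  const roles = new Set(user.roles);
  if (roles.has(FULL_ROLE)) return true;
  if (roles.has(LIMITED_ROLE)) return !READ_ONLY_FOR_LIMITED.has(field);
  return false;
}

// Server-side update handler: every submitted field is checked here,
// no matter what the form showed as read-only in the browser.
function applyUpdate(user, record, changes) {
  const updated = { ...record };
  const rejected = [];
  for (const [field, value] of Object.entries(changes)) {
    if (canWrite(user, field)) updated[field] = value;
    else rejected.push(field);
  }
  return { record: updated, rejected };
}

// Constructed sample data.
const asset = { assigned_to: 'alice', comments: '', install_status: 'In use' };
const limitedUser = { name: 'limited.user', roles: [LIMITED_ROLE] };
const result = applyUpdate(limitedUser, asset, {
  assigned_to: 'bob', comments: 'edited', install_status: 'In stock',
});
console.log('rejected fields:', result.rejected);
console.log('stored record:', result.record);
```

In this model a user who holds both roles keeps full write access, so the restricted team has to be given the new role instead of the existing `asset` role.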

