ACL Not Working

mdshahvez11 · 4 weeks ago

Hello Everyone,

Earlier, we had created a few ACLs in both Dev and Prod environments to ensure that users can only view the tickets of the groups they are a part of.

However, while testing the scenario, we noticed that users are able to see tickets from all groups, even if they are not members of those groups.

I’m attaching the screenshots of the ACLs for reference , where filter condition is : Assignment group - is one my group

RaghavSh · 4 weeks ago

I believe for this you will have to write the script by clicking advanced:

answer = false;
if(gs.getUser().isMemberOf(current.assignment_group))
answer = true;

Applies to just filter the list of records but do not restrict.

Raghav
MVP 2023
LinkedIn

Satyam123 · 3 weeks ago

tried this but it did not worked

RaghavSh · 3 weeks ago

Then you probably have some conflicting table level ACL, which is providing access.

If there are 2 "Allow if" ACLs on a table then if user fulfil the conditions of 1 ACL, the access is provided.

Make sure the use does not have admin role because this ACLs are admin override checked.

Alternatively user Debug security rules and check which ACL is providing the access.

Raghav
MVP 2023
LinkedIn

Rafael Batistot · 4 weeks ago

Hi @mdshahvez11

May you try via Business Rule Before Query

How to restrict a specific group incidents to only its group members - Support and Troubleshooting