10-24-2022 09:04 PM
Kia ora,
Hoping for some advice on an ACL query (or might need to resort to business rules). I've read a number of community posts and none of them seem quite right.
The business requirement is for users to not be able to delete attachments and not view attachments if they are not the creator.
In more detail:
1. Add an attachment when creating a case (as well as editing the fields on the form)
2. Able to add comments and attachments to case via service portal after it is created
3. View only for attachments they have added to the case, i.e. no permission to delete or edit attachments
4. No view access for attachments added to the case if they are not the creator
Is it possible using ACLs?
Alternatively, have seen Business Rules recommended, but think it involves DOM manipulation.
Any advice would be really appreciated.
Thanks,
Brett
Labels: Employee Document Management


10-24-2022 09:46 PM
Hello,
You can:
1. Check the delete-type ACLs on the sys_attachment table.
2. If any exist, then you can either edit one or create a new ACL.
3. Here, since I can't see the ACLs on your instance, I would suggest creating a new ACL.
4. In Conditions: Table Name = <Name of your case table>
5. In that ACL put the following script condition:
    // Deny delete unless the logged-in user created the attachment.
    // sys_created_by stores the user_name, so compare it with gs.getUserName()
    // (gs.getUserID() returns the sys_id, which would never match).
    if (current.sys_created_by != gs.getUserName()) {
        answer = false;
    }
This will restrict users who have not created the attachment on your case table from deleting it.
(Note: here we are only checking whether the user is the creator of the attachment. If you want to compare with the creator of the case, you will have to take the case sys_id from the "table_sys_id" column of the sys_attachment table, glide to the case table, take the creator's sys_id from there and compare it with the currently logged-in user.)
Secondly, to restrict the users from reading the attachment as well, you will have to create a "Read" type ACL, similar to the above.
Please mark the answer correct if my explanation helps you. 🙂
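The two checks described in the answer above, written as plain functions so they can be exercised outside an instance (an added example, not code from the post or from ServiceNow). The `gs` and `GlideRecord` objects are constructed stand-ins that imitate only the calls the script uses; the case table name `u_privacy_case` and the sample rows are assumptions made up for the example.

```javascript
// Constructed stand-in for the platform: tables keyed by name, then sys_id.
// Assumption: the case table is called u_privacy_case (hypothetical name).
const fakeTables = {
  u_privacy_case: {
    case1: { sys_id: 'case1', sys_created_by: 'brett' },
    case2: { sys_id: 'case2', sys_created_by: 'alice' },
  },
};

// Minimal fake GlideRecord: supports only get(sys_id) and getValue(field).
class FakeGlideRecord {
  constructor(table) { this.table = table; this.rec = null; }
  get(sysId) {
    this.rec = (fakeTables[this.table] || {})[sysId] || null;
    return this.rec !== null;
  }
  getValue(field) { return this.rec ? String(this.rec[field]) : null; }
}

// Minimal fake GlideSystem: gs.getUserName() returns the user_name string.
function makeGs(userName) {
  return { getUserName: () => userName };
}

// Attachment-creator check (the script condition in the answer).
// sys_created_by holds a user_name, so it is compared with gs.getUserName().
function attachmentCreatorCanDelete(current, gs) {
  return current.sys_created_by === gs.getUserName();
}

// Case-creator variant from the note: resolve the parent record through
// table_name / table_sys_id and compare its creator with the logged-in user.
function caseCreatorCanDelete(current, gs, GlideRecordCtor) {
  const parent = new GlideRecordCtor(current.table_name);
  if (!parent.get(current.table_sys_id)) {
    return false; // parent record missing: deny rather than fall open
  }
  return parent.getValue('sys_created_by') === gs.getUserName();
}

// Run a check the way an ACL script does: `answer` starts true and the
// script may only turn it false.
function evaluateAcl(check, current, gs, GlideRecordCtor) {
  let answer = true;
  if (!check(current, gs, GlideRecordCtor)) {
    answer = false;
  }
  return answer;
}

// Constructed sys_attachment rows (real rows carry table_name / table_sys_id).
const attachmentByBrett = { sys_created_by: 'brett', table_name: 'u_privacy_case', table_sys_id: 'case1' };
const attachmentByAlice = { sys_created_by: 'alice', table_name: 'u_privacy_case', table_sys_id: 'case1' };
```

With these rows, `attachmentCreatorCanDelete` lets only the uploader delete, while `caseCreatorCanDelete` lets the case's creator (brett, who created case1) delete any attachment on that case, including alice's; pick the variant that matches the requirement before putting it in the ACL.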
10-27-2022 02:36 PM
Thanks so much for the detailed reply, really appreciate it.
I did try removing the delete ACL on the sys_attachment table, and they were still able to delete the attachments on their cases. When I looked with ACL debug, it looked like they were able to delete because they have Write permission on the table where the case sits, the Privacy table.
From your understanding, does it make sense that having Write permission on the Privacy table would let you delete attachments on cases in that table?
If I remove that write permission they can't delete the attachments after the case is submitted, but they also can't attach new ones or add comments.
So, I need an ACL or ACLs which let them add comments and new attachments but don't also give them the ability to delete.
Thanks again,
Brett

10-28-2022 04:28 AM
If there are no delete ACLs in place (if you removed them), then anyone who can access the record can also delete it.
You should think in terms of "who do you want to allow this to" when creating/modifying ACLs.
Create or modify OOB ACLs so that only the users specified can perform the delete in this case.
The same goes if there are multiple ACLs that grant the same thing: if a user passes the first ACL that grants rights to perform some action, then no other ACL can be created that prohibits the same user from that action, because it has already been granted.
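A deliberately simplified model of the evaluation rule this reply describes, added here as an example (not code from the post or from ServiceNow), so the effect of stacking ACLs can be checked on constructed data. It assumes exactly what the reply states: access is granted as soon as any matching ACL passes, and an operation with no ACL at all is open to anyone who can reach the record. The `case_submitter` role and the users are made up for the example.

```javascript
// An ACL in this model is {operation, passes(user, record)}.
// Assumption from the reply: any passing ACL grants; no ACL means no restriction.
function accessGranted(acls, operation, user, record) {
  const matching = acls.filter(acl => acl.operation === operation);
  if (matching.length === 0) {
    return true; // no delete ACL in place: nothing restricts the action
  }
  return matching.some(acl => acl.passes(user, record));
}

// Delete ACL that only lets the attachment's creator delete it.
const creatorOnlyDelete = {
  operation: 'delete',
  passes: (user, record) => record.sys_created_by === user.user_name,
};

// A second, broader delete ACL keyed to a role every case submitter holds
// (hypothetical). Because grants are OR-ed, it defeats the creator check.
const roleDelete = {
  operation: 'delete',
  passes: (user) => user.roles.includes('case_submitter'),
};

// Constructed users and attachment row used to compare the configurations.
function sampleOutcomes() {
  const brett = { user_name: 'brett', roles: ['case_submitter'] };
  const alice = { user_name: 'alice', roles: ['case_submitter'] };
  const attachment = { sys_created_by: 'brett' };
  return {
    // delete ACL removed entirely: alice can delete brett's attachment
    noDeleteAcl: accessGranted([], 'delete', alice, attachment),
    // only the creator-check ACL: alice denied, brett allowed
    creatorOnlyOther: accessGranted([creatorOnlyDelete], 'delete', alice, attachment),
    creatorOnlyOwner: accessGranted([creatorOnlyDelete], 'delete', brett, attachment),
    // creator-check plus a broader granting ACL: alice allowed again
    stacked: accessGranted([creatorOnlyDelete, roleDelete], 'delete', alice, attachment),
  };
}
```

The `stacked` outcome is the practical point: a restrictive ACL cannot take back what another ACL on the same operation already grants, so the fix is to narrow or remove the broad grant rather than add a denying rule beside it.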
10-30-2022 01:15 PM
Thanks again. I can't believe I forgot ACL 101; too much time working with other systems, maybe.
Your explanation is super clear, really appreciate it.