ACLs and deleting attachments

Brett Watson
Tera Contributor

Kia ora,

Hoping for some advice on an ACL query (or might need to resort to business rules). I've read a number of community posts and none of them seem quite right.

The business requirement is for users to not be able to delete attachments and not view attachments if they are not the creator.

In more detail:

1. Add an attachment when creating a case (as well as editing the fields on the form)

2. Able to add comments and attachments to case via service portal after it is created

3. View only for attachments they have added to the case, i.e. no permission to delete or edit attachments

4. No view access for attachments added to the case if they are not the creator

Is it possible using ACLs?

Alternatively, I have seen Business Rules recommended, but I think that involves DOM manipulation.

Any advice would be really appreciated.

Thanks,

Brett

1 ACCEPTED SOLUTION

If there are no delete ACLs in place (if you removed them), then anyone who can access the record can also delete it.

You should think in terms of "who do you want to allow this to" when creating/modifying ACLs.

Create or modify the OOB ACLs so that, in this case, only the users specified can perform the delete.

The same thing goes if there are multiple ACLs that grant the same thing: if a user passes the first ACL that grants rights to perform some action, then no other ACL can be created that prohibits the same user from that action, because it has already been granted.
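To make the "already granted" point concrete, here is an added model of how several ACLs on the same operation combine (example code, not from this thread or from ServiceNow itself). The users, roles and rules are constructed for the illustration; only the OR-style evaluation mirrors the platform behaviour described above.

```javascript
// Constructed attachment record with the sys_attachment fields the thread relies on.
const attachment = { sys_id: 'att001', table_name: 'x_case', sys_created_by: 'alice' };

// Constructed users and roles (hypothetical, not a real instance).
const users = {
  alice: { name: 'alice', roles: ['itil'] },   // created the attachment
  bob:   { name: 'bob',   roles: ['itil'] },   // same role, not the creator
  carol: { name: 'carol', roles: ['admin'] },  // admin, not the creator
};

// All ACLs matching an operation are OR-ed: access is granted if ANY of them passes.
// There is no "deny" rule that can take back what another ACL already granted.
function evaluate(acls, user, record) {
  return acls.some((acl) => acl(user, record));
}

// Individual ACL conditions (constructed stand-ins for role-based delete rules).
const deleteIfItil    = (user) => user.roles.includes('itil');
const deleteIfAdmin   = (user) => user.roles.includes('admin');
// The creator-only condition the original post asks for.
const deleteIfCreator = (user, rec) => rec.sys_created_by === user.name;

// Mistaken setup: adding a creator rule NEXT TO the existing role rule.
// The role rule still grants delete to every itil user, so the creator rule changes nothing.
const wrongSetup = [deleteIfItil, deleteIfAdmin, deleteIfCreator];

// Corrected setup: fold the creator condition INTO each rule that would otherwise grant delete
// (here admins are deliberately left able to clean up, which is a design choice, not a rule).
const rightSetup = [
  (user, rec) => deleteIfItil(user) && deleteIfCreator(user, rec),
  deleteIfAdmin,
];

// Can the named user delete the constructed attachment under the given ACL set?
function canDelete(setup, userName) {
  return evaluate(setup, users[userName], attachment);
}
```

Note that under `rightSetup`, once `alice` leaves and nobody else holds the admin role, no itil user can delete her attachment, which is exactly the hand-over problem raised later in the thread.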


joyceelynn
Tera Contributor

Hi @OlaN, I had deactivated all delete ACLs for sys_attachment, but the user is still not able to see the 'remove' option when clicking on the attachment. Do you know why?

Hi joyceelynn,

No, I don't know why, but my first guess would be a caching issue.
Try clearing the cache and see if it works as expected after that.

OlaN
Giga Sage

Hi,

This requirement might have some unwanted implications.

Suppose you are using Knowledge management.

Person A creates a KB, and attaches some files to this KB.

After a while, person A leaves the company and person B is assigned to take over all KBs produced by A.

Then person B cannot edit or delete any of the attachments in KBs created by A.

The same thing will happen throughout the entire platform, regardless of table, if you have a generic ACL that prevents anyone but the creator of the attachment from deleting it.

I would think carefully and evaluate pro/con before proceeding with such a solution.

Thanks OlaN, really good point!

Thankfully, I think it will be ok in this particular case, but will definitely make sure we test for this and put something in place if needed.