ACLs for fields of different scope aren't working

Xarielah6351749
Tera Contributor

Hello,

Given the HR Lifecycle Event (sn_hr_le_case) table, I have applied 2 wildcard ACLs:

1. "sn_hr_le_case.*" with condition "HR Service is 123" that allows all fields only if the script returns true.

2. "sn_hr_le_case.*" with condition "HR Service is NOT 123", that is just the wildcard out of the box one.

Then I added a few field ACLs with condition "HR Service is 123" that generically allow access for the snc_internal role, and they show as expected.

The problem is with custom fields that were created for the HR LCE Case table but with a different scope - "Agent Workspace for HR Case Management". Those ACLs just don't work, and they are shown as orange "Passed" when using Access Analyzer.

Has anyone experienced that?

2 REPLIES

pavani_paluri
Tera Guru

Hi @Xarielah6351749 ,


ACLs are scope‑aware. They only apply to fields in the same application scope.
If a field is created in another scope, ACLs from your current scope won’t control it.
That’s why your wildcard ACL (sn_hr_le_case.*) doesn’t catch those custom fields.


Switch to the Agent Workspace for HR Case Management scope.
Create ACLs for those custom fields in that scope, using the same conditions you already use.
Make sure the right roles (like snc_internal) are included.
If you want one ACL to cover everything, you’ll need to duplicate the wildcard ACL in each scope where fields exist.

Mark it helpful if this helps you to understand. Accept solution if this gives you the answer you're looking for.
Kind Regards,
Pavani P

I did create a READ ACL for each field in its own correct scope. The fact is that this per-field ACL is not working and not exposing the field. I also created per-field ACLs in the table's scope, and those did work and expose the fields. Since they have the same configuration, I'm assuming that, since the fields aren't in the same scope as their table, their ACLs are just getting skipped.