02-10-2014 04:33 AM
Hi All,
Sorry if this is a silly question but I have read the wiki and still don't understand the difference between 2 types of ACL rule. What's the difference between <table> and <table>.* when used in an ACL? My instance seems to have both rules repeated on several tables and I don't understand if one is incorrect or if they serve different purposes. Maybe I have missed something in the wiki. If someone can explain it, maybe with an example, I would really appreciate it.
Thanks in advance.
Howard Elton.
02-10-2014 05:53 AM
Hi Howard,
It's not a silly question and in fact it's easy to understand when you know it.
I usually use an "image" of a house with rooms to explain it.
Your record (table.none) is a house
table.* means all the rooms
table.comments is one precise room (living room) of the house
So I'm a painter and you asked me to paint your living room.
You give me write access to table.* but not to table.none; that means I'll be able to modify fields (enter into the living room) BUT I won't be able to save the information (enter into the house).
And as I'm very polite, I won't try to enter by breaking the windows, so please, if you want me to paint your living room, give me access to your house.
Btw, take care when giving table.* because you're letting me have access (reading / writing) to all the rooms of the house, and sometimes we prefer to keep some doors closed, like the "office room", because we have private information there and I shouldn't (as a painter) have access to this information.
In that specific case, I'll give my painter:
- house.none write access
- house.living_room write access
- BUT not house.*
Hope this little explanation makes things clearer; if not, feel free to ask again.

02-10-2014 05:47 AM
Howard,
The difference between the two ACLs is as follows (I'm going to use incident to be specific):
incident write allows the users to write to the record
incident.* allows/disallows the users to write to the fields
incident.number allows/disallows the users to write to the field number
Specific ACLs trump less-specific ACLs, so if, say, you had the role itil associated with the incident write ACL and itil associated with incident.*, and then you had admin only on incident.number, the following would be true:
An ITIL user can update an incident and all fields except number
An Admin user can update all incident fields.
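The two answers above (the house/rooms picture and the incident example) can be checked with a small model. This is an added example, not part of any post in the thread and not ServiceNow's ACL engine: the function names, the rule objects and the two fallback behaviours marked in the comments are assumptions, and the sample admin user is constructed as holding both the admin and itil roles.

```javascript
// Simplified model of the rule types discussed in this thread.
// Rule names follow the posts: "incident" is the record-level rule
// ("table.none" in the house picture), "incident.*" covers all fields,
// "incident.number" covers one field.

// Returns true/false if a rule with this name exists, null if none exists.
function ruleAllows(rules, name, operation, userRoles) {
  const matching = rules.filter(r => r.name === name && r.operation === operation);
  if (matching.length === 0) return null;
  return matching.some(r => r.roles.some(role => userRoles.includes(role)));
}

function canAccessField(rules, userRoles, table, field, operation) {
  // 1. Record level ("the house"): must pass or nothing can be saved.
  //    Assumption of this model: no record-level rule means deny.
  if (ruleAllows(rules, table, operation, userRoles) !== true) return false;

  // 2. Field level ("the rooms"): the most specific existing rule decides,
  //    so incident.number is consulted before incident.*.
  for (const name of [`${table}.${field}`, `${table}.*`]) {
    const verdict = ruleAllows(rules, name, operation, userRoles);
    if (verdict !== null) return verdict;
  }

  // Assumption of this model: with no field-level rule at all,
  // the record-level result stands.
  return true;
}

// Constructed sample rules mirroring the incident example.
const incidentRules = [
  { name: 'incident',        operation: 'write', roles: ['itil'] },
  { name: 'incident.*',      operation: 'write', roles: ['itil'] },
  { name: 'incident.number', operation: 'write', roles: ['admin'] },
];

// Constructed sample rules mirroring the painter who was given
// table.* but not the record-level rule.
const houseRules = [
  { name: 'house.*', operation: 'write', roles: ['painter'] },
];

console.log(canAccessField(incidentRules, ['itil'], 'incident', 'short_description', 'write'));
console.log(canAccessField(incidentRules, ['itil'], 'incident', 'number', 'write'));
console.log(canAccessField(incidentRules, ['admin', 'itil'], 'incident', 'number', 'write'));
console.log(canAccessField(houseRules, ['painter'], 'house', 'living_room', 'write'));
```

Auditing an instance for `<table>.*` rules with broad roles and no narrower field rule beside them is the practical check that follows from the "office room" warning.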
02-10-2014 05:53 AM
Hi Jace,
I am not sure that I understand the distinction between writing to the record and being able to write to all the fields. I understand how it works with incident.number because it is specific, but isn't writing to the record and writing to any field the same thing? The penny hasn't dropped yet, sorry.
02-10-2014 05:59 AM
Thanks David,
Ok, that is starting to make sense now, thank you. I must go and have a play on my DEV environment and test it out.
Thanks for the quick and helpful answer.
Howard