ACLs and Views - having trouble getting specific fields to show in ESS view

Mickey_Cegon
Tera Expert

We have just recently started using the ESS homepage for our clients to be able to view their own Incidents and Requests. Currently, when they launch a record from their homepage, the Incident form is locked down. I would like to be able to allow clients to add Comments from the form, and see their comments in the Activity log as well. But I can't seem to get the field to show up. All I get is the label. I added an ACL for read/write/create and set the condition: caller_id = javascript:gs.getUserID()

But, when I impersonate an ESS user, I still can't see or edit the Additional Comments field. What am I missing? Is there something else, like the view that is locking the form down, so that I can't overwrite that with ACLs? We're still on June 11 version, not on Aspen yet. I know that the ACL stuff is changing, so maybe I should just wait until we upgrade, and then revisit this if I'm going to end up having to change it then.

Masha
Kilo Guru

You can turn on Security Debug, which will give you an option to see what security rules are applied for the field. If you impersonate an ESS user you will be able to see if there are any security rules that evaluate to false for that user. I would also check UI policies and client scripts (through global search if you have too many) to make sure none of them are setting your field to read only.

Also I had a question: what do you mean you only see a label? Is the greyed out box still there?


The Comments field only shows the header bar that says Additional Comments:, but the box below where you would type something is not there. I turned on the debug, and the symbol doesn't show up on that field at all, but it does on all the rest of them. If I log in as admin, and just use the Self Service view, I can see the field, and the label says Additional Comments (Customer Visable): the green box to type in is there. And the debug says:
record/incident.comments/read = true (0:00:00.000)
record/incident.comments/write = true (0:00:00.000)
ROW : incident/write = true (0:00:00.000)
FIELD : incident.comments/write = true (0:00:00.000)

Here's the output of the log when I launch an incident as Joe Employee from the ESS homepage:

06:16:44:PM.550: TIME = 0:00:00.000 PATH = ui_page/incident/read RULE = (()) RC = true
06:16:44:PM.574: : query restricted to user: 681ccaf9c0a8016400b98a06818d57c7
06:16:44:PM.588: TIME = 0:00:00.000 PATH = record/incident/write RULE = ((((hasRole(itil) )))) RC = false
06:16:44:PM.589: TIME = 0:00:00.000 PATH = record/incident/create RULE = () RC = true
06:16:44:PM.589: TIME = 0:00:00.000 PATH = record/incident/create RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = true
06:16:44:PM.594: TIME = 0:00:00.000 PATH = record/incident/write RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = false
06:16:44:PM.594: TIME = 0:00:00.000 PATH = record/incident/write RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = false
06:16:44:PM.594: TIME = 0:00:00.000 PATH = record/incident/write RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = false
06:16:44:PM.594: TIME = 0:00:00.000 PATH = record/incident/create RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = true
06:16:44:PM.594: TIME = 0:00:00.000 PATH = record/incident/create RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = true
06:16:44:PM.594: TIME = 0:00:00.000 PATH = record/incident/write RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = false
06:16:44:PM.595: TIME = 0:00:00.000 PATH = record/incident/delete RULE = ((((hasRole(itil_admin) )) SEQ ((hasRole(admin) )))) RC = false
06:16:44:PM.595: TIME = 0:00:00.000 PATH = record/incident/write RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = false
06:16:44:PM.596: TIME = 0:00:00.000 PATH = record/incident/create RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = true
06:16:44:PM.596: TIME = 0:00:00.000 PATH = record/incident/create RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = true
06:16:44:PM.598: TIME = 0:00:00.000 PATH = record/incident/write RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = false
06:16:44:PM.598: TIME = 0:00:00.000 PATH = record/incident.number/read RULE = ((((hasRole(public) )))) RC = true
06:16:44:PM.599: TIME = 0:00:00.001 PATH = record/incident.number/write RULE = ((((hasRole(itil) ))) AND (((hasRole() AND script=false;)))) RC = false
06:16:44:PM.600: TIME = 0:00:00.000 PATH = record/incident.caller_id/read RULE = () RC = true
06:16:44:PM.600: TIME = 0:00:00.000 PATH = record/sys_user.u_name_id/read RULE = () RC = true
06:16:44:PM.600: TIME = 0:00:00.000 PATH = record/incident.caller_id/write RULE = ((((hasRole(itil) )))) RC = false
06:16:44:PM.603: TIME = 0:00:00.000 PATH = record/incident.opened_at/read RULE = () RC = true
06:16:44:PM.604: TIME = 0:00:00.001 PATH = record/incident.opened_at/write RULE = ((((hasRole(itil) ))) AND (((hasRole() AND script=false;)))) RC = false
06:16:44:PM.604: TIME = 0:00:00.000 PATH = record/incident.closed_at/read RULE = () RC = true
06:16:44:PM.605: TIME = 0:00:00.000 PATH = record/incident.closed_at/write RULE = ((((hasRole(itil) ))) AND (((hasRole() AND script=false;)))) RC = false
06:16:44:PM.606: TIME = 0:00:00.000 PATH = record/incident.state/read RULE = () RC = true
06:16:44:PM.606: TIME = 0:00:00.000 PATH = record/incident.state/write RULE = ((((hasRole(itil) ))) AND (((hasRole(itil,itil_admin) )))) RC = false
06:16:44:PM.607: TIME = 0:00:00.000 PATH = record/incident.short_description/read RULE = () RC = true
06:16:44:PM.607: TIME = 0:00:00.000 PATH = record/incident.short_description/write RULE = ((((hasRole(itil) ))) AND (((hasRole() )))) RC = false
06:16:44:PM.608: TIME = 0:00:00.000 PATH = record/incident.comments/read RULE = () RC = true
06:16:44:PM.608: TIME = 0:00:00.000 PATH = record/incident.comments/write RULE = ((((hasRole(itil) ))) AND (((hasRole() AND script=answer = true;)))) RC = false
06:16:44:PM.610: : query restricted to user: 681ccaf9c0a8016400b98a06818d57c7
06:16:44:PM.612: TIME = 0:00:00.000 PATH = record/incident.assigned_to/read RULE = () RC = true
06:16:44:PM.612: TIME = 0:00:00.000 PATH = record/sys_user.u_name_id/read RULE = Evaluated from cache RC = true
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/incident.assignment_group/read RULE = () RC = true
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/sys_user_group.name/read RULE = () RC = true
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/incident.comments/read RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = true
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/incident.caller_id/read RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = true
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/sys_user.u_name_id/read RULE = Evaluated from cache RC = true
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/incident.category/read RULE = () RC = true
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/incident.subcategory/read RULE = () RC = true
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/incident.cmdb_ci/read RULE = () RC = true
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/cmdb_ci.name/read RULE = ((((hasRole(itil) )))) RC = false
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/incident.state/read RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = true
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/incident.close_code/read RULE = ((((hasRole(itil) )))) RC = false
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/incident.close_notes/read RULE = ((((hasRole(itil) )))) RC = false
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/incident.closed_at/read RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = true
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/incident.closed_by/read RULE = () RC = true
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/sys_user.u_name_id/read RULE = Evaluated from cache RC = true
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/incident.impact/read RULE = () RC = true
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/incident.urgency/read RULE = () RC = true
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/incident.priority/read RULE = () RC = true
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/incident.u_parent_incident/read RULE = () RC = true
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/incident.number/read RULE = ((((hasRole(public) )))) RC = true
06:16:44:PM.613: TIME = 0:00:00.000 PATH = record/incident.work_notes/read RULE = ((((hasRole(itil) )))) RC = false
06:16:44:PM.654: : query restricted to user: 681ccaf9c0a8016400b98a06818d57c7
06:16:44:PM.815: TIME = 0:00:00.000 PATH = record/incident.u_comments_and_work_notes/read RULE = () RC = true
06:16:44:PM.816: TIME = 0:00:00.000 PATH = record/incident.u_comments_and_work_notes/write RULE = ((((hasRole(itil) )))) RC = false
06:16:44:PM.816: TIME = 0:00:00.000 PATH = record/incident.u_comments_and_work_notes/read RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = true
06:16:44:PM.816: TIME = 0:00:00.000 PATH = record/task/read RULE = () RC = true
06:16:44:PM.816: TIME = 0:00:00.000 PATH = record/task.comments/read RULE = () RC = true
06:16:44:PM.816: TIME = 0:00:00.000 PATH = record/task/read RULE = Evaluated from cache RC = true
06:16:44:PM.816: TIME = 0:00:00.000 PATH = record/task.work_notes/read RULE = ((((hasRole(itil) )))) RC = false
06:16:44:PM.820: TIME = 0:00:00.000 PATH = record/incident/write RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = false
06:16:44:PM.820: TIME = 0:00:00.000 PATH = record/incident/write RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = false
06:16:44:PM.820: TIME = 0:00:00.000 PATH = record/incident/create RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = true
06:16:44:PM.820: TIME = 0:00:00.000 PATH = record/incident/create RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = true
06:16:44:PM.820: TIME = 0:00:00.000 PATH = record/incident/write RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = false
06:16:44:PM.820: TIME = 0:00:00.000 PATH = record/incident/delete RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = false


Masha
Kilo Guru

06:16:44:PM.608: TIME = 0:00:00.000 PATH = record/incident.comments/write RULE = ((((hasRole(itil) ))) AND (((hasRole() AND script=answer = true;)))) RC = false

It looks like you need the itil role to write to this field. What is the ACL for comments on Task?


Mickey_Cegon
Tera Expert

I added the field on the Task form, and impersonated Joe Employee:


11:48:38:AM.941: TIME = 0:00:00.000 PATH = record/task.comments/read RULE = () RC = true
11:48:38:AM.941: TIME = 0:00:00.000 PATH = record/task.comments/write RULE = ((((hasRole(itil,task_editor) )))) RC = false
11:48:38:AM.941: TIME = 0:00:00.000 PATH = record/task.comments/create RULE = ((((hasRole() AND script=var sm = Packages.com.glide.sys.security.GlideSecurityManager.get(); var checkMe = 'record/' + root_rule + '/write'; answer = sm.hasRightsTo(checkMe, current); )))) RC = false

Since we want to be able to allow our customers to add Comments throughout the modules, would I need to change the permissions on the Task table ACL?
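
Added example, not part of the thread or of ServiceNow's own tooling: a small Node.js parser for the security debug output pasted above that skips the cache and query lines and lists every denied ACL decision for one field, with the roles its rule names. The function names `parseAclDebug` and `deniedForField` are hypothetical, and the sample lines are copied from the posts above.

```javascript
// Sample input: debug lines copied from the posts in this thread.
const SAMPLE = [
  "06:16:44:PM.588: TIME = 0:00:00.000 PATH = record/incident/write RULE = ((((hasRole(itil) )))) RC = false",
  "06:16:44:PM.594: TIME = 0:00:00.000 PATH = record/incident/write RULE = Evaluated from cache for sys_id :2268d14f877b580036915cb4ba434d23 RC = false",
  "06:16:44:PM.608: TIME = 0:00:00.000 PATH = record/incident.comments/read RULE = () RC = true",
  "06:16:44:PM.608: TIME = 0:00:00.000 PATH = record/incident.comments/write RULE = ((((hasRole(itil) ))) AND (((hasRole() AND script=answer = true;)))) RC = false",
  "06:16:44:PM.610: : query restricted to user: 681ccaf9c0a8016400b98a06818d57c7",
  "11:48:38:AM.941: TIME = 0:00:00.000 PATH = record/task.comments/write RULE = ((((hasRole(itil,task_editor) )))) RC = false",
].join("\n");

// PATH = <type>/<table[.field]>/<operation> RULE = <rule text> RC = <result>
const LINE_RE = /PATH = (\S+)\/(\w+) RULE = (.*) RC = (true|false)\s*$/;

function parseAclDebug(text) {
  const entries = [];
  for (const line of text.split(/\r?\n/)) {
    const m = LINE_RE.exec(line);
    if (!m) continue; // lines without a PATH, e.g. "query restricted to user"
    const [, resource, operation, rule, rc] = m;
    // Cache hits repeat an earlier decision and do not show the rule itself.
    const cached = rule.startsWith("Evaluated from cache");
    // Collect role names from hasRole(...); an empty hasRole() names no role.
    const roles = new Set();
    for (const r of rule.matchAll(/hasRole\(([^)]*)\)/g)) {
      r[1].split(",").map((s) => s.trim()).filter(Boolean)
        .forEach((name) => roles.add(name));
    }
    entries.push({ resource, operation, rule, cached,
                   allowed: rc === "true", roles: [...roles] });
  }
  return entries;
}

// Denied, non-cached decisions for one field name on any table in the log.
function deniedForField(entries, field) {
  return entries
    .filter((e) => !e.allowed && !e.cached && e.resource.endsWith("." + field))
    .map((e) => ({ acl: `${e.resource}/${e.operation}`, roles: e.roles }));
}

console.log(deniedForField(parseAclDebug(SAMPLE), "comments"));
```

Run against the full output, this shows the write on `comments` being denied on both the incident and task rules, each of which names a role the ESS user does not hold.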