ACL - Arghhh. Make all fields read only, except for 2

Josh80
Tera Expert

Hello

I've done a lot with ACLs, but for some reason I'm having difficulty with what I would think should be a simple thing.

LOCATIONS (cmn_location table)

I want to:

Disallow write access to all fields except for 2 fields (Contact and a custom 'comments' field).

ITIL can basically read locations, but only an onboarding group should be able to modify 'contact' and 'comments'.

For 'write' there's a 'cmn_location.*' that has no role attached; and cmn_location.u_comments and cmn_location.contact with the proper user role to allow them to edit. With this in place, the write is blocked by an out of box ACL. */write/record

If I use cmn_location/none with a specific role (admin only), all fields are still locked.

If I use cmn_location/none with Admin role AND cmn_location.*, all fields are still locked.

* | write | record | true
cmn_location.* | write | record | true | glide.maint | 2016-12-14 11:25:39
cmn_location.u_comments | write | record | true | 2016-12-14 11:17:13
cmn_location.contact | write | record | true | 2016-12-14 10:51:18
cmn_location.* | read | record | true | 2016-06-02 13:16:44

5 REPLIES

randrews
Tera Guru

check your table acl... you have to grant them write access to the table <no field name selected> for your write access to work...

then create a field.* on the table so only admins can write.. and then it should work..


Hi - thanks for the response.



So I thought I tried that.



Do I need the first 2 rules? If so, would I leave role(s) blank? Admin can override by checking the box...but there's no need to write to existing except through nightly load; no users should manually add locations.

WRITE: cmn_location.*
WRITE: cmn_location.none
WRITE: cmn_location.comments (onboarding role)
WRITE: cmn_location.contact (onboarding role)



On Wed, Dec 14, 2016 at 12:42 PM, randrews <


you need a write on cmn location. that allows your roles to write....

then you need a write on cmn.location.* with an admin role <this removes write access to ALL fields except for admins>

now you need a write on the two fields you want them to write to with their roles...

acl logic...

to write to a field you need permissions at the table level AND at the field level BOTH <but you only need ONE write acl at each of the two levels, table and field>

so if you have three table level acl's cmn.location. and you get write access on ONE of those acl's you can write to the table...

if you have five acls on the fields and one or more allows write access to that field ... you can write to the field.

if you can write to the TABLE and the Field you can edit it... I think your problem was you needed to create a cmn.location. acl to allow write to the table itself.
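
The two-level check described in the reply above, as an added example that is not part of the original thread and not ServiceNow's own code: a simplified JavaScript model showing which fields each role can write. The role name `onboarding`, the sample fields `name` and `city`, and treating admin as passing every rule are assumptions.

```javascript
// Simplified model of the write-ACL logic described in this thread.
// Not ServiceNow's engine: role checks only, one table, no conditions or scripts.
const TABLE = 'cmn_location';

// Rules as suggested in the replies. The role name 'onboarding' is an assumption.
const fixedAcls = [
  { name: 'cmn_location',            roles: ['onboarding'] }, // table level, no field
  { name: 'cmn_location.*',          roles: ['admin'] },      // fields without their own rule
  { name: 'cmn_location.contact',    roles: ['onboarding'] },
  { name: 'cmn_location.u_comments', roles: ['onboarding'] },
];

// The same field rules with the table-level rule missing.
const missingTableRule = fixedAcls.filter((acl) => acl.name !== TABLE);

// Assumption: "Admin overrides" is checked on every rule, so admin passes all of them.
// A rule with no roles passes for everyone.
const passes = (acl, userRoles) =>
  userRoles.includes('admin') ||
  acl.roles.length === 0 ||
  acl.roles.some((role) => userRoles.includes(role));

function canWrite(acls, userRoles, field) {
  // Level 1, table: one passing rule is enough. With no table-level rule the model
  // denies, standing in for the out-of-box * write rule the question reports as blocking.
  const tableRules = acls.filter((acl) => acl.name === TABLE);
  if (!tableRules.some((acl) => passes(acl, userRoles))) return false;

  // Level 2, field: rules named for the field take precedence over the wildcard.
  let fieldRules = acls.filter((acl) => acl.name === `${TABLE}.${field}`);
  if (fieldRules.length === 0) {
    fieldRules = acls.filter((acl) => acl.name === `${TABLE}.*`);
  }
  // With no field rule at all, the table-level result stands.
  return fieldRules.length === 0 || fieldRules.some((acl) => passes(acl, userRoles));
}

const writableFields = (acls, userRoles, fields) =>
  fields.filter((field) => canWrite(acls, userRoles, field));

// Constructed sample: 'name' and 'city' stand for any field without its own rule.
const FIELDS = ['name', 'city', 'contact', 'u_comments'];
for (const role of ['itil', 'onboarding', 'admin']) {
  console.log(role, '->', writableFields(fixedAcls, [role], FIELDS).join(', ') || '(none)');
}
console.log('onboarding, no table rule ->',
  writableFields(missingTableRule, ['onboarding'], FIELDS).join(', ') || '(none)');
```
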


Ok..it's clear again.


Thank you for taking the time.




