ACL Help - Restricting users from seeing records on sc_req_item not working as expected

Peter P
Tera Contributor

Hello everyone!

Need some ACL help, and I have a feeling my existing configuration is giving me trouble.

I have a project ask where we have a new catalog form "Employee Access Request". The RITM records for this submission need to be restricted to only those users who have the 'itil' role and a newly created role named 'ESAR'.

I've attempted creating a new ACL with the following filled in, but the records still appear for users without the 'ESAR' role:

I've updated what I believe is the main ACL for the sc_req_item table, and added in a condition where 'item != ESAR', and the record does disappear. Though, my newly created ACL doesn't seem to give appropriate access.

New ACL:

PeterP_4-1725486961856.png

Existing ACL:

PeterP_1-1725486735541.png

Associated script:

PeterP_2-1725486749887.png

The way I understand it:

The existing ACL allows access to all records on the sc_req_item table as long as they match the conditions in the script (the user who opened the request can view, the requested-for user can view, and users with 'itil' and 'sn_request_write' can view). This ACL filters out the item. The newly created ACL should give access to those requests, but doesn't.

Any help with this puzzle is greatly appreciated!

Thanks everyone!


HIROSHI SATOH
Mega Sage

It's easy to widen an ACL, but difficult to narrow it. When narrowing, you need to check not only the ACL of the target table, but also the ACL of the extended table. If even one condition is satisfied, you can refer to it.

Also, the condition "ITEM IS ESAR" has nothing to do with roles. Is this intentional?

Hi Hiroshi,

I'll check out the extended table as well.

The condition for 'Item is ESAR' is (what I believe) to narrow down what the ACL will affect. In this case, the condition shows '2 records match conditions'. I have only two records on the sc_req_item table with the Item name of 'ESAR' currently.
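Hiroshi's point that any one passing ACL is enough to grant access, set against the two configurations Peter describes, as an added JavaScript model that is not code from the thread or from ServiceNow: the record fields, user names, the "any listed role" check and the omission of parent-table (task) ACLs are assumptions of the model.

```javascript
// Simplified model of how several ServiceNow read ACLs on one table combine.
// Added illustration, not ServiceNow's engine: within one ACL the role check,
// condition and script must all pass (AND); across ACLs on the same table,
// any one that passes grants access (OR). Parent-table (task) ACLs, which
// Hiroshi says must also be checked, are left out of this model.

function makeAcl(name, roles, condition, script) {
  return { name, roles, condition, script };
}

// One ACL grants only if every part of it passes. Role check modelled as
// "user holds at least one listed role"; an empty list means no role required.
function aclGrants(acl, record, user) {
  const hasRole = acl.roles.length === 0 || acl.roles.some(r => user.roles.includes(r));
  return hasRole && acl.condition(record) && acl.script(record, user);
}

// Names of the ACLs that grant read on this record; non-empty means visible.
function canRead(acls, record, user) {
  return acls.filter(a => aclGrants(a, record, user)).map(a => a.name);
}

// Constructed sample data shaped like the thread's scenario.
const esarRitm = { item: 'ESAR', opened_by: 'alice', requested_for: 'bob' };
const otherRitm = { item: 'Laptop', opened_by: 'alice', requested_for: 'bob' };
const itilUser = { id: 'carol', roles: ['itil'] };
const esarUser = { id: 'dave', roles: ['itil', 'ESAR'] };

// Existing broad ACL script as the poster describes it.
const existingScript = (rec, user) =>
  rec.opened_by === user.id || rec.requested_for === user.id ||
  user.roles.includes('itil') || user.roles.includes('sn_request_write');
const existingBroad = makeAcl('existing', [], () => true, existingScript);
// New ACL: ESAR role plus the 'Item is ESAR' condition.
const newEsarOnly = makeAcl('new ESAR', ['ESAR'], rec => rec.item === 'ESAR', () => true);

// First attempt: broad ACL untouched, narrow ACL added beside it.
const attempt1 = [existingBroad, newEsarOnly];
// Second attempt: broad ACL given 'item != ESAR', so ESAR records are only
// reachable through the new ACL, which must then pass on its own.
const existingNarrowed = makeAcl('existing', [], rec => rec.item !== 'ESAR', existingScript);
const attempt2 = [existingNarrowed, newEsarOnly];

console.log(canRead(attempt1, esarRitm, itilUser)); // ['existing']: still visible
console.log(canRead(attempt2, esarRitm, itilUser)); // []: hidden
console.log(canRead(attempt2, esarRitm, esarUser)); // ['new ESAR']
```

The model shows why adding a narrow ACL alone cannot hide anything: the broad ACL keeps granting, so the restriction only takes effect once the broad rule excludes ESAR items and the new rule passes for ESAR users by itself.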