ACL not working: no write/create if Parent Closed/Canceled?

JP-ODU · ‎01-03-2022

I thought I was trying to make a very basic change on our incident_task table, namely: it should not be possible to create or edit incident tasks if the parent incident is state: closed or canceled.

To that end, I went to the incident_task table and first tried editing the existing ACLs that control write and create based off of role: itil. I used the condition builder to dot-walk to Incident fields and added Condition: Incident.State | is not one of | Closed, Canceled

However, this had the unintended effect of preventing the creation and editing of any incident tasks, at all? Even open, active incidents.

2nd try: I removed the conditions from the itil ACLs. Then, I went to incident_task table and added two entirely new ACLs, one for write and one for create. They simply set the condition for write and create to Incident.State | is not one of | Closed, Canceled

But that's still not working? Now, the result is that I can still edit and create incident tasks on closed incidents, even with that ACL running.

3rd try: I went for the inverse. 2 ACLs, write and create, condition: Incident.State | is one of | New, Open, On Hold

But I can still create and edit incident tasks on closed incidents.

Can anyone please tell me what I'm doing wrong?

Allen Andreas · ‎01-03-2022

Yes, that would cause an issue.

As I mentioned above and specifically called out about the "incident" field...if the "incident" field is not filled in with the related incident record number...then how will the system know if the user should have access to it or not as you're dot-walking to it in your ACL and so it's not filled in?

You're dot-walking to the incident_task.incident.incident_state in your ACLs, but per what you're showing...it would need to be incident_task.parent.incident_state

OR...

You need to switch the related list showing on your incident records to be Incident Task -> Incident...instead of Incident Task -> Parent:

Please mark reply as Helpful/Correct, if applicable. Thanks!

Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

View solution in original post

Allen Andreas · ‎01-03-2022

Yes, that would cause an issue.

As I mentioned above and specifically called out about the "incident" field...if the "incident" field is not filled in with the related incident record number...then how will the system know if the user should have access to it or not as you're dot-walking to it in your ACL and so it's not filled in?

You're dot-walking to the incident_task.incident.incident_state in your ACLs, but per what you're showing...it would need to be incident_task.parent.incident_state

OR...

You need to switch the related list showing on your incident records to be Incident Task -> Incident...instead of Incident Task -> Parent:

Please mark reply as Helpful/Correct, if applicable. Thanks!

Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

Allen Andreas · ‎01-04-2022

Hi @JP-ODU

I'm glad I was able to help resolve your issue.

If you don't mind, please review this reply chain and mark any reply as "Helpful" if it was helpful to you. This required a bit of back and forth and even some testing on my end. Along the way, various troubleshooting suggestions were provided.

Thanks and take care! 🙂

Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

JP-ODU · ‎01-04-2022

Absolutely! Sorry, having a scattered morning. I very much appreciate your help, without the back and forth I doubt I would've found the exception any time soon