I thought I was trying to make a very basic change on our incident_task table, namely: it should not be possible to create or edit incident tasks if the parent incident is state: closed or canceled.
To that end, I went to the incident_task table and first tried editing the existing ACLs that control write and create based off of role: itil. I used the condition builder to dot-walk to Incident fields and added Condition: Incident.State | is not one of | Closed, Canceled
However, this had the unintended effect of preventing the creation and editing of any incident tasks, at all? Even open, active incidents.
2nd try: I removed the conditions from the itil ACLs. Then, I went to incident_task table and added two entirely new ACLs, one for write and one for create. They simply set the condition for write and create to Incident.State | is not one of | Closed, Canceled
But that's still not working? Now, the result is that I can still edit and create incident tasks on closed incidents, even with that ACL running.
3rd try: I went for the inverse. 2 ACLs, write and create, condition: Incident.State | is one of | New, Open, On Hold
But I can still create and edit incident tasks on closed incidents.
Can anyone please tell me what I'm doing wrong?
Yes, that would cause an issue.
As I mentioned above and specifically called out about the "incident" field...if the "incident" field is not filled in with the related incident record number...then how will the system know if the user should have access to it or not as you're dot-walking to it in your ACL and so it's not filled in?
You're dot-walking to the incident_task.incident.incident_state in your ACLs, but per what you're showing...it would need to be incident_task.parent.incident_state
OR...
You need to switch the related list showing on your incident records to be Incident Task -> Incident...instead of Incident Task -> Parent:
Please mark reply as Helpful/Correct, if applicable. Thanks!
Hi,
Sorry, your post is a bit confusing because you're saying:
"To that end, I went to the incident_task table and first tried editing the existing ACLs that control write and edit based off of role: itil. I used the condition builder to dot-walk to Incident fields and added Condition: Incident.State | is not one of | Closed, Canceled"
So what you've mentioned above doesn't affect "create". That is a separate ACL type.
I want to make sure we're talking about the same ACL type as for starters, you would review all "create" ACL's for this table, then, if they are currently allowed to do 'x' and you don't want that, you'd edit the current ACL to prevent 'x'.
It sounds like you're saying you did that, but I'm not seeing a specific callout for "create" ACL type and instead see "write/edit" and then some unintended outcomes dealing with create...but not clear.
Out of box on my personal developer instance, there's 2 "create" ACLs for the incident_task table. You'd have to ensure in both of those that the user wouldn't pass those ACLs. So you'd need to look at both and see and/or adjust.
I've just tested this myself by disabling 1 of the 2 ACLs, and then adjusting the remaining one ACL (which has itil role involved) to this:
And while the "new" button shows on the incident task related list on a closed incident (that's a separate thing you need to adjust), if they click the new button, the entire form is grayed out and they can't submit:
Please mark reply as Helpful/Correct, if applicable. Thanks!
Sorry, I'm attempting to make sure we're aligned, but my results still don't seem to be the same.
1. I deleted my trial ACLs
2. I ensured that there is a single create ACL on the incident_task table (the one for role: itil)
3. I modified that one ACL to add condition: Incident.Incident state | is not one of | Closed, Canceled, matching your screenshot
4. Impersonating an itil user, they're able to create new incident tasks on canceled and closed incidents. The New button appears, opens to a form with active, fillable fields, and allows them to save a fresh, new incident task to closed and canceled incidents
I don't understand what's missing
5. If I flip it, taking the single create ACL (requires role: itil) and setting the condition to Incident.Incident state | is one of | New, In Progress, On Hold, or Resolved then the "New" button is removed from the incident task form for itil users, regardless of state
