ACL not working: no write/create if Parent Closed/Canceled?

JP-ODU
Tera Guru

I thought I was trying to make a very basic change on our incident_task table, namely: it should not be possible to create or edit incident tasks if the parent incident is state: closed or canceled.

To that end, I went to the incident_task table and first tried editing the existing ACLs that control write and create based off of role: itil. I used the condition builder to dot-walk to Incident fields and added Condition: Incident.State | is not one of | Closed, Canceled

[screenshot]

However, this had the unintended effect of preventing the creation and editing of any incident tasks, at all? Even open, active incidents. 

2nd try: I removed the conditions from the itil ACLs. Then, I went to incident_task table and added two entirely new ACLs, one for write and one for create. They simply set the condition for write and create to Incident.State | is not one of | Closed, Canceled

But that's still not working? Now, the result is that I can still edit and create incident tasks on closed incidents, even with that ACL running.

3rd try: I went for the inverse. 2 ACLs, write and create, condition: Incident.State | is one of | New, Open, On Hold

But I can still create and edit incident tasks on closed incidents.

Can anyone please tell me what I'm doing wrong?

1 ACCEPTED SOLUTION

Yes, that would cause an issue.

As I mentioned above and specifically called out about the "incident" field...if the "incident" field is not filled in with the related incident record number...then how will the system know if the user should have access to it or not as you're dot-walking to it in your ACL and so it's not filled in?

You're dot-walking to the incident_task.incident.incident_state in your ACLs, but per what you're showing...it would need to be incident_task.parent.incident_state

OR...

You need to switch the related list showing on your incident records to be Incident Task -> Incident...instead of Incident Task -> Parent:

[screenshot]

Please mark reply as Helpful/Correct, if applicable. Thanks!

 


Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!
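
A minimal model of why the two conditions in this thread behave as they do when the ACL dot-walks through an empty `incident` reference while only `parent` is populated (added example, not code from the thread or from ServiceNow). The evaluator, record shapes and state labels are assumptions, including that an empty reference dot-walks to an empty value.

```javascript
// Simplified model of a dot-walked ACL condition; NOT ServiceNow's evaluator.
// Record shapes and state labels below are constructed for illustration.
const BLOCKED = ["Closed", "Canceled"];
const OPEN = ["New", "In Progress", "On Hold", "Resolved"];

// Dot-walk through a reference field; an empty reference yields "".
function dotWalk(record, path) {
  let cur = record;
  for (const key of path.split(".")) {
    if (cur === null || cur === undefined || cur === "") return "";
    cur = cur[key];
  }
  return cur === null || cur === undefined ? "" : cur;
}

// The two conditions tried in the thread.
const isNotOneOf = (task, path, set) => !set.includes(dotWalk(task, path));
const isOneOf = (task, path, set) => set.includes(dotWalk(task, path));

// Fail-closed variant: deny when the walked reference is empty.
function canWrite(task, path) {
  const state = dotWalk(task, path);
  if (state === "") return false; // no incident resolved: deny
  return !BLOCKED.includes(state);
}

// Constructed records: the related list fills `parent`, leaves `incident` empty.
const canceledInc = { number: "INC-EXAMPLE-1", incident_state: "Canceled" };
const openInc = { number: "INC-EXAMPLE-2", incident_state: "In Progress" };
const taskOnCanceled = { parent: canceledInc, incident: "" };
const taskOnOpen = { parent: openInc, incident: "" };

function report() {
  return {
    // Walking the empty field: "is not one of" allows everything...
    notOneOfCanceled: isNotOneOf(taskOnCanceled, "incident.incident_state", BLOCKED),
    // ...and "is one of" denies everything, even on an open incident.
    oneOfOpen: isOneOf(taskOnOpen, "incident.incident_state", OPEN),
    // Walking the populated field gives the intended result.
    parentCanceled: canWrite(taskOnCanceled, "parent.incident_state"),
    parentOpen: canWrite(taskOnOpen, "parent.incident_state"),
    // Fail-closed check on the empty field denies instead of silently allowing.
    emptyFailClosed: canWrite(taskOnCanceled, "incident.incident_state"),
  };
}

console.log(report());
```
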


12 REPLIES

Hi,

We can take this step by step if you'd like...but it was assumed you've done these checks already, my apologies for assuming.

Please verify this itil user you are impersonating does not have admin or some other higher level role...if that doesn't resolve your issue, then please...

Show a filtered list view for the incident_task and incident_task.* table "create" ACLs so we can verify what you're saying.

As I've mentioned above, it works, I've done it, I've spent the time on it, haha...so this isn't speculation on my side, but actual fact.

Let me know after looking into the above things if you still need assistance and we'll figure this out!


I wanted to be certain, so I created a new user named "Test 123," so that I could provision them exclusively with the itil role.

Using Test 123:

If the condition is Incident.incident state | is not one of | Closed, Canceled, then Test 123 is able to create incident tasks on closed and canceled incidents.

If the condition is Incident.incident state | is one of | New, In Progress, On Hold, Resolved, then Test 123 cannot see the New button for incident tasks on incidents of any state.

Filtering ACLs for name = incident_task or incident_task.* and Operation = create:

[screenshot]

Hi,

Thanks!

Can you now show a small screenshot of the incident in state of closed or cancelled?

Then show what the screen looks like when they click "New" on the incident task related list within that incident?

So my testing is going to an incident in the state of closed, example:

[screenshot]

Scrolling down the screen to the incident task related list:

[screenshot]

New does show up...but that's a separate thing from what we're talking about here. Click the New button and then with the incident reference field being populated, the form is read-only and they can't submit/save:

[screenshot]

Please verify that there is an incident in the incident reference field, as shown above, as this is how the ACL will know to prevent the creation or not. Otherwise, how would the system know?

AND...that you can actually create/submit the form?


Sure, in this case, I was working off an Incident I newly created in order to cancel:

[screenshot]

My test impersonation is able to open + save new incident tasks on the canceled incident, but I note a difference from yours in that the field they see on the form is "Parent" and not "Incident." Could that somehow be what's causing all this?

[screenshot]

I popped out of the test user to configure form layout and Incident is available, and turns out to not be filled in? That seems wrong, to me...

[screenshot]