ACL restrict write to specific groups but allow everyone with itil role to write on Comments and Work Notes

JC S_
Mega Guru

We have a requirement to restrict write access on specific records to specific groups only but anyone with itil role should be able to write on comments and work notes. Any idea on how to approach this ACL setup?


Tim Provin
Mega Guru

You will need 2 table level write ACLs, one that will provide write access to your groups and one that will provide write access to the itil role.  Then you will need a table.* write ACL to provide field level write to the specific groups and NOT the itil role.  Finally you will need table.comments and table.work_notes write ACLs that allow write access for the itil role.

In order to get the specific groups, you will need to write a script in the ACL that checks to see if the user is a member of the specific group(s).

 

If you only wanted members of the record's assignment group to be able to write you would do something like this.

// Grant only when the current user belongs to the record's assignment group
answer = gs.getUser().isMemberOf(current.assignment_group.toString());

Hi Tim - tried this setup but work notes and comments are still not available to the user with itil role if record is not assigned to their group.


And now that I am looking at it, I realize I was off by a little bit so I updated my original reply.  You need 2 table level write ACLs.  The first should just have the itil role on it, and the second should have just the script.  ACLs require all the different pieces to evaluate to true (roles, condition, and script) so the single table level is locking it to users in the assignment group that have the itil role.  Sorry for the miss on my part.
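A model of the evaluation rules behind Tim's layout (the five ACLs from his first reply and the two separate table-level ACLs from the correction), added here as an illustration and not code from the thread or from ServiceNow; the user/record objects, `aclPasses`, `anyPass` and `canWrite` are assumed names for this model only.

```javascript
// Added model of ServiceNow write-ACL evaluation, built from Tim's replies.
// Object names and helpers are assumptions for this model, not ServiceNow APIs.

// Within one ACL every part that is set must pass: role AND script.
// (The condition-builder part is omitted; it ANDs in the same way.)
function aclPasses(acl, user, record) {
  const roleOk = !acl.role || user.roles.includes(acl.role);
  const scriptOk = !acl.script || acl.script(user, record);
  return roleOk && scriptOk;
}

// Across ACLs on the same object, any single passing ACL is enough.
function anyPass(acls, user, record) {
  return acls.length > 0 && acls.some(a => aclPasses(a, user, record));
}

// A field write needs the table-level rule to pass, then the most specific
// field rule: table.field if one exists, otherwise table.*.
function canWrite(acls, user, record, field) {
  const byName = name => acls.filter(a => a.name === name);
  if (!anyPass(byName('task'), user, record)) return false;
  const exact = byName('task.' + field);
  if (exact.length) return anyPass(exact, user, record);
  const wildcard = byName('task.*');
  if (wildcard.length) return anyPass(wildcard, user, record);
  return true;
}

// Stand-in for gs.getUser().isMemberOf(current.assignment_group).
const inAssignmentGroup = (user, record) => user.groups.includes(record.assignment_group);

// The five ACLs as described in the thread (constructed for this model).
const ACLS = [
  { name: 'task', role: 'itil' },                 // table level, role only
  { name: 'task', script: inAssignmentGroup },    // table level, script only
  { name: 'task.*', script: inAssignmentGroup },  // all other fields: group only
  { name: 'task.comments', role: 'itil' },
  { name: 'task.work_notes', role: 'itil' },
];

// The layout Tim corrected: role and script in ONE table-level ACL.
const COMBINED = [
  { name: 'task', role: 'itil', script: inAssignmentGroup }, ...ACLS.slice(2),
];

// Constructed sample data: an itil user outside the group, and one inside it.
const record   = { assignment_group: 'network' };
const outsider = { roles: ['itil'], groups: ['desktop'] };
const member   = { roles: ['itil'], groups: ['network'] };
```

Under these rules the itil outsider can write comments and work_notes but not other fields, and the single combined table-level ACL reproduces the first reported symptom. The symptom in the final reply (any itil group updating any field) is not reproduced by these five rules alone.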

Hi Tim - appreciate your help on this. Tried the 5 ACL setup then 1 table level with itil role condition and another with just the group script. However, now any group with itil can update any field on tasks.
