ACL restrict write to specific groups but allow everyone with itil role to write on Comments and Work Notes

JC S_ · ‎05-15-2019

We have a requirement to restrict write access on specific records to spceific groups only but anyone with itil role should be able to write on comments and work notes. Any idea on how to approach this ACL setup?

Tim Provin · ‎05-15-2019

You will need 2 table level write ACLs, one that will provide write access to your groups and one that will provide write access to the itil role. Then you will need a table.* write ACL to provide field level write to the specific groups and NOT the itil role. Finally you will need table.comments and table.work_notes write ACLs that allow write access for the itil role.

In order to get the specific groups, you will need to write a script in the ACL that checks to see if the user is a member of the specific group(s).

If you only wanted members of the record's assignment group to be able to write you would do something like this.

answer = gs.getUser().isMemberOf(current.assignment_group.toString())

JC S_ · ‎05-15-2019

Hi Tim - tried this setup but work notes and comments are still not available to the user with itil role if record is not assigned to their group.

Tim Provin · ‎05-15-2019

And now that I am looking at it, I realize I was off by a little bit so I updated my original reply. You need 2 table level write ACLs. The first should just have the itil role on it, and the second should have just the script. ACLs require all the different pieces to evaluate to true (roles, condition, and script) so the single table level is locking it to users in the assignment group that have the itil role. Sorry for the miss on my part.

JC S_ · ‎05-15-2019

Hi Tim - appreciate your help on this. tried the 5 ACL setup then 1 table level with itil role condition and another with just the group script. However, now any group with itil can update any field on tasks.