ACL Script help

will_smith · ‎12-04-2015

Hello, I am needing some help with an ACL on a custom table. I have a UI action that is ran from the incident table that shows the u_temp_credential table and writes some fields to it. Then ONLY the logged in user should be able to see the u_temp_credential table to see the username that was created just for them. When I impersonate the user I get a security constraints error. I appreciate all of your help from the start, as I'm learning ACL's - they remind me of Windows server group policies, ugh!

For an ACL, is a record type the same as a field on a form?

answer = ifScript();
function ifScript(){
   //gs.log('ACL: sys_class_name is ' + current.u_parent.sys_class_name);
   if(current.u_parent.sys_class_name == 'sc_req_item'){
   //gs.log('ACL: table is sc_req_item');
   if(current.u_parent.u_requested_for == gs.getUserID() || current.u_parent.opened_by == gs.getUserID()){
   return true;
   }
   } else if(current.u_parent.sys_class_name == 'incident') {
   //gs.log('ACL: table is incident');
   if(current.u_parent.caller_id == gs.getUserID()){
   return true;
   }
   }
   return false;
}

mike_allgire · ‎12-04-2015

You need two read ACLs...

1. Table level (u_temp_credential.)

2. Record level (u_temp_credential.*)

To put security on individual fields, then you need to put the appropriate type of ACL on the field (u_temp_credential.u_password).

Type should always be Record (for what you are doing).

Operation should determine what they can do (Create, Read, Write, Delete)

If the table was created and a role was associated with it (typical action) and you over-wrote the original read table ACL, then you will want to remove the role associated as the ACL requires the script to be true, the user to have the role, and the condition to be true.

To make this easier (now that I have more time), you can do this all using the condition builder instead of writing a script (my example is based on the incident table)

View solution in original post

mike_allgire · ‎12-04-2015

The ACL above is for the table only. If you want to restrict a line entry (record) on the table to a specific user, then you would need to add an ACL for Name is Temporary Credential - *.

Your ACL is only stating that the user can read the table; however you are basing the ability to read the table on line entry attributes.

will_smith · ‎12-04-2015

the ultimate goal here is to only have the fields readable for the passwords that apply to requester and requested for... how can I adjust my ACLs to make that happen?

mike_allgire · ‎12-04-2015

Add a second ACL for line level as stated in my previous reply. A user needs to be able to access the table and access the records within it. To do this, use your current ACL, change the second field for Name from "--None--" to "*"

will_smith · ‎12-04-2015

Thanks mike.allgire!

In the ACL window, table = table (obviously). Are field and record the same thing?

What is the dash in "Temporary Credential - *."? I have name = Temporary Credential.* right now, which as I understand means the table and all fields therein.

mike_allgire · ‎12-04-2015

Yeah, the dash was only in there to distinguish the two separate fields. Glad you got it figured out.