
ACL Script help

will_smith
Mega Guru

Hello, I am needing some help with an ACL on a custom table. I have a UI action that is run from the incident table that shows the u_temp_credential table and writes some fields to it. Then ONLY the logged in user should be able to see the u_temp_credential table to see the username that was created just for them. When I impersonate the user I get a security constraints error. I appreciate all of your help from the start, as I'm learning ACLs - they remind me of Windows server group policies, ugh!

For an ACL, is a record type the same as a field on a form?

ACL-WESCODEV - ServiceNOW.png

// Read ACL script: the ACL passes only when ifScript() returns true
answer = ifScript();

function ifScript() {
    //gs.log('ACL: sys_class_name is ' + current.u_parent.sys_class_name);

    // u_parent is a reference to the task record the credential was created from;
    // branch on its class to know which field names the owner
    if (current.u_parent.sys_class_name == 'sc_req_item') {
        //gs.log('ACL: table is sc_req_item');
        // Requested item: allow the person it was requested for or who opened it
        if (current.u_parent.u_requested_for == gs.getUserID() || current.u_parent.opened_by == gs.getUserID()) {
            return true;
        }
    } else if (current.u_parent.sys_class_name == 'incident') {
        //gs.log('ACL: table is incident');
        // Incident: allow only the caller
        if (current.u_parent.caller_id == gs.getUserID()) {
            return true;
        }
    }

    // Default deny for any other parent class or any other user
    return false;
}

1 ACCEPTED SOLUTION

You need two read ACLs...

1. Table level (u_temp_credential.)

ACL1.png

2. Record level (u_temp_credential.*)

ACL2.png

To put security on individual fields, you need to put the appropriate type of ACL on the field (u_temp_credential.u_password).

Type should always be Record (for what you are doing).

Operation should determine what they can do (Create, Read, Write, Delete).

If the table was created and a role was associated with it (typical action) and you overwrote the original read table ACL, then you will want to remove the role associated, as the ACL requires the script to be true, the user to have the role, and the condition to be true.

To make this easier (now that I have more time), you can do this all using the condition builder instead of writing a script (my example is based on the incident table).

ACL_Conditions.png


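As an added example (not code from the thread or from ServiceNow itself), the offline JavaScript model below shows the two rules stated above: one read ACL passes only when its role, condition and script parts all pass, and a row is readable only when both the table-level ACL (u_temp_credential) and the record-level ACL (u_temp_credential.*) pass. The functions aclPasses and canReadRow, the role name u_temp_credential_user and the sample records are assumptions made for the demonstration; field names follow the thread.

```javascript
// Added example, not from the thread: an offline model of ServiceNow read ACL
// evaluation. aclPasses / canReadRow and the sample data are constructed here.

// One ACL passes only if ALL of its parts pass: roles, condition, script.
function aclPasses(acl, user, record) {
    var roleOk = acl.roles.length === 0 ||
        acl.roles.some(function (r) { return user.roles.indexOf(r) !== -1; });
    var condOk = acl.condition ? acl.condition(record, user) : true;
    var scriptOk = acl.script ? acl.script(record, user) : true;
    return roleOk && condOk && scriptOk;
}

// Reading a row needs the table-level ACL AND the record-level ACL to pass.
function canReadRow(tableAcl, rowAcl, user, record) {
    return aclPasses(tableAcl, user, record) && aclPasses(rowAcl, user, record);
}

// The record-level script from the question, written defensively: deny when
// there is no parent, compare IDs as strings, default to false.
function tempCredentialScript(record, user) {
    var parent = record.u_parent;
    if (!parent) return false;
    var uid = String(user.sys_id);
    if (parent.sys_class_name === 'sc_req_item') {
        return String(parent.u_requested_for) === uid || String(parent.opened_by) === uid;
    }
    if (parent.sys_class_name === 'incident') {
        return String(parent.caller_id) === uid;
    }
    return false;
}

// Record-level ACL (u_temp_credential.*): no role, script only.
var rowAcl = { roles: [], script: tempCredentialScript };
// Table-level ACL (u_temp_credential) after the role was removed...
var tableAclNoRole = { roles: [] };
// ...and with the auto-created role still attached (assumed role name).
var tableAclWithRole = { roles: ['u_temp_credential_user'] };

// Constructed sample data: an end user with no roles and three credential rows.
var endUser = { sys_id: 'user001', roles: [] };
var ownRow = { u_parent: { sys_class_name: 'incident', caller_id: 'user001' } };
var otherRow = { u_parent: { sys_class_name: 'incident', caller_id: 'user999' } };
var orphanRow = { u_parent: null };

// Rows the user may read under a given pair of ACLs.
function visibleRows(tableAcl, rowAcl, user, rows) {
    return rows.filter(function (r) { return canReadRow(tableAcl, rowAcl, user, r); });
}
```

With the role removed the user sees only ownRow; with the role left on the table-level ACL the user sees nothing, even though the script returns true for ownRow, which is the symptom described in the question.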

43 REPLIES

mike.allgire, I am going through the condition builder and am not seeing Parent.TaskType... Can you walk me through the dots of how you got to that option please?


You are using a custom table, so the parent field may not be there (or maybe it is labelled differently); however if you have a related field (say to the request or incident) that allows you to click and get to that record through that related field, then you can use that field and hit the task type from there. If you are looking at configuration, then it will be the Class and not Task Type.


will_smith
Mega Guru

Thank you very much for taking time to spell it out. Why do I need two read ACLs though, for table and record level? Doesn't <table>.* do both? I need more reading and comprehension on ACLs, but this is helpful. Thanks again mike.allgire!


That answer is due to what you are attempting to do: you want to grant the user access to the table, and you want to restrict which records you want them to see. Also, <table>.* is line/row/record level. <table>. is table level.


will_smith
Mega Guru

I can't seem to find requested_for on the request table in the condition builder inside the ACLs. Can someone give me a hand? I am trying to replicate the script in the condition builder, and have gotten much farther with Mike's help, but I just can't find this requested_for field on the request table (which extends Task).



Thank you in advance!


find_real_file.png