‎12-04-2015 08:20 AM
Hello, I am needing some help with an ACL on a custom table. I have a UI action that is run from the incident table that shows the u_temp_credential table and writes some fields to it. Then ONLY the logged in user should be able to see the u_temp_credential table to see the username that was created just for them. When I impersonate the user I get a security constraints error. I appreciate all of your help from the start, as I'm learning ACLs - they remind me of Windows server group policies, ugh!
For an ACL, is a record type the same as a field on a form?
answer = ifScript();
function ifScript(){
    //gs.log('ACL: sys_class_name is ' + current.u_parent.sys_class_name);
    if(current.u_parent.sys_class_name == 'sc_req_item'){
        //gs.log('ACL: table is sc_req_item');
        if(current.u_parent.u_requested_for == gs.getUserID() || current.u_parent.opened_by == gs.getUserID()){
            return true;
        }
    } else if(current.u_parent.sys_class_name == 'incident') {
        //gs.log('ACL: table is incident');
        if(current.u_parent.caller_id == gs.getUserID()){
            return true;
        }
    }
    return false;
}
‎12-04-2015 01:25 PM
You need two read ACLs...
1. Table level (u_temp_credential.)
2. Record level (u_temp_credential.*)
To put security on individual fields, then you need to put the appropriate type of ACL on the field (u_temp_credential.u_password).
Type should always be Record (for what you are doing).
Operation should determine what they can do (Create, Read, Write, Delete)
If the table was created and a role was associated with it (typical action) and you over-wrote the original read table ACL, then you will want to remove the role associated as the ACL requires the script to be true, the user to have the role, and the condition to be true.
To make this easier (now that I have more time), you can do this all using the condition builder instead of writing a script (my example is based on the incident table)
‎01-14-2016 10:52 AM
Ok...I am going to do my best to keep up. The "requested_for" field would only be available to the sc_request table; therefore, if your parent record reference was 'sc_req_item', then you would want the IF condition to be "current.u_parent.request.requested_for".
‎01-08-2016 01:01 PM
Hey there mike.allgire, I could use a little more help on these ACLs if you have some more time. I have figured out the script and eliminated all of the field level ACLs for troubleshooting. But now what I am looking to do is in the list view, only show the items where u_for_user == gs.getUserID(). How would I implement this?
Is the list view connected to the table level or field level, when viewing a list?
Thank you in advance for all of your help!
‎01-14-2016 11:09 AM
The script above should probably be written as this. If none of these match, it should return false. You shouldn't need to add answer in there.
current.u_for_user == gs.getUser().getID() ||
(current.u_parent.sys_class_name == 'sc_req_item' &&
    (current.u_parent.request.requested_for == gs.getUser().getID() ||
     current.u_parent.opened_by == gs.getUser().getID())) ||
(current.u_parent.sys_class_name == 'incident' &&
    current.u_parent.caller_id == gs.getUser().getID())
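The logic from this thread as an added example (not part of the original posts and not ServiceNow's own code): a stand-alone JavaScript model of the record-level read script with the `request.requested_for` dot-walk, plus the rule that role, condition and script must all pass. The `aclAllows` helper, the sample users and the role name `u_temp_credential_user` are assumptions made for illustration.

```javascript
// Added example: plain-Node model of the read check, not ServiceNow's API.
// `current` is an ordinary object standing in for a u_temp_credential record.
function canReadCredential(current, userId) {
  if (!userId) return false;              // no session user: never match an empty u_for_user
  if (current.u_for_user === userId) return true;
  var parent = current.u_parent;
  if (!parent) return false;              // no parent task: deny
  if (parent.sys_class_name === 'sc_req_item') {
    // requested_for is on the parent request (sc_request), not on the item
    var request = parent.request || {};
    return request.requested_for === userId || parent.opened_by === userId;
  }
  if (parent.sys_class_name === 'incident') {
    return parent.caller_id === userId;
  }
  return false;                           // any other parent class: deny
}

// As stated in the thread: role, condition and script must all be satisfied.
// An ACL with no roles listed places no role requirement on the user.
function aclAllows(acl, user, current) {
  var hasRole = acl.roles.length === 0 ||
    acl.roles.some(function (r) { return user.roles.indexOf(r) !== -1; });
  return hasRole && acl.condition(current) && acl.script(current, user.id);
}

// Constructed sample data; user ids are readable labels, not real sys_ids.
var alice = { id: 'alice', roles: [] };
var credForAlice = {
  u_for_user: 'alice',
  u_parent: { sys_class_name: 'incident', caller_id: 'alice' }
};
var credViaRitm = {
  u_for_user: '',
  u_parent: { sys_class_name: 'sc_req_item', opened_by: 'carol',
              request: { requested_for: 'bob' } }
};
var always = function () { return true; };
var scriptOnlyAcl = { roles: [], condition: always, script: canReadCredential };
// Hypothetical role name: the leftover role from table creation.
var roleAndScriptAcl = { roles: ['u_temp_credential_user'], condition: always,
                         script: canReadCredential };

console.log('script only:', aclAllows(scriptOnlyAcl, alice, credForAlice));
console.log('role + script:', aclAllows(roleAndScriptAcl, alice, credForAlice));
console.log('unrelated user:', canReadCredential(credViaRitm, 'alice'));
```

With the leftover role still attached, the same script denies a user it would otherwise allow, which is the symptom seen when impersonating a user without that role.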
‎01-08-2016 01:12 PM
Ok, so I fixed the list issue by moving the else if outside and creating it as its own IF. So now I can view it on list.
My existing issue is that now a test user cannot create a new credential. It is giving me ACL errors for items that are inactivated. The top line (PATH = record/u_temp_credential.u_application) is inactive in my ACL list. Can someone help me figure out why it's blocking me?
