ACL Script help

will_smith · ‎12-04-2015

Hello, I am needing some help with an ACL on a custom table. I have a UI action that is ran from the incident table that shows the u_temp_credential table and writes some fields to it. Then ONLY the logged in user should be able to see the u_temp_credential table to see the username that was created just for them. When I impersonate the user I get a security constraints error. I appreciate all of your help from the start, as I'm learning ACL's - they remind me of Windows server group policies, ugh!

For an ACL, is a record type the same as a field on a form?

answer = ifScript();
function ifScript(){
   //gs.log('ACL: sys_class_name is ' + current.u_parent.sys_class_name);
   if(current.u_parent.sys_class_name == 'sc_req_item'){
   //gs.log('ACL: table is sc_req_item');
   if(current.u_parent.u_requested_for == gs.getUserID() || current.u_parent.opened_by == gs.getUserID()){
   return true;
   }
   } else if(current.u_parent.sys_class_name == 'incident') {
   //gs.log('ACL: table is incident');
   if(current.u_parent.caller_id == gs.getUserID()){
   return true;
   }
   }
   return false;
}

mike_allgire · ‎12-04-2015

You need two read ACLs...

1. Table level (u_temp_credential.)

2. Record level (u_temp_credential.*)

To put security on individual fields, then you need to put the appropriate type of ACL on the field (u_temp_credential.u_password).

Type should always be Record (for what you are doing).

Operation should determine what they can do (Create, Read, Write, Delete)

If the table was created and a role was associated with it (typical action) and you over-wrote the original read table ACL, then you will want to remove the role associated as the ACL requires the script to be true, the user to have the role, and the condition to be true.

To make this easier (now that I have more time), you can do this all using the condition builder instead of writing a script (my example is based on the incident table)

View solution in original post

will_smith · ‎01-15-2016

Here are my ACLs. Create must have the (itil) role.

And here is what an (itil) user sees:

mike_allgire · ‎01-15-2016

Did you create the write access at the line level? From your previous list of ACLs, the u_temp_credential.* / write should be activated (I believe). Honestly, this is kind of hard when I am not doing if for myself. If I get some extra time today, I will try to do what you are doing in my developer instance and pass a long what I have done in terms of ACLs.

Can you give my a list of your ultimate goals again; in terms of who can access what and when?

will_smith · ‎01-15-2016

I have everything working except for the Create/*. I cannot get it to read properly from the assignment group field that I've pulled in from the incident, as a string. Every condition I set "starts with", "is" , "contains" inactivates the ability to create on the fields.

If I remove the condition the fields open up and I can write to them, so I've validated this is my issue. I have also validated that I am pulling in my assignment group reference as a string. Do I need to put quotes around the Group | is | TSC or something?

mike_allgire · ‎01-15-2016

If you are trying to state that a member of the TSC group(s) can create, then your condition is wrong. You would need a script like this to check group membership.

gs.getUser().isMemberOf('GROUP NAME HERE') || gs.getUser().isMemberOf('GROUP NAME HERE')

The condition you have for "Group|contains|TSC" is only looking to see if the group listed is TSC, it isn't evaluating the current user as a member of that group.

will_smith · ‎01-15-2016

Sure thing! So my ultimate goal, at which I am much closer now, is to have only the logged in user be able to see their access credentials in the list view (read-only). Then I want to have anyone with assignment group TSC have create access to all fields from the incident table. Here are my current ACLs and the problem, as I see it. The read access to the table restricts it on the list view without a problem; only the logged in user can see their password. But when the TSC goes to create a password on the Incident table they cannot read the fields, and none of the fields show up. The group field is on my credential view.

Do you have to be able to read from the fields to create items on them?

table | create = If the group starts with TSC AND if the 'credential_view' is used, you can create new records on the table; if you have an itil role

table | read = Allows read access to the table if the access credential field 'u_for_user' matches the logged in user or the incident assignment group field contains 'TSC'

table.* | create = If the group starts with TSC AND if the 'credential_view' is used, you can create new records on all fields; if you have an itil role

What if I gave the 'credential_view' ability on the read ACL to open up the fields on the form?