‎12-04-2015 08:20 AM
Hello, I am needing some help with an ACL on a custom table. I have a UI action that is run from the incident table that shows the u_temp_credential table and writes some fields to it. Then ONLY the logged-in user should be able to see the u_temp_credential table to see the username that was created just for them. When I impersonate the user I get a security constraints error. I appreciate all of your help from the start, as I'm learning ACLs - they remind me of Windows server group policies, ugh!
For an ACL, is a record type the same as a field on a form?
    answer = ifScript();
    function ifScript() {
        // u_parent is a reference to the record the UI action ran from;
        // grant access only to the person that parent record is for
        //gs.log('ACL: sys_class_name is ' + current.u_parent.sys_class_name);
        if (current.u_parent.sys_class_name == 'sc_req_item') {
            //gs.log('ACL: table is sc_req_item');
            if (current.u_parent.u_requested_for == gs.getUserID() || current.u_parent.opened_by == gs.getUserID()) {
                return true;
            }
        } else if (current.u_parent.sys_class_name == 'incident') {
            //gs.log('ACL: table is incident');
            if (current.u_parent.caller_id == gs.getUserID()) {
                return true;
            }
        }
        // any other parent type, or a different user: deny
        return false;
    }
‎12-04-2015 01:25 PM
You need two read ACLs...
1. Table level (u_temp_credential.)
2. Record level (u_temp_credential.*)
To put security on individual fields, then you need to put the appropriate type of ACL on the field (u_temp_credential.u_password).
Type should always be Record (for what you are doing).
Operation should determine what they can do (Create, Read, Write, Delete)
If the table was created and a role was associated with it (typical action) and you overwrote the original read table ACL, then you will want to remove the role associated, as the ACL requires the script to be true, the user to have the role, and the condition to be true.
To make this easier (now that I have more time), you can do this all using the condition builder instead of writing a script (my example is based on the incident table)
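To make the layering concrete, here is an added example (editor's, not code from this thread or from ServiceNow) that models in plain JavaScript how a read on u_temp_credential is gated. It assumes a simplified version of the platform's behaviour: the rule named after the bare table (u_temp_credential) and the field rule (u_temp_credential.*, or a more specific u_temp_credential.u_password when one exists) must both pass, and within a single rule the role, the condition and the script must all pass. The users, the incident, the credential row, the role name u_temp_credential_user and the "Database Admins" group are all constructed for the demo; hasRole and isMemberOfStartsWith stand in for gs.hasRole() and gs.getUser().isMemberOf(). Rule set (a) reproduces the leftover-role problem described above, (b) is the same with the role removed, and (c) is a layered version where the table is readable by everyone, fields are visible to the intended user or a Database* group member, and the password field is held back to the intended user only (my own tightening, not what the thread settled on).

```javascript
'use strict';

// --- constructed sample data (not from a real instance) ----------------------
const USERS = {
  caller:   { sys_id: 'u001', roles: [], groups: [] },                  // caller on the incident
  dba:      { sys_id: 'u002', roles: [], groups: ['Database Admins'] }, // member of a Database* group
  stranger: { sys_id: 'u003', roles: [], groups: [] },                  // unrelated user
};
const INCIDENT = { sys_class_name: 'incident', caller_id: 'u001' };
const CRED = {                                  // the row the UI action wrote
  sys_class_name: 'u_temp_credential',
  u_parent: INCIDENT,
  u_for_user: 'u001',
  u_password: 'not-a-real-secret',
};

// stand-ins for gs.hasRole() and gs.getUser().isMemberOf()
const hasRole = (user, role) => user.roles.includes(role);
const isMemberOfStartsWith = (user, prefix) => user.groups.some((g) => g.startsWith(prefix));

// the poster's ACL script, written as a function of (current, userId)
function parentOwnsRecord(current, userId) {
  const p = current.u_parent;
  if (p.sys_class_name === 'sc_req_item') return p.u_requested_for === userId || p.opened_by === userId;
  if (p.sys_class_name === 'incident') return p.caller_id === userId;
  return false;
}

// One rule passes only if every part that is set passes: role, then condition, then script.
function rulePasses(rule, record, user) {
  if (rule.role && !hasRole(user, rule.role)) return false;
  if (rule.condition && !rule.condition(record, user)) return false;
  if (rule.script && !rule.script(record, user.sys_id)) return false;
  return true;
}

// The most specific field rule wins: table.field, else table.*
function fieldRule(rules, table, field) {
  return rules[table + '.' + field] || rules[table + '.*'] || null;
}

// A field is readable only if the table-level rule AND the field rule both pass.
// Returns a string so the caller can see which gate refused.
function canReadField(rules, user, record, field) {
  const table = record.sys_class_name;
  if (rules[table] && !rulePasses(rules[table], record, user)) return 'denied: table rule';
  const fr = fieldRule(rules, table, field);
  if (fr && !rulePasses(fr, record, user)) return 'denied: field rule ' + field;
  return 'allowed';
}

// (a) the auto-created table rule still carries a role (hypothetical name), so a true
//     script is never enough: this is the "security constraints" error from the question
const RULES_LEFTOVER_ROLE = {
  'u_temp_credential':   { role: 'u_temp_credential_user', script: parentOwnsRecord },
  'u_temp_credential.*': { script: parentOwnsRecord },
};
// (b) the same rules with the role removed
const RULES_ROLE_REMOVED = {
  'u_temp_credential':   { script: parentOwnsRecord },
  'u_temp_credential.*': { script: parentOwnsRecord },
};
// (c) layered: table open, fields for the intended user or a Database* group,
//     password field only for the intended user (more specific rule wins)
const RULES_LAYERED = {
  'u_temp_credential':   {},
  'u_temp_credential.*': { condition: (r, u) => r.u_for_user === u.sys_id || isMemberOfStartsWith(u, 'Database') },
  'u_temp_credential.u_password': { condition: (r, u) => r.u_for_user === u.sys_id },
};

function demo() {
  return {
    leftoverRoleCaller:  canReadField(RULES_LEFTOVER_ROLE, USERS.caller,   CRED, 'u_password'),
    roleRemovedCaller:   canReadField(RULES_ROLE_REMOVED,  USERS.caller,   CRED, 'u_password'),
    roleRemovedStranger: canReadField(RULES_ROLE_REMOVED,  USERS.stranger, CRED, 'u_password'),
    layeredCallerPwd:    canReadField(RULES_LAYERED,       USERS.caller,   CRED, 'u_password'),
    layeredDbaForUser:   canReadField(RULES_LAYERED,       USERS.dba,      CRED, 'u_for_user'),
    layeredDbaPwd:       canReadField(RULES_LAYERED,       USERS.dba,      CRED, 'u_password'),
    layeredStranger:     canReadField(RULES_LAYERED,       USERS.stranger, CRED, 'u_for_user'),
  };
}

console.log(demo());
```

Run it with node; the first result shows the caller refused at the table rule even though the script would return true, which is exactly the symptom a leftover role produces, and the layered set shows why a separate u_temp_credential.u_password rule is where the secret itself gets its own gate.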
‎01-15-2016 01:11 PM
Ahhh! I was trying to avoid scripting and just use the condition since the TechNow videos said to use roles > conditions > scripts - in that order. I am also trying to avoid scripting wherever possible. I did solve this one, and thank you so much for your help!
I solved it by creating a new role, which I had thought of previously but couldn't get implementation to work. The create/* ACL then checks for that role via script:
    answer = hasCreateRole();
    // named so it does not shadow the ACL's own "answer" variable
    function hasCreateRole() {
        return gs.hasRole('temp_credential_create');
    }
If the user has it, the floodgates open up and they can create all the passwords they want! I've also restricted the UI action to this role. Then I granted that role to the group in question.
I keep trying to do things in 1 easy step... and I'm finding that most things like this, and script includes, don't work in one easy screen. At least it is working...
Thanks again mike.allgire for all of your time and assistance.
‎01-15-2016 02:48 PM
Sorry. I was in the middle of something. I realize you corrected it, but I was able to do it without the creation of a new role. I believe I did what you needed anyway. The below was created to allow all users to read the table, the "for user" to read line items for themselves, and the members of a group to be able to read, write and create new records on the table.
- Created a table for u_temp_credential; without access controls being created
- Created fields for u_parent, u_for_user, u_password
- Added the attached ACLs.
‎01-18-2016 07:01 AM
Very elegant solution! Is it possible to do an isMemberOf "like" foo or isMemberOf "startswith" foo to avoid hardcoding all of the assignment groups?
‎01-18-2016 07:59 AM
Yes, but you would have to query to get the 'startswith' or 'contains' value. In this case, you could narrow it down even further if you were able to key in on a common value in the groups.
    // default to deny so the ACL fails closed if no matching group is found
    answer = false;
    var gr = new GlideRecord('sys_user_group');
    // name CONTAINS 'Database' OR name STARTSWITH 'Database'
    // (the STARTSWITH branch is already covered by CONTAINS; it shows the OR syntax)
    var qc = gr.addQuery('name', 'CONTAINS', 'Database');
    qc.addOrCondition('name', 'STARTSWITH', 'Database');
    gr.query();
    while (gr.next()) {
        // isMemberOf() takes a group name or sys_id; pass the string value, not the element
        if (gs.getUser().isMemberOf(gr.getValue('sys_id'))) {
            // any group whose name matches grants access, including groups created later
            answer = true;
            break;
        }
    }
