Can ACL be overridden?

Ajai S Nair
Giga Guru

Hi All,

In our project, we have written an ACL for allowing permission to edit all variables in the problem when the state is not Resolved, Cancelled or Closed. Now we have a requirement that we need to give access to edit a single field even after the Resolved state. I tried writing another field ACL, but it does not work, since the field ACL will work first and later the table ACL will work. Can anyone help me with this?

Regards,

Ajai

21 REPLIES

I think we are back to what I put in a few days ago...

So the required solution would be to get rid of the table-level rule that blocks access...

Create a field-level rule with an * for the field that blocks access to all fields... then create a field-level rule for that one field that allows access...

Since it got a block and a read at the SAME level <field level> it will allow it... as long as there is no table-level block.

So in short, ACLs at the same level are LEAST restrictive... ACLs at different levels are MOST restrictive... Hope that makes sense.


Correct me if I am wrong.

The field which I want to make editable after Resolved is a field created only in the Problem table. So is there any use in writing a * ACL for the field?

I think the way I explained my requirement was wrong. Actually it is:

We have written an ACL for allowing permission to edit all variables in the problem when the state is not Resolved, Cancelled or Closed. Now we have a requirement that we need to give access to edit a single field even after the Resolved state. I tried writing another field ACL, but it does not work, since the field ACL will work first and later the table ACL will work. Can we do this through ACL?

Regards,

Ajai


OK, let me try to explain again... my understanding is...

ACLs are evaluated at 2 layers: table and field level.

The evaluation of rights at a LAYER level is MOST restrictive, so if you get a deny from the table layer or from the field layer, your access is denied.

Each layer is resolved independently using a LEAST restrictive requirement, so if you are looking only at the field layer and 9 ACL rules deny access and one allows access, you get access on the FIELD layer.

So both layers have to say yes, but within each layer you only need a single yes, if that makes sense...

So if your requirement is that only ONE field be editable in a state, you can NOT deny access at the table level in that state, as that would block access with no way around it. So you have to remove your table-level deny when the state is Resolved.

So what we want now is a FIELD-level deny on all fields EXCEPT certain ones. So you write a field-level deny with the field as *; this should deny access to all fields. Now add a second ACL allowing access to the single field we need <remember, at the field level a single yes gives us a yes> and it should work for you.
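A small model of the evaluation as the reply above describes it, added here as an illustration; it is not ServiceNow code and not part of the original thread. The field name `u_review_notes`, the rule objects, and the treatment of a layer with no rules as non-blocking are assumptions made for the example.

```javascript
// Toy model of the two-layer rule described in the reply above:
// across layers the result is MOST restrictive (both must say yes),
// within a layer it is LEAST restrictive (one yes is enough).
// Rule shape (constructed): { layer, field, allow(record) -> boolean }

// Condition from the question: editable only while not Resolved/Cancelled/Closed.
const OPEN = (rec) => !['Resolved', 'Cancelled', 'Closed'].includes(rec.state);

// Assumption of this model: a layer with no rules does not block.
function layerAllows(rules, record) {
  return rules.length === 0 || rules.some((r) => r.allow(record));
}

function canWrite(rules, record, field) {
  const tableRules = rules.filter((r) => r.layer === 'table');
  const fieldRules = rules.filter(
    (r) => r.layer === 'field' && (r.field === '*' || r.field === field)
  );
  return layerAllows(tableRules, record) && layerAllows(fieldRules, record);
}

// Setup from the question: the table rule blocks after Resolved, so the
// extra field rule cannot help. u_review_notes is a hypothetical field name.
const before = [
  { layer: 'table', allow: OPEN },
  { layer: 'field', field: 'u_review_notes', allow: () => true },
];

// Setup proposed in the reply: no table-level block, a field '*' rule that
// denies outside the open states, and one rule that allows the single field.
const after = [
  { layer: 'field', field: '*', allow: OPEN },
  { layer: 'field', field: 'u_review_notes', allow: () => true },
];

// Returns the write decision for each setup on a Resolved record.
function compare(field) {
  const rec = { state: 'Resolved' };
  return { before: canWrite(before, rec, field), after: canWrite(after, rec, field) };
}
```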


bammar
Kilo Sage

Instead of using ACLs, can't the same goal be accomplished by use of Business Rules, UI Actions, Client Scripts? Usually you either do or don't have access to read, edit, delete or create a field.



I also thought of changing the ACL and doing this through a UI Policy. But before that I just want to know whether there is some possibility with ACL, because I have a lot of fields in Problem.