edit ci relations from the CMDB

garyopela
ServiceNow Employee

First let me start off by stating my ACLs:

Type: record
Operation: write
Name: cmdb_ci.*
Script: answer = (gs.hasRole("asset_admin") || gs.getUser().isMemberOf(current.support_group));
Purpose: This allows asset admins as well as members of the current support group to modify fields on the CI form

I then have another level of ACLs that fire and will restrict certain other fields to only users with asset_admin.

I also have this rule:

Type: record
Operation: edit_ci_relations
Name: cmdb_ci.*
Script: answer = (gs.hasRole("asset_admin") || gs.getUser().isMemberOf(current.support_group));
Purpose: Should grant asset admin and members of the current support group the ability to edit the CI Relationships

The problem is that whenever I need to add another role to the first ACL so that I can allow another group to edit some of the other fields on the CI, they are now able to edit the relationships, whereas before they didn't even see the green plus sign for the edit ci relationships UI Page. I have added ACLs to the three fields this new role needs access to modify, and the ACLs grant the access; however, the first ACL I have listed above then runs after the field-level ACLs and locks the fields back down, so for the field-level ACLs to actually unlock the field, I had to add the role to the first ACL listed above. Unfortunately, this also gives them access to the green plus sign as well.

I have messed around with restricting access to this through a UI Page ACL on the ci_relationship_manage UI Page, and this works, but the problem is the green plus is still there. Also, I have not seen a way to elegantly allow members of the assignment group on the CI to access the UI Page, since I cannot dot-walk from the UI Page to the CI.

I have put restrictions in to the cmdb_rel_ci page, but this does not keep them from accessing the ci_relationship_manage UI Page.

I have also created another ACL that duplicates the edit_ci_relations ACL above, and created it as an editCiRelations ACL, as I have seen elsewhere in the forums that sometimes you have to have both, and this still doesn't restrict the green plus button.

Does anyone know how to get this to work properly, while still allowing access to a subset of fields based on roles, and still allowing members of the assignment group to edit the relationships, but not members of this new role?

We are running Aspen 07-08-2011_1436 if it matters.


mbourla
Giga Guru

Hi Gary, did you solve this? I'm looking at something similar myself today, and I think your edit_ci_relations needs to be a table-level ACL and not a field-level one, so its name would be cmdb_ci rather than cmdb_ci.*. Logically, access to Related Items (i.e. the CI relations formatter) on a CI form would be a record-level thing rather than a field-level thing. It's working for me anyway!


I put this into place and now it works fine at the table level, so thank you both.
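To make the record-level versus field-level distinction from mbourla's reply concrete, here is an added example that is not from this thread and is not ServiceNow code: a small JavaScript stand-in for the ACL evaluator, run against the thread's end state (edit_ci_relations as a table-level rule named cmdb_ci, the new role added to the cmdb_ci.* write rule, per-field overrides for the three fields, and one field kept to asset_admin only). The evaluation model is a simplification and is stated as an assumption in the comments; the role name ci_editor, the field names and the support group are placeholders for the unnamed role, fields and group in the question, and the user object stands in for gs.hasRole() and gs.getUser().isMemberOf() in the scripts above.

```javascript
// Added example: a stand-in ACL evaluator, NOT the ServiceNow engine. Modelling
// assumptions (stated because the platform's real rules are more involved):
//  - a table-level rule is named after the table (cmdb_ci); a field-level rule is
//    named table.field or table.* ;
//  - a field operation (write on a field) must pass the table-level rule for that
//    operation, if one exists, AND the most specific matching field-level rule
//    (table.field is checked before table.*; rules of equal specificity are OR'd);
//  - a record-level operation such as edit_ci_relations is checked against
//    table-level rules only, which is what mbourla's reply relies on;
//  - if no rule matches an operation at all, access is granted.
// 'ci_editor' and the field names are placeholders for the thread's unnamed new
// role and its three fields; 'serial_number' stands for an asset_admin-only field.

function makeUser(roles, groups) {
  // Stand-in for gs.hasRole() and gs.getUser().isMemberOf() in the thread's scripts.
  return {
    hasRole: (r) => roles.includes(r),
    isMemberOf: (g) => groups.includes(g),
  };
}

const isAdminOrOwner = (u, cur) => u.hasRole('asset_admin') || u.isMemberOf(cur.support_group);
const isAdminOwnerOrEditor = (u, cur) => isAdminOrOwner(u, cur) || u.hasRole('ci_editor');

// The thread's end state: edit_ci_relations moved to the table-level rule; the new
// role added to the cmdb_ci.* write rule (as the poster did); three per-field
// overrides; one field kept to asset_admin only.
const acls = [
  { name: 'cmdb_ci', operation: 'edit_ci_relations', script: isAdminOrOwner },
  { name: 'cmdb_ci.*', operation: 'write', script: isAdminOwnerOrEditor },
  ...['install_status', 'location', 'comments'].map((f) => ({
    name: 'cmdb_ci.' + f, operation: 'write', script: isAdminOwnerOrEditor,
  })),
  { name: 'cmdb_ci.serial_number', operation: 'write', script: (u) => u.hasRole('asset_admin') },
];

// Rank of a field-level rule for table.field: 0 = exact field, 1 = wildcard, -1 = no match.
function fieldRank(rule, table, field) {
  if (rule.name === table + '.' + field) return 0;
  if (rule.name === table + '.*') return 1;
  return -1;
}

const passesAny = (rules, user, record) => rules.some((r) => r.script(user, record));

// Record-level check: only rules named exactly after the table take part, so a
// cmdb_ci.* write rule can never influence edit_ci_relations here.
function canRecord(rules, user, record, table, operation) {
  const tableRules = rules.filter((r) => r.name === table && r.operation === operation);
  return tableRules.length === 0 || passesAny(tableRules, user, record);
}

// Field-level check: table-level rule AND the most specific field-level rule.
function canField(rules, user, record, table, field, operation) {
  if (!canRecord(rules, user, record, table, operation)) return false;
  const matches = rules
    .filter((r) => r.operation === operation)
    .map((r) => ({ r, rank: fieldRank(r, table, field) }))
    .filter((m) => m.rank >= 0);
  if (matches.length === 0) return true;
  const best = Math.min(...matches.map((m) => m.rank));
  return passesAny(matches.filter((m) => m.rank === best).map((m) => m.r), user, record);
}

// Evaluate the four kinds of user the thread talks about against one constructed CI.
function evaluateThreadScenario() {
  const ci = { support_group: 'network_ops' }; // constructed sample record
  const users = {
    asset_admin: makeUser(['asset_admin'], []),
    support_group_member: makeUser(['itil'], ['network_ops']),
    new_role: makeUser(['ci_editor'], []),
    other: makeUser(['itil'], ['other_group']),
  };
  const out = {};
  for (const [label, u] of Object.entries(users)) {
    out[label] = {
      edit_ci_relations: canRecord(acls, u, ci, 'cmdb_ci', 'edit_ci_relations'),
      write_install_status: canField(acls, u, ci, 'cmdb_ci', 'install_status', 'write'),
      write_name: canField(acls, u, ci, 'cmdb_ci', 'name', 'write'),
      write_serial_number: canField(acls, u, ci, 'cmdb_ci', 'serial_number', 'write'),
    };
  }
  return out;
}

console.table(evaluateThreadScenario());
```

The table the script prints is the access matrix the question asks for: the new role can write the fields the cmdb_ci.* and per-field rules open to it, cannot touch the asset_admin-only field, and gets false for edit_ci_relations because that check only ever looks at the rule named cmdb_ci, while support group members and asset admins keep relation editing. Whether a rule is reached at all depends on its name, not on its script, which is why renaming the rule from cmdb_ci.* to cmdb_ci changed the outcome in the thread.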