10-11-2018 07:34 AM
Hello, I am working on a requirement where I need to give read access to records. These records contain an 'Application' field, and applications contain an 'RTM' field which points to the user table. I need to give read access to the user for records if the logged-in user exists in record->application->RTM. Can someone help me create this advanced ACL? Thanks!

10-11-2018 08:08 AM
Hi Paul,
You're going to make two Read ACLs. One is going to be [tableName].None and the other [tableName].*
Click the "Advanced" checkbox and in the script we'll get the current logged-in user's Sys ID and match it to the RTM field. I don't know what your table name / field names are, but here's an example of what the script would look like:
// Advanced ACL script: grant read only when the logged-in user is the application's RTM.
// 'managed_by' stands in for whatever your RTM reference field is called.
answer = false; // default deny; the script must explicitly set answer to true
if (gs.getUserID() == current.application.managed_by) {
    answer = true;
}
You can read more about ACLs here: Access control list rules documentation
The reason you need two ACLs is this: [tableName].None gives you access to the record and [tableName].* gives you access to all of the fields on that record. Think of it like this: if the ACL were an apartment building, [tableName].None would give you access to enter the building, and [tableName].* would give you access to all of the apartments in the building.
If you need further guidance, happy to help! If this did answer your question, please mark it as correct to help future developers 🙂
-Josh
10-11-2018 09:53 AM
Josh, do you have any inputs on the above question? Thanks!

10-11-2018 10:31 AM
Hi Paul,
In that case you are going to have to split the list of CIs into an array, and check to see if the user is a member of the related support group.
// Advanced ACL script: u_ci holds a comma-separated list of CI sys_ids.
answer = false; // default deny; grant only when a matching support group is found
var ciArray = current.u_ci.toString().split(',');
for (var i = 0; i < ciArray.length; i++) {
    var ci = new GlideRecord('cmdb_ci');
    // get() returns false when the sys_id does not resolve to a CI record
    if (ci.get(ciArray[i].trim()) && gs.getUser().isMemberOf(ci.getValue('support_group'))) {
        answer = true;
        break;
    }
}
This will probably increase load times on this table, as an FYI.
10-11-2018 11:49 AM
Josh, I've tried this but for some reason all records are available to non-group users. Am I missing anything in Definition -> Require roles? Thanks!

10-11-2018 02:42 PM
Are there any other ACLs on that table? Check those as well. Only one ACL has to evaluate true to allow access. Also, are you impersonating/testing with a user that is an Admin? If "Admin overrides" is checked, it will allow admins to see, even if they're not a part of the group.
10-11-2018 04:31 PM
Josh, your script works just fine after adding answer = no at the beginning of the script.
But what if I wanted to add another read ACL for any roles? If I create a new read ACL then your script isn't working, and even when I added roles to the same ACL that has the script, it's not working in this case either. How can I get out of this? I would appreciate any suggestions. Thanks!
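The two behaviours discussed above, "only one ACL has to evaluate true" and the effect of adding a second role-only read ACL, as an added, simplified model of ACL evaluation written for this thread (not ServiceNow's own code and not runnable on the platform). It assumes each ACL is an object with required roles, an admin-override flag and an optional script, and uses a constructed in-memory map in place of the cmdb_ci lookup:

```javascript
// Added example (not from the thread): a simplified model of how read ACLs on one
// table combine. Assumption: a user passes an ACL when admin override applies OR
// (the user holds every required role AND the script sets answer to true);
// access is granted if ANY ACL passes. The real platform is not simulated.
function evaluateAcl(acl, user, record) {
  if (acl.adminOverrides && user.roles.indexOf('admin') !== -1) {
    return true; // "Admin overrides" lets admins through regardless of the script
  }
  var hasRoles = acl.roles.every(function (r) { return user.roles.indexOf(r) !== -1; });
  if (!hasRoles) return false;
  if (!acl.script) return true;              // role-only ACL: roles are the whole condition
  return acl.script(user, record) === true;  // advanced ACL: script must explicitly answer true
}

function canRead(acls, user, record) {
  return acls.some(function (acl) { return evaluateAcl(acl, user, record); });
}

// Mirrors the CI support-group script from the thread: u_ci is a comma-separated
// list of CI ids. `cis` is constructed sample data standing in for cmdb_ci.
var cis = { ci1: { support_group: 'net_ops' }, ci2: { support_group: 'db_ops' } };
function ciGroupScript(user, record) {
  var answer = false; // default deny
  var ciArray = record.u_ci.split(',');
  for (var i = 0; i < ciArray.length; i++) {
    var ci = cis[ciArray[i].trim()];
    if (ci && user.groups.indexOf(ci.support_group) !== -1) { answer = true; break; }
  }
  return answer;
}

var scriptOnly = [{ name: 'tbl.None (script)', roles: [], adminOverrides: true, script: ciGroupScript }];
// The situation from the last post: a second, role-only read ACL on the same table.
// Because ACLs are OR'ed, anyone holding the role now reads every record.
var withRoleAcl = scriptOnly.concat([{ name: 'tbl.None (itil)', roles: ['itil'], adminOverrides: true, script: null }]);
// Roles and script inside ONE ACL are ANDed: the role is a gate, the script still decides.
var combinedAcl = [{ name: 'tbl.None (itil + script)', roles: ['itil'], adminOverrides: true, script: ciGroupScript }];

// Constructed sample users and record.
var record = { u_ci: 'ci1, ci2' };
var netOpsUser = { roles: ['itil'], groups: ['net_ops'] };
var outsiderWithRole = { roles: ['itil'], groups: [] };
var adminUser = { roles: ['admin'], groups: [] };
```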