How to limit access to specific records using ACL

JC S_
Mega Guru

We have a business requirement to restrict access to specific incident records depending on the incident tagging and specific group types. For example, we need to limit access to all financial tickets (u_financial = true) to members of groups with group type "financial" and limit all supply chain tickets (u_scm = true) to members of groups with group type "scm".

So far, the only way we see of implementing this is via a business rule called incident query. Any ideas on how we can implement this using an ACL? Our issue is that there is an OOTB ACL that allows any user with the itil role to access any incident record. Should we deactivate this? Interested to know the best way to properly set up ACL + incident query for this kind of record restriction requirement.

Simon Christens
Kilo Sage

Hi JC

I would suggest giving the specific users a custom role (financial_incident or something).

Then edit the OOB ACL that grants read rights to incident for ITIL users and apply the condition u_financial IS false.
Create a new read ACL for incident for the financial_incident role that has the condition u_financial IS true.

That should work.

Hi Simon - this worked great!

Would you recommend replicating the ACL restrictions in the incident query to make things cleaner when viewing the list? Because if we only do the ACL, there will be a prompt that a number of rows were removed due to security constraints and, to make things worse, it's kind of confusing when the total number of records shown is 1000 but the actual number of records you can access is just 20.

Hi

Yes, you should ensure that the incident query also supports the restrictions.

So instead of the OOB condition (if !gs.getUser().hasRole('itil')) you replace itil with the financial_incident role, because you want to restrict ITIL a little.

So the business rule query should be something like:

if (gs.getUser().hasRole('itil')) {
    // ITIL users no longer see financial tickets
    current.addQuery('u_financial', false);
} else {
    // These are end users, so use the OOB query
    // current.addQuery('caller_id', u) etc.
}
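
The same idea carried a step further, as an added example that is not code from this thread: a "before query" business rule on incident that mirrors the role-based ACL split for both the financial and supply chain tags, so the list never shows the "rows removed by security constraints" message. The gs/current stand-ins and the scm_incident role are assumptions made so it can run outside the platform; field and role names otherwise follow the thread.

```javascript
// Added example, not code from the thread: a "before query" business rule on incident
// mirroring the role-based ACL split above, plus constructed stand-ins for gs/current
// so it runs offline (the stand-ins are assumptions, not the platform API; scm_incident is assumed).

// Rule body as it would be pasted into the business rule script field.
function restrictIncidentQuery(gs, current) {
  var user = gs.getUser();
  var allowed = [];
  if (user.hasRole('financial_incident')) allowed.push('u_financial');
  if (user.hasRole('scm_incident')) allowed.push('u_scm');
  if (!user.hasRole('itil') && allowed.length === 0) {
    current.addQuery('caller_id', gs.getUserID()); // end users: OOB own-tickets behaviour
    return;
  }
  // Domain roles are checked before itil, so a user holding both itil and
  // financial_incident keeps financial tickets; a plain itil user loses every tagged record.
  ['u_financial', 'u_scm'].forEach(function (flag) {
    if (allowed.indexOf(flag) === -1) current.addQuery(flag, false);
  });
}
// Constructed offline stand-ins (assumption: simplified, not GlideSystem/GlideRecord).
function makeGs(userId, roles) {
  return {
    getUserID: function () { return userId; },
    getUser: function () { return { hasRole: function (r) { return roles.indexOf(r) !== -1; } }; }
  };
}
function makeQuery() {
  var conditions = [];
  return {
    addQuery: function (field, value) { conditions.push([field, value]); },
    run: function (records) { // equality-only filter standing in for the platform query
      return records.filter(function (rec) {
        return conditions.every(function (c) { return rec[c[0]] === c[1]; });
      });
    }
  };
}
var INCIDENTS = [ // constructed sample incidents
  { number: 'INC0001', caller_id: 'alice', u_financial: false, u_scm: false },
  { number: 'INC0002', caller_id: 'bob',   u_financial: true,  u_scm: false },
  { number: 'INC0003', caller_id: 'alice', u_financial: false, u_scm: true  }
];
// Incident numbers a user with the given roles can list.
function visibleNumbers(userId, roles) {
  var q = makeQuery();
  restrictIncidentQuery(makeGs(userId, roles), q);
  return q.run(INCIDENTS).map(function (r) { return r.number; });
}
```

The read ACLs still need to match these conditions exactly; the query rule only hides rows the ACL would have blocked anyway, so a mismatch between the two shows up as the row-count message again.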

vinothkumar
Tera Guru

You can create another read ACL by specifying the condition as Finance is true, add the finance role for the table-level ACL and give it a try; that will override the OOB ACL and you don't need to deactivate it.