Set up Read Only on user record fields that are synched from AD

Lisa DeBattista
Tera Contributor

I've tried read only, which won't allow AD to synchronize the user details.

I've tried an ACL to restrict access to the sys_user table to read only and yet it still allows users to edit the user record details in view user in the SOWorkspace.

The issue is: when a ticket is opened for a user, and you view user details, it permits changes to the user record. We do NOT want changes made to most fields of the user record and I haven't found the magic mix to lock down the user records (most fields, not all) to ITIL users.

TIA!

 

4 REPLIES

bammar
Kilo Sage

ACLs should work; you can put an ACL for read with admin overrides checked. Even if someone changes it, during the next sync it will be overwritten.

Also, read only on the dictionary should not prohibit an integration from writing over this...

You may have to focus on how to restrict editing from SOWorkspace

 

OR just use one field: populate the user's name by default, then if they want to change it to someone else they can. You can put help text regarding that, then you can do a mapping of this one field to caller id.

-O-
Kilo Patron

ACLs cannot restrict, they can only grant access. Since access to User is granted OOB, you need to first disable that write access. Then grant any other type of write access as needed (e.g. write of non-SSO accounts).

Lisa DeBattista
Tera Contributor

Ok. If I am to understand this correctly, I need to go ahead and figure out the write access within the itil role and remove it so that itil users are unable to edit user records that are synched from Azure AD.

Something like that. OOB there is a write ACL that grants write access to User records for users that have one of the roles: itil, user_admin, import_transformer, resource_manager, timecard_admin. You could modify that ACL to add a condition to it, limiting granting write access to those records that are not synchronized from AD. I believe field level ACLs can/better remain as they are.
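
As an added illustration that is not part of the thread and is not ServiceNow's own code: a simplified JavaScript model of the grant-only ACL behaviour described in the replies, showing why adding a stricter write ACL beside the OOB one changes nothing for itil users, while putting a condition on the OOB ACL does. The `u_synced_from_ad` flag, the ACL objects and the sample records are hypothetical; only the role list comes from the reply above.

```javascript
// Simplified model (not ServiceNow code) of how same-named write ACLs combine:
// an operation is allowed when ANY matching ACL passes, and a single ACL
// passes only when its role requirement AND its condition both pass.
function aclPasses(acl, user, record) {
  const roleOk = acl.roles.length === 0 ||
    acl.roles.some((r) => user.roles.includes(r));
  const conditionOk = acl.condition ? acl.condition(record) : true;
  return roleOk && conditionOk;
}

function canWrite(acls, user, record) {
  return acls.some((acl) => aclPasses(acl, user, record));
}

// Role list as quoted in the reply; the ACL object itself is constructed.
const OOB_ROLES = ['itil', 'user_admin', 'import_transformer',
  'resource_manager', 'timecard_admin'];
const oobWrite = { name: 'sys_user write (OOB)', roles: OOB_ROLES, condition: null };

// Attempt 1: add a second, stricter ACL next to the OOB one.
const adminOnlyWrite = { name: 'sys_user write (added)', roles: ['admin'], condition: null };

// Attempt 2: make the OOB ACL grant write only on records not synced from AD.
// u_synced_from_ad is a hypothetical flag field, not a real sys_user column.
const oobWriteConditioned = { ...oobWrite, condition: (rec) => !rec.u_synced_from_ad };

// Constructed sample user and records.
const itilUser = { name: 'agent', roles: ['itil'] };
const adRecord = { user_name: 'synced.user', u_synced_from_ad: true };
const localRecord = { user_name: 'local.user', u_synced_from_ad: false };

function demo() {
  return {
    // The OOB ACL still grants, so the extra ACL restricts nothing.
    addedAclOnly: canWrite([oobWrite, adminOnlyWrite], itilUser, adRecord),
    // With the condition in place no ACL grants write on the synced record.
    conditionedAd: canWrite([oobWriteConditioned, adminOnlyWrite], itilUser, adRecord),
    // Locally created records remain editable by itil users.
    conditionedLocal: canWrite([oobWriteConditioned, adminOnlyWrite], itilUser, localRecord),
  };
}

console.log(demo());
```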