Database View fields not visible via a Report

simonbourne · ‎04-05-2018

I'm running Istanbul. I have a Database View combining the Incident and Problem tables. I have generated a Single Score report counting the number of Active problems. The report has been shared with Everyone. The report runs successfully and clicking on the Single Score should show a List of the Problem records, but it is resulting in a Number of rows removed from this list by Security constraints message.

I have an ACL set up on the Database View to allow ITIL users to Read (--none--) the Records and both the Incident and Problem tables are available to the ITIL users. Ironically, the same report works on our Development instance. As far as I can see, the Database View, Report and ACLs are the same...what am I missing?

SanjivMeher · ‎04-05-2018

It is an ACL issue. Can you remove the itil role from ACL and add Public role to it? Also make sure there is not other condition or script in that ACL except for the role

Please mark this response as correct or helpful if it assisted you with your question.

simonbourne · ‎04-06-2018

I tried your suggestion. It made no difference. The Database View has no fields defined, so it combines the entire Incident and Problem tables into 1 view.

I have 2 Read ACLs defined on the Database View on my Development instance

1: Incident_Problem.--None-- ITIL: that provides ITIL Users with read access to the Database View

2: Incident_Problem.* ITIL: that provides ITIL users with read access to the Records within the Database View

This works. However the same ACLs on Production do not work. This makes me think that there are ACLs on the Production Incident and Problem tables that are preventing this. My understanding is that, post-Fuji, specific ACLs are required on Database Views to prevent unauthorised access to underlying Tables.

Therefore, I would assume that if there are specific ACLs for Columns on the Incident and Problem tables, any ACLs on the Database View would respect these.

Example:

There is a ITIL User, Read ACL on the Incident.Number column. That would mean that anyone with the designated Role would be able to Read the Incident.Number, but, by exclusion, would NOT be able to Read any other Columns.

Adding a Read.* ACL to the Incident_Problem Database View would only provide Read access to Columns on the Incident and Problem tables supported by the ACLs on the underlying tables (in this case ONLY the Incident.Number column). Am I understanding this correctly?

SanjivMeher · ‎04-06-2018

Yes. You are right. But an itil user should be able to see incident and problem on Prod. So there is no restrictions from the base tables incident and problem. Until unless you have an ACL on database view, which may be restricting you from view the db view, i can't think of any other reason.

Can you send me a screenshot of your database view and the read ACLs you have configured on the database view.

Please mark this response as correct or helpful if it assisted you with your question.

simonbourne · ‎04-06-2018

This is the database view

Neither of the ACLs have an conditions