Hello,
We're attempting to replace a Reference Qualifier with a query_range ACL to filter Change Models (chg_model table) globally, but the ACL isn't working as expected.
Current Setup (Working):
- Reference Qualifier on the chg_model field filters based on URI context
- Shows only 2 of 10 Change Models (sys_ids stored in change.standard_change.standard_change_models property)
- Works, but only applies in specific contexts (proposal forms, record producers)
Goal:
Replace with query_range ACL for consistent global filtering across all contexts (list views, reference fields, reports, etc.)
Issue:
Our query_range ACL isn't filtering - non-admins still see all 10 models instead of the 2 in the property.
ACL Configuration:
- Type: record
- Operation: query_range
- Name: chg_model
- Advanced: Checked
- Type: Deny Unless
- Requires role: snc-internal (non-admins)
- Script:
(function() {
var property = gs.getProperty('change.standard_change.standard_change_models', '-1');
if (property == '-1') {
return true;
}
var allowedIds = ',' + property.toString() + ',';
var currentId = ',' + current.sys_id.toString() + ',';
return allowedIds.indexOf(currentId) > -1;
})();
Potentially Conflicting ACLs (OOTB):
- chg_model.* (query_range, Allow If, public role, protected) - with OOTB security attributes
- chg_model (read operation, protected) - runs STTRMModel class
Questions:
- Can a "Deny Unless" query_range ACL override an existing "Allow If" query_range ACL?
- Do protected ACLs prevent custom query_range ACLs from working?
- Should we be using current.addQuery() or return true/false in query_range ACLs?
- Any alternative approaches to achieve global filtering without modifying protected ACLs?
- Do query_range ACLs determine record inclusion record-by-record or do they validate inclusion of the record set as a whole based on all records passing the set condition?
Thanks for any guidance!
