Query ACL Behavior

jkappler2 · 9 hours ago

Hello,

We're attempting to replace a Reference Qualifier with a query_range ACL to filter Change Models (chg_model table) globally, but the ACL isn't working as expected.

Current Setup (Working):

Reference Qualifier on the chg_model field filters based on URI context
Shows only 2 of 10 Change Models (sys_ids stored in change.standard_change.standard_change_models property)
Works, but only applies in specific contexts (proposal forms, record producers)

Goal:
Replace with query_range ACL for consistent global filtering across all contexts (list views, reference fields, reports, etc.)

Issue:
Our query_range ACL isn't filtering - non-admins still see all 10 models instead of the 2 in the property.

ACL Configuration:

Type: record
Operation: query_range
Name: chg_model
Advanced: Checked
Type: Deny Unless
Requires role: snc-internal (non-admins)
Script:
(function() {
var property = gs.getProperty('change.standard_change.standard_change_models', '-1');
if (property == '-1') {
return true;
}
var allowedIds = ',' + property.toString() + ',';
var currentId = ',' + current.sys_id.toString() + ',';
return allowedIds.indexOf(currentId) > -1;
})();

Potentially Conflicting ACLs (OOTB):

chg_model.* (query_range, Allow If, public role, protected) - with OOTB security attributes
chg_model (read operation, protected) - runs STTRMModel class

Questions:

Can a "Deny Unless" query_range ACL override an existing "Allow If" query_range ACL?
Do protected ACLs prevent custom query_range ACLs from working?
Should we be using current.addQuery() or return true/false in query_range ACLs?
Any alternative approaches to achieve global filtering without modifying protected ACLs?
Do query_range ACLs determine record inclusion record-by-record or do they validate inclusion of the record set as a whole based on all records passing the set condition?

Thanks for any guidance!