12-17-2020 05:10 PM
Hi there, I am working on giving a group of users edit access to the Invoice Number field in the asset table. Here is what I have done so far.
- I created a role called - asset_inv_nbr_update
- I added the group of users to the role
- I created a Write ACL in the Invoice Number field
- I added the asset_inv_nbr_update role to the ACL
The above doesn't work. So I added the role to the Write ACL within the Asset Table but it opens up a lot of fields. I am not sure about the next step. Do I need to add ACLs for each field?
Thanks!

12-17-2020 05:35 PM
Hi,
The way ACLs work is that you can think of a table...like a house. So the house is the Asset Table. The rooms inside represent the fields on the table. So you have given them access to a room inside the house, but they need to be able to go in the house first.
So you'd want to give write access to the table and to the field.
BUT, you'd also need to modify that write access to NOT be everything (as you've seen).
So to assist with this, you'd want to edit the OOB write ACL, but this time for * (meaning all other fields)...and set that role on that ACL to the normal role that is required for that table or should be required for this table (asset role). This basically says hey members of this special group...you can write to this table....BUT...modified...to only the field or fields I say (via new write acl for table.field).
When you do an ACL for table.* it basically means: for all other fields this ACL applies UNLESS I create an ACL for a specific field, then use that.
So here's the steps you did:
- I created a role called - asset_inv_nbr_update
- I added the group of users to the role
- I created a Write ACL in the Invoice Number field
- I added the asset_inv_nbr_update role to the ACL
Now here's a few more:
- Create a write ACL for the entire table specifying this role you made (as you did, so keep it or re-add it back)
- Edit the write ACL for the table.* to only include the role of users who SHOULD be able to write to this table to all other fields (asset role).
Since there's already a table.* ACL, that is why I'm saying edit it...because that ACL, currently, lets anyone write to all the fields on the table with no role as long as you have table write privilege (which they would through the new table acl you're making for them).
So this allows them to come in to the house, but only to 1 room. All other rooms are locked.
Please mark reply as Helpful/Correct, if applicable. Thanks!
Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

12-17-2020 07:40 PM
Hi Allen, I appreciate the very good explanation!!!
Happy holidays!

03-09-2021 07:46 AM
Hi Allen
Thank you for your post above which has helped me develop my thinking on how to solve my security requirements. I'm not quite there though and wondered if you could review the challenge below and what is missing from my approach.
Let me describe the scenario.
- I have a table, called runbook
- The table has multiple fields, including short description, description, owner etc
- It also has a u_planned_start date/time field
- I have two roles, as follows:
- Author - anyone with this role should be able to write to any of the fields in the runbook table, except the u_planned_start field
- Scheduler - anyone in this role should be able to write to the planned-start field only
So, in terms of ACLs
ACL #1 - runbook.write variant 1
- I have defined an ACL for the table, with the write operation
- I have used the None field designator
- The required role for this ACL is Author
ACL #2 - runbook.write variant 2
- I have defined an ACL for the table, with the write operation
- I have used the * field designator
- The required role for this ACL is Author
ACL #3 - runbook.u_planned_start
- I have defined an ACL for the table, with the write operation
- I have explicitly selected the u_planned_start field
- The required role for this ACL is Scheduler
To put these scenarios into a test grid, we have:
| Scenario | ACL#1 - None | ACL#2 - * | ACL#3 - u_planned_start |
|---|---|---|---|
| #1 | Yes | No | Inactive |
| #2 | No | Yes | Inactive |
| #3 | Yes | No | Active |
| #4 | No | Yes | Active |
Scenario #1 : When I have ACL#1 only (ACL #3 inactive)
- the user with Author role is able to write to all fields, including u_planned_start
- the user with the Scheduler role cannot update any fields
Scenario #2: When I change to ACL#2, (ACL #3 inactive)
- the user with the Author role is not able to write to any fields
- the user with the Scheduler role cannot update any fields
Scenario #3: When I have ACL#1 & ACL#3 both active
- the user with the Author role can write to all fields, including u_planned_start
- the user with the Scheduler role cannot update any fields
Scenario #4: When I have ACL#2 & ACL#3 both active
- the user with the Author role is not able to write to any fields
- the user with the Scheduler role cannot update any fields
============================================================
So, I'm not able to get the desired results.
I've read the documentation on ACLs which includes the following statement:
- [Record ACL rules only] The matching table-level and field-level ACL rules must both evaluate to true.
I think this might be the crux of the matter - my roles are intended to be mutually exclusive so an author can't update the schedule and a scheduler can't write to fields other than the planned start. If both ACLs must evaluate to true, this is never going to work.
I'm hoping that I'm missing a simple concept ... or potentially approaching this problem from completely the wrong direction !
Any insight you can share would be much appreciated.
Thanks in advance,
Andy

03-09-2021 08:09 AM
Hi,
In the future, if my response here doesn't help, please create your own question with this information, but feel free to mention me.
This ensures a discussion can be had particular to your issue/scenario, rather than taking over this thread here that's already been resolved.
For your 3 ACLs...only 1 of them has the scheduler role mentioned, and for that write ACL...it's only for a table.field ACL...
I hope my analogy in the post marked correct here helps you guide through this, but you basically aren't giving them access to the house in terms of writing. So that's step 1. Then...your ACL where they have access to just that field, should work properly.
Please mark reply as Helpful, if applicable. Thanks!
Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!
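The evaluation rule from the accepted answer (table-level ACL first, then the most specific field-level ACL, with table.field winning over table.*) and the documentation line Andy quotes, written out as a small model so the asset scenario and Andy's runbook scenarios can be checked side by side. This is an added illustration, not ServiceNow code and not from any poster; the table names alm_asset and u_runbook, the field names, and the ACL sets are constructed assumptions.

```javascript
// Added model of the ACL evaluation rules described in this thread (not ServiceNow code).
// A write on table.field passes only if the matching table-level ACL (field "None")
// AND the matching field-level ACL both pass; a table.field ACL takes precedence over table.*.
// Simplifications (assumptions): no table inheritance, no conditions/scripts, and a field
// with no matching field-level ACL is treated as open, like the OOB table.* with no role.

function aclPasses(acl, userRoles) {
  // An ACL with no roles passes for everyone; otherwise any one listed role is enough.
  return acl.roles.length === 0 || acl.roles.some(r => userRoles.includes(r));
}

function canWrite(acls, userRoles, table, field) {
  const live = acls.filter(a => a.operation === "write" && a.table === table);

  // Step 1: the user must get "into the house" via a table-level ACL.
  const tableLevel = live.filter(a => a.field === null);
  if (!tableLevel.some(a => aclPasses(a, userRoles))) return false; // none defined => denied (assumption)

  // Step 2: the most specific field-level ACL decides the "room": table.field, else table.*.
  let fieldLevel = live.filter(a => a.field === field);
  if (fieldLevel.length === 0) fieldLevel = live.filter(a => a.field === "*");
  if (fieldLevel.length === 0) return true;
  return fieldLevel.some(a => aclPasses(a, userRoles));
}

// Constructed ACL sets; table and field names are assumptions for illustration.
// Allen's recipe: a table-level ACL for the new role, table.* locked to the asset role,
// and invoice_number opened to the new role.
const assetAcls = [
  { table: "alm_asset", field: null, operation: "write", roles: ["asset"] },
  { table: "alm_asset", field: null, operation: "write", roles: ["asset_inv_nbr_update"] },
  { table: "alm_asset", field: "*", operation: "write", roles: ["asset"] },
  { table: "alm_asset", field: "invoice_number", operation: "write", roles: ["asset_inv_nbr_update"] },
];

// Andy's scenario #3: only Author has a table-level ACL, so Scheduler never gets past step 1.
const runbookAcls = [
  { table: "u_runbook", field: null, operation: "write", roles: ["Author"] },
  { table: "u_runbook", field: "u_planned_start", operation: "write", roles: ["Scheduler"] },
];

// The same set after Allen's advice: Scheduler gets a table-level ACL and table.* is locked to Author.
const runbookFixedAcls = [
  ...runbookAcls,
  { table: "u_runbook", field: null, operation: "write", roles: ["Scheduler"] },
  { table: "u_runbook", field: "*", operation: "write", roles: ["Author"] },
];
```

The model also shows the side effect of the accepted recipe: a user holding only the asset role loses write on invoice_number unless that role is added to the field ACL as well.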