What is ACL operation conditional_table_query_range?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-14-2025 07:49 PM - edited 05-14-2025 08:13 PM
Hi all... with the latest security maintainance the system created many ACLs for operation:
conditional_table_query_range
I am trying to plan fixes for what the maintenance missed, and I seems I may need to create some of these, but there is zero documentation I can find for this operation.
Operation 'query_range', I understand, but it is odd that conditional_table_query_range is unmentioned (unless I have missed it)
One thing I have noticed is that query_range acls made by the system are always for role 'public' and the conditional_table_query_range ones have other roles attached.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-15-2025 07:26 PM
Thanks for the extra information, I will dig in a little and post what I find.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-15-2025 06:47 AM
Q. What are the conditional query ACLs and why are they used?
A. There are two types of ACLs: conditional and unconditional. Any ACL where the access to the data is dependent on individual records is a conditional ACL. Creating table level ACLs with conditional_table_query_range allows us to defer the exact access calculation to the field level, and enables to ensure that all the users that have existing read access get range query access, as well.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-15-2025 07:25 PM - edited 05-15-2025 07:30 PM
This is interesting, thanks, but I am still a little unclear. It sounds like it is for some kind of caching strategy to be more efficient to process?
Are you saying that if access to a task record is not dependent on a value on the task but, for example on the user being in a specific group, we should use query_range operation instead of conditional_table_query_range?
In contrast, if access is because the user is in the same company as company field on the task, we should use conditional_table_query_range?
Do you know if the system enforces correct usage, or will cause errors if you don't?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-18-2025 11:25 PM
The original maintenance KB has been updated with a brief mention of conditional_table_query_range, but I don't really understand what it fully means. My brain needs a concrete example.
