ACL for HR Case

Jon23 · ‎04-30-2015

We are currently implementing HR Service Management and have a requirement where an assignment group can restrict case access to their assignment group only.

I have achieved this by adding a new field on the form 'Restrict Case Access' and a new read ACL rule:

Everything appears to work as expected, however, my question is, should I be using 'hr_Factory.getSecurityManager(current, gs).canRead()' as many of the other HR ACL rules appear to be using - after reading the wiki I am confused on how to work with these custom wrappers.

Am i creating issue for myself by not using the wrappers?

Jon23 · ‎06-29-2015

still seeing the error after changing the code:

org.mozilla.javascript.EcmaError: "plt_hr_caseSecurityManager" is not defined.


     Caused by error in Script Include: 'hr_Factory' at line 53






         50:             switch (_gr.getTableName()) {


         51:                 case "hr_case":


         52: gs.log("JW-DEBUG: HR CASE");


==>   53:                         return plt_hr_caseSecurityManager.getSecurityManager(_gr, _gs);


         54:                 default:


         55: gs.log("JW-DEBUG: DEFAULT");


         56:                         return hr_BaseFactory.getSecurityManager(_gr, _gs);

jppasala · ‎06-29-2015

Hi jwalton,

Can you please verify that the script include : "plt_hr_caseSecurityManager" exists? If I am reading the error right, it is stating that the script include "plt_hr_caseSecurityManager" is not defined (the script file name and class are same - usually a convention).

Probably, you have the script file name and class name defined correctly but can you double check?

Thanks,
JP

Jon23 · ‎06-30-2015

Thanks JP!

The error was being caused by having an upper case 'C' for the script include name and and a lowercase 'c' for the classes.

plt_hr_CaseSecurityManager vs plt_hr_caseSecurityManager

I'm still having issues with my ACL working correctly (restrict query!?) but at least there is no error in the log

jppasala · ‎06-30-2015

Hi Walton,

This usually means that the restriction in your code is probably not what you want. Is the code being too restrictive or not too restrictive? Here is what you can do to diagnose the issue:

- Add log messages to indicate whether the user is permitted or not permitted to see the details.

- Turn on the "System Diagnostics" > "Debug Security".

- The logs at the bottom of screen will indicate which function authorized the user to view the record.

Thanks,
JP

Brian O_Donnell · ‎07-20-2015

Did you get past the restrict query issue? I am having what appears to be a similar issue where it is being too restrictive and I am looking for some help.

Thanks!