03-07-2022 06:54 AM
Suppose the following table is created and data is set.
In this case, we would like to use ACLs to control whether the data can be displayed or not at the record level.
For example, we would like to control that "columnC = 0 is hidden for users with a certain role".
I thought it would be possible to control it by using the ACL's Condition etc., but I could not control it well.
We would appreciate it if you could tell us if there is a way to control it.
03-07-2022 09:46 AM
Hi Ohki,
You can achieve this requirement either using 1 Business Rule or 2 ACLs.
1. The Business Rule approach is as follows:
Note: Make sure to replace the itil role in the Condition with your role, and use 'columnC_Name', '!=', '0' in the query.
2. The ACL approach is as follows:
The first Read ACL gives read access to all records of this table to all users with the itil_admin role.
The second Read ACL gives read access (to all users with the itil role) to only those records of this table where Age != 111.
Hopefully this will resolve your problem.
03-08-2022 02:14 AM
Thank you for the details.
Please allow me to confirm something about "2. ACLs".
We are currently looking to apply record-level access control to the ds_document table.
We have created a user "TEST AAAAAA" who has been granted the itil role.
Then, as you explained, we set the following in the read ACLs:
- Grant all users with the itil_admin role read access to all records in this table.
- All users with the itil role have read access only to records with Default Version=3.0.
In the above state, when the proxy operation was performed by the "TEST AAAAAA" user, the following results were obtained.
When you open a record from the document module, you will see
A "security constraints prevent access to requested page" error occurred and the record could not be displayed.
I think the cause is that the ACL settings are not functioning properly, but how can I get the "TEST AAAAAA" user to display the records?
Can you show records with only Default Version=3.0?
Sorry for the basic question, but we would appreciate it if you could confirm this for us.
〇"TEST AAAAAA" user's settings
〇ACL settings for itil_admin
〇ACL settings for itil
〇Impersonate User(TEST AAAAAA)
〇When you open a record from the document module, you will see
A "security constraints prevent access to requested page" error occurred and the record could not be displayed.
03-08-2022 09:25 AM
It would be better if you could check whether ITIL User (a user having the itil role) and User ITIL (a user having the itil_admin role) are able to read a list of records as defined in the read ACLs.
If they are able to read records properly, then we need to debug security rules as follows:
1. Open the following module:
2. A new window will open; minimize it and make sure not to close it.
3. Impersonate the TEST AAAAA user and open the list of records from the ds_document table.
4. You will see a lot of log records, some passed (in green color) and some failed (in red color), as follows:
5. Find your respective ds_document table and observe which rule is failing.
6. To stop debugging, click on the following module:
For reference: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0523743
Hopefully the culprit can be identified then.
03-09-2022 06:40 AM
Thank you for the details.
I checked with the debug security rule and found that the error is caused by the role's permissions, as shown in the image below.
However, I think I am able to grant roles to users, set ACLs, etc. correctly.
I thought the error might be caused by an existing ACL set in the ds_document table, so I set Active=false for all existing read ACLs in this table, but the error still persisted.
Is there any way to analyze this?
We are trying this in the developer environment.
03-09-2022 07:43 AM
Just click on ACL as shown below:
You will find something like this:
The Name field, in your case, will be equal to something like ds_document_list; in my case it is equal to u_friends_list.
Then you can either modify it or set it to False as per your requirements. In case you cannot open it as specified above, just open the ACLs table, apply a filter and open the ACL which is on your table as follows:
This ui_page type read operation ACL basically restricts users other than the specified role (in my case admin) from accessing the table, irrespective of their having a record type read operation ACL.
If the Name field = tableName, like ds_document, then users failing the ACL will not have access to the form view of the table/existing records or be able to create new records.
If the Name field = tableName_list, like ds_document_list, then users failing the ACL will not have access to the list view of the table/existing records.
Hopefully this will resolve your query.
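As an added illustration (not part of this thread and not ServiceNow's own code), the following Node.js model evaluates read access the way the answers above describe it: record read ACLs on the same table are alternatives, each pairing a role with a condition, while a ui_page ACL on ds_document_list is a separate gate that blocks the list page no matter what the record ACLs say. The ACL rows, records and users are constructed, and the simplified evaluation order is an assumption, not the full ServiceNow ACL engine.

```javascript
// Constructed model of the read-access behaviour described in this thread.
// Not ServiceNow code: the evaluation rules are simplified to what the
// answers state (same-level record ACLs are alternatives; a ui_page ACL on
// "<table>" or "<table>_list" is a separate gate on the form/list page).
const acls = [ // constructed rows mirroring the thread's scenario
  { type: 'record', name: 'ds_document', active: true, role: 'itil_admin', condition: () => true },
  { type: 'record', name: 'ds_document', active: true, role: 'itil', condition: r => r.default_version === '3.0' },
  // The pre-existing ACL the 03-09 answer points at: list page limited to admin
  { type: 'ui_page', name: 'ds_document_list', active: true, role: 'admin', condition: () => true },
];
const records = [ // constructed
  { sys_id: 'doc1', default_version: '3.0' },
  { sys_id: 'doc2', default_version: '2.0' },
];
const PAGE_ERROR = 'Security constraints prevent access to requested page';

const hasRole = (user, role) => user.roles.includes(role);
const activeAcls = (list, type, name) =>
  list.filter(a => a.active && a.type === type && a.name === name);

// Record level: any one active read ACL whose role the user holds and whose
// condition the record satisfies grants access to that record.
function canReadRecord(user, table, record, list) {
  return activeAcls(list, 'record', table)
    .some(a => hasRole(user, a.role) && a.condition(record));
}

// Page level: if a ui_page ACL exists for this page, the user must hold its
// role; it is checked before any record is evaluated.
function canOpenPage(user, page, list) {
  const gates = activeAcls(list, 'ui_page', page);
  return gates.length === 0 || gates.some(a => hasRole(user, a.role));
}

// What the user sees when opening the list view of `table`.
function visibleInList(user, table, recs, list) {
  if (!canOpenPage(user, table + '_list', list)) return { error: PAGE_ERROR, rows: [] };
  const rows = recs.filter(r => canReadRecord(user, table, r, list)).map(r => r.sys_id);
  return { error: null, rows };
}

// The fix suggested in the thread: set the blocking ui_page ACL to inactive.
function deactivate(list, name) {
  return list.map(a => (a.name === name && a.type === 'ui_page' ? { ...a, active: false } : a));
}

const testUser = { name: 'TEST AAAAAA', roles: ['itil'] }; // constructed
console.log(visibleInList(testUser, 'ds_document', records, acls)); // error: PAGE_ERROR, rows: []
console.log(visibleInList(testUser, 'ds_document', records, deactivate(acls, 'ds_document_list'))); // rows: ['doc1']
```

Once the ui_page gate is inactive, the itil user sees only the Default Version=3.0 record while the itil_admin user sees every record, which is the outcome the two record ACLs were meant to produce.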
03-10-2022 02:29 AM
Thank you very much.
I will check with what you have taught me.
We will contact you again with the result of the confirmation.