ACL at field level

Job1 · ‎08-31-2022

Hi

I created this Read ACL on sys_user field email.

I put a simple condition of if email does not contain @1234 then only sn_hr_core.case_writer role can read this field.

However, it just hides it everywhere now, even if the condition is not met...

Tom Sienkiewicz · ‎08-31-2022

Yes, by adding a new ACL for a field, you're basically masking whatever more generic ACLs were allowing to do earlier.

SN will check ACLs from most specific to most generic, so it will first check your ACL to say it a user can acess the field or not. Your ACL basically now says "only allow to see the email field if the User has "sn_hr_core.case_writer" role AND the field does not contain @1234 ".

which probably is not quite what you meant.

To mitigate this you need another ACL for same field, saying if email DOES contain @1234, allow roles X, Y, Z to see it (you need to figure out which roles should then see this field).

View solution in original post

Tom Sienkiewicz · ‎08-31-2022

Yes, by adding a new ACL for a field, you're basically masking whatever more generic ACLs were allowing to do earlier.

SN will check ACLs from most specific to most generic, so it will first check your ACL to say it a user can acess the field or not. Your ACL basically now says "only allow to see the email field if the User has "sn_hr_core.case_writer" role AND the field does not contain @1234 ".

which probably is not quite what you meant.

To mitigate this you need another ACL for same field, saying if email DOES contain @1234, allow roles X, Y, Z to see it (you need to figure out which roles should then see this field).