‎06-04-2021 01:00 AM
Hello everyone!
Our change manager requested that the change calendar should be made available for users without the itil role. To meet demands, I created and edited the ACLs for the Change Request table, making the fields Number and Short description available for the role "Public".
However, when testing I noticed that this configuration made the records available for users who were not logged in through our MFA. Since the information could be sensitive, we only want it accessible for users who are logged in but don't necessarily have any role.
To solve this, I added the following script to the Read ACL on the Change_Request.none-rule:
if (gs.isLoggedIn()) {
    answer = true;
}
When testing, it was working as intended. I tested by impersonating users with roles and without roles and could see the records. And when I tried to access the report (change calendar) when not logged in, I couldn't access any records.
When I then moved this to production, it was evident that users were facing issues. Most users were not able to access the records anymore. However, when I impersonated the users I could see the records, but when they shared their screen I could confirm that they couldn't access them (neither through the Change Calendar nor the Change_request table for an ITIL user).
So I commented out the code for isLoggedIn(); and the users could access the records again. But of course this makes the records available for users who are not logged in, which we don't want.
So can anyone explain why this isn't working for me and how I can resolve it?
Why is isLoggedIn() returning false for logged-in users?
Why is the experience different from the user's perspective and when I impersonate the user?
‎07-27-2022 02:07 PM
Please try this in ACL advanced script
gs.getSession().isLoggedIn();

‎06-04-2021 01:06 AM
Use this:
var session = gs.getSession();
var loggedIn = session.isLoggedIn();
gs.info(loggedIn);