Hello!

So I have 3 custom roles, let's say their names are x_admin, x_lead, and x_user. I'm working on the assessment instance table [asmt_assessment_instance] and I'd like to limit read on metric type "xyz" depending on the 3 roles above.

So users with x_user roles should only see their own records (they submitted) of metric type xyz.

x_lead users can see their own record as well any x_users who is a part of their team. (teams are defined in a different table which I will call GlideRecord to work out the logic.) They are unable to see any other team's records besides their own.

x_admin can see all records of metric type xyz as well as all the teams's records.

I have 3 --None-- ACs and 3 * ACs set up, one for each role. (image attached as above.)

I've been trying to configure ACs the past few days but I can't seem to make it work. My current problem is that my current script for the x_user and x_lead and seems to work but upon enabling the AC for asmt_assessment_instance.* for x_admin, when I impersonate an x_lead, they access to everyone's record? I'm so confused because x_lead doesn't have any x_admin role in it but I'm not sure why one affects the other.

If possible, can someone give a better top-level view on how they would approach this?