Security rule grants access in form/list but not in related list

Ivar Donado · ‎11-07-2023

We created a m2m related list for a client between Applications and Knowledge Articles. I then created a couple security rules: One for table level and one for all fields in the m2m table, they both use the same script that checks if the user can read both the application and the article and if so it grants access (Ignore the itil role in the screenshot, I was just making a test there):

This is indeed allowing users to see the record in this related list. However, users can't see dot-walked fields there, even though they can see those fields in the knowledge or application tables without issues:

I used the debug security tool, and found that the culprit is one ACL which simply uses the script:

new KBKnowledge().canRead(current);

This ACL is granting access to users in the kb_knowledge form and list but it's denying access in the related list. You would then think "Ok, if new KBKnowledge().canRead(current); is not granting this access, that must mean users don't have access to the record in that related list!" and I wouldn't blame you for that, but the ACL that handles table level access does grant it in the related list:

At this point I am banging my head against the desk. I don't see any logic here. There must something I am overlooking but I can't figure out what.

Ivar Donado · ‎02-21-2024

I forgot to come back and add the solution and the root cause: Apparently, Security rules that use the "current" object are unable to properly work on related lists. So I had to make an additional Security rule on both the knowledge and Application's table that didn't use the current object at all, only roles and the condition builder to make this work.

View solution in original post

SanjivMeher · ‎11-07-2023

You also need m2mtable.None ACL...I think you added m2mtable.*

Please mark this response as correct or helpful if it assisted you with your question.

Ivar Donado · ‎11-08-2023

I have both rules as mentioned in the post, and that's why users can at least see the records in the m2m table and their fields, just not the dot-walked fields from knowledge.

Ivar Donado · ‎02-21-2024

I forgot to come back and add the solution and the root cause: Apparently, Security rules that use the "current" object are unable to properly work on related lists. So I had to make an additional Security rule on both the knowledge and Application's table that didn't use the current object at all, only roles and the condition builder to make this work.