Simple ACL script not working

e_wilber
Tera Guru

Hi everyone,

I modified the OOB ACL for Incident (read) from: current.opened_by == gs.getUserID() || current.caller_id == gs.getUserID() || (current.watch_list.indexOf(gs.getUserID()) > -1)

to:

(current.opened_by == gs.getUserID() || current.caller_id == gs.getUserID() || (current.watch_list.indexOf(gs.getUserID()) > -1) || (gs.hasRole('event_group') && gs.getUser().isMemberOf(current.assignment_group)));

And it's not allowing read access. What I tried to add to the OOB condition is a check to see if the user has a custom role AND is a member of the assignment group. The other conditions should remain the same.

My test user has the event_group role and is in the assignment group of multiple incidents but they aren't seeing any records on the incident table.

This custom role does not inherit the itil role.

Any ideas what is misfiring?


Jaspal Singh
Mega Patron

Hi Eric,

Could you try using the code below.

(current.opened_by == gs.getUserID() || current.caller_id == gs.getUserID() || (current.watch_list.indexOf(gs.getUserID()) > -1)) || (gs.hasRole('event_group') && gs.getUser().isMemberOf(current.assignment_group));

Hi Jaspal,

Thank you for the suggestion. I tried it but the user is still unable to see any incidents. Any reason to suspect it would be easier to create a new read rule that just has my new logic and leave the original OOB?


Hi Eric,

Could you confirm under which conditions this should be visible. Once done I will help you with the script to be associated with that ACL.


Hi Jaspal,

My goal is to add new logic to the end of the out-of-box incident read ACL. The out-of-box one is: current.opened_by == gs.getUserID() || current.caller_id == gs.getUserID() || (current.watch_list.indexOf(gs.getUserID()) > -1)

All I want to do is add an exception to that where all of the above is still accurate BUT, if those fail and the user has my custom role AND is in my custom group, they get to see the incident data.

Below is what the security logs are showing. The one that's failing is the OOB incident read that requires the ITIL role. The one with the star is my new attempt to apply a new ACL instead of appending to the out-of-box one. The other one with three checks is the original code posted above.

Shouldn't I get access since I have all 3 checks?

[attached screenshot: security log]
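Added illustration, not part of the thread: a small JavaScript model of how a ServiceNow record-level ACL is evaluated, using stand-ins for the gs.* calls and constructed user and incident data. It assumes the platform rule that an ACL's required roles and its script are ANDed (a true script cannot rescue a missing role) while passing any one ACL for the same table and operation grants access; the ACL condition field is left out.

```javascript
// Constructed user with only the custom role (it does not inherit itil).
const user = {
  id: 'user001',
  roles: new Set(['event_group']),
  groups: new Set(['network_ops']),
};

// Constructed incident: the user is not opener, caller or watcher, but
// the assignment group is one of their groups.
const incident = {
  opened_by: 'user999',
  caller_id: 'user998',
  watch_list: ['user997'],
  assignment_group: 'network_ops',
};

// Stand-ins for the gs.* calls the thread's script uses (assumed semantics).
function makeGs(u) {
  return {
    getUserID: () => u.id,
    hasRole: (r) => u.roles.has(r),
    getUser: () => ({ isMemberOf: (g) => u.groups.has(g) }),
  };
}

// The modified script from the question, unchanged apart from the gs stand-in.
function modifiedScript(current, gs) {
  return (current.opened_by == gs.getUserID() || current.caller_id == gs.getUserID() ||
    (current.watch_list.indexOf(gs.getUserID()) > -1) ||
    (gs.hasRole('event_group') && gs.getUser().isMemberOf(current.assignment_group)));
}

// Inside one ACL, every required role must be held AND the script must be true;
// a script that returns true cannot rescue a failed role requirement.
function aclPasses(acl, u, current) {
  return acl.roles.every((r) => u.roles.has(r)) && acl.script(current, makeGs(u));
}

// Across ACLs for the same table/operation, passing any one grants access.
function canRead(acls, u, current) {
  return acls.some((acl) => aclPasses(acl, u, current));
}

// OOB incident read ACL with the script appended: it still requires itil.
const oobModified = { roles: ['itil'], script: modifiedScript };
// A separate read ACL requiring only the custom role, carrying the new logic.
const separateRule = {
  roles: ['event_group'],
  script: (current, gs) => gs.getUser().isMemberOf(current.assignment_group),
};
```

The script alone returns true for this user, yet the appended version never grants access because the itil role check in front of it fails; a separate rule keyed on the custom role does.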