sys_template.read ACL not allowing users to read

andypollino
Mega Expert

I'm tearing my hair out over this one.

I want to allow users access to templates based on User Criteria. To accomplish this, I've created a script include that evaluates whether a user belongs to a specific user criteria. The constructor takes a user_criteria sys_id, and the function userBelongs() evaluates whether the currently logged in user "belongs" to that User Criteria. It works to my satisfaction, as tested by background scripts and invoking from business rules. I made a custom field on the sys_template table called u_user_criteria that references the user_criteria table. I created a very simple user criteria that has a single user in the Users field and confirmed that my test user, Ben, met the conditions and that the script include agreed that he met the conditions.

I then added an ACL to the sys_template table:

Type: Record

Application: Global

Operation: Read

Active: true

Advanced: true

Admin overrides: true

Name: Template [sys_template]

Requires role: [blank]

Condition: [blank]

Script:

var foo = new UserCriteriaMatch(current.u_user_criteria);

answer = foo.userBelongs();

Yet, when I impersonate Ben, I don't see my desired record. I also don't see a line at the bottom of the page indicating that an ACL has restricted any records (I mention this because I previously ran into this problem while using others' solutions: Re: Make template available for multiple groups).

Hopefully you can help me!!

7 REPLIES 7

The gs.log opened a whole new area for more careful debugging that I'm embarrassed to admit I hadn't previously explored.



After lots of messages, I've discovered that current.u_user_criteria has never had a value (using the debug line gs.log("andy6 u_user_criteria: " + current.u_user_criteria);).



My system log when searching for messages that begin with "andy6 u_user_criteria" results in 9 records of exactly that with no sys_ids, as I'd expect.



This got me thinking about the number nine. Shouldn't I expect to see 120 entries for the 120 templates I have? Or at least 36 for the 36 that aren't otherwise visible to Ben? I do not know why this ACL isn't running on the template I'd like it to run on.


That's an interesting point, actually - do you see one log per ACL executed, or do you see one log line for each record the ACL evaluates? I'd have thought the former, but not tried it meself.



I've got a few other debugging tips if you want to explore further, but it sounds like you've got some deeper insight into the underlying workings now!


I saw one log line for each record the ACL evaluated.



I wasn't able to discern what the criteria was to have a record considered by that ACL.



I thought it might be every active, global, Incident template, so I added a user criteria to each of those and had logged the user criteria at the start of the ACL. Six of the nine log lines included a criteria (I expected nine since I updated all nine records that fit that set of conditions).



I did some simple testing and determined that "global=true" appears to be a requirement of the template record for the ACL to consider it. When I unchecked the "Global" box, but kept everything else the same, another test run eliminated the record from the log.



I have pretty much admitted defeat for the time being and might pick it up later, but knowledge is power and this new insight has given me the power to explore later. Thank you again for the assistance, and I'd be interested in those debugging tips for when I attack this roadblock again.
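
One way to write the ACL script discussed in this thread so that an empty u_user_criteria denies read access and every record the ACL evaluates leaves one log line. This is an added example, not code from any poster: it assumes `current` is a GlideRecord and that UserCriteriaMatch behaves as the original post describes, and the stub class, record ids and criteria ids below are constructed so the function can run outside an instance.

```javascript
// In the ACL's Script field this would be called as:
//   answer = evaluateTemplateReadAcl(current, gs, UserCriteriaMatch);
function evaluateTemplateReadAcl(current, gs, UserCriteriaMatch) {
  var tag = 'acl sys_template.read';
  var recordId = current.getUniqueValue();
  var criteriaId = current.getValue('u_user_criteria'); // null when the field is empty

  if (!criteriaId) {
    // Fail closed: an empty reference must never grant read access.
    gs.log(tag + ' record=' + recordId + ' u_user_criteria=<empty> answer=false');
    return false;
  }
  // Only an explicit boolean true from the script include grants access.
  var allowed = new UserCriteriaMatch(criteriaId).userBelongs() === true;
  gs.log(tag + ' record=' + recordId + ' u_user_criteria=' + criteriaId + ' answer=' + allowed);
  return allowed;
}

// ---- Constructed stand-ins (assumptions, not ServiceNow code) ----
function makeRecord(sysId, criteriaId) {
  return {
    getUniqueValue: function () { return sysId; },
    getValue: function (name) { return name === 'u_user_criteria' ? criteriaId : null; }
  };
}

// Hypothetical stub: the current user belongs to exactly one criteria record.
function StubUserCriteriaMatch(criteriaId) { this.criteriaId = criteriaId; }
StubUserCriteriaMatch.prototype.userBelongs = function () {
  return this.criteriaId === 'criteria-ben';
};

function runConstructedDemo() {
  var lines = [];
  var gs = { log: function (msg) { lines.push(msg); } };
  var records = [
    makeRecord('tmpl-1', 'criteria-ben'),   // user matches the criteria
    makeRecord('tmpl-2', 'criteria-other'), // user does not match
    makeRecord('tmpl-3', null)              // empty field, as seen in the thread's log
  ];
  var answers = records.map(function (r) {
    return evaluateTemplateReadAcl(r, gs, StubUserCriteriaMatch);
  });
  return { answers: answers, lines: lines };
}
```

Because each log line carries the record id, the system log shows exactly which templates the ACL was evaluated against, which is the question the thread leaves open.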