- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-06-2022 12:43 PM
We are creating some new catalog items for HR and Payroll. I started with HR and have the catalog item completed, but now I need to hide the data from non-HR users. I created a read ACL as you can see in the attached image. To me it seems like it's setup correctly, but it's not working. If I impersonate an ITIL user, that user is able to see all of the variables and their values. I have confirmed that the ITIL user doesn't have the admin or Human Resources role that I'm using in the ACL. Any ideas what I might be doing wrong here? TIA
PS - The condition that was cut off at the bottom is just looking for the name of the item and is returning the correct number of matching records.
 
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-06-2022 07:37 PM
Go to the configuration for the variable, and in the permissions tab you can apply which roles can read, write, create.
Example
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-06-2022 07:37 PM
Go to the configuration for the variable, and in the permissions tab you can apply which roles can read, write, create.
Example
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-07-2022 06:41 AM
Thank you for the reply! After checking out this solution, it seems to work as expected. As a user who doesn't have read access, I am unable to see the data in the sc_req_item table, I'm not seeing the data if I create a report and look at it from a list view, or if I inspect the elements on the page using the browser's dev tools.
This does raise a couple of other questions for me though. Does this mean an ACL isn't the best path for hiding variable data on the form? Am I missing other possible "holes" in security where a user without the correct role could still find this data? Lastly, is there a way to quickly apply the roles to multiple variables on the form, or do I have to go one by one?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎10-07-2022 06:46 AM
These are essentially the "ACLs" for variables and is the recommended way. If you are looking to restrict the whole RITM & SCTASK, and not just the variables, then use the traditional ACLs.
Make sure you do not have any email notifications that contain the variables because it will still show in the email logs, etc.
And unfortunately you'll need to go through them one by one.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎12-13-2022 08:36 AM
I just tried this myself and it blocked the variables on the portal as well did I do something wrong?