Group Manager should be able to remove/add people to the group

Community Alums

Hi Team,

 

I have written Create/Write/Delete ACLs so that only the group manager can remove/add users to the group:

 

I have created 3 table-level ACLs, which are sys_user_grmember.None, with the script condition as below:

 
answer = false;
if (current.group.manager == gs.getUserID())
    answer = true;
 
and role assigned is ITIL
 
When I opened the sys_user_grmember table, it was showing the fields (User, Group) as read-only.

To avoid this, I have written 4 more ACLs, which are for the Create and Write operations on
sys_user_grmember.User and
sys_user_grmember.Group
with role as ITIL and the same script condition as above, which is:
 
answer = false;
if (current.group.manager == gs.getUserID())
    answer = true;
 
Now when I, as Group Manager, open the sys_user_grmember form and click on the New button, I am able to add/remove users without any issue.

But when I go to the group table, scroll down to the related list called Group Members, click on the Edit button and add members, it shows as added, but when I scroll down the related list, it is not added.
In other words, I am not able to add members from the Group Members related list.
 
 
1 ACCEPTED SOLUTION

Sohail Khilji
Kilo Patron

Hi @Community Alums ,

 

Create ACL(‘sys_user_grmember’)
The create ACL works a little bit differently because we don’t have access to ‘current.group.manager’ before the record is created. Because of this, you need to open up create permissions to the role that your group managers will have. Typically these managers will have the ‘itil’ role anyway so you can just set up your ‘create’ ACL with the ‘itil’ role defined in the related list at the bottom of the ACL.
 
‘Restrict Changes to Group Managers’ business rule
Opening up the create ACL is necessary for this configuration to work, but needs to be backed up by some additional security in the form of a ‘before’ business rule. The business rule performs a secondary check on insert/update of the group member record to ensure that the user is actually a group manager or has the ‘user_admin’ role. If not, it aborts the insert/update and alerts the user.

 

Please follow the steps below on your ACL to set Group.manager is dynamic true:

After selecting the above option, please select group-->group fields

Now select Manager

Now select is Dynamic me

Put it in all the ACLs for create and write written for the table "sys_user_grmember"

If you want admins to perform all the actions, please mark admin Overrides to 'true'; this means that the ACL will not apply for the admins.


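The 'before' business rule described in the accepted solution above, sketched as an added example (not code from the original post or from ServiceNow). The function name restrictToGroupManagers and the fakeGs/fakeMember stand-ins are hypothetical, constructed so the check runs outside an instance; on the instance the function body goes in a 'before' insert/update rule on sys_user_grmember.

```javascript
// Added example: secondary check behind a role-only ('itil') create ACL.
// restrictToGroupManagers is a hypothetical name; on the instance this body
// sits inside the rule's executeRule(current, previous) wrapper.
function restrictToGroupManagers(current, gs) {
    // Dot-walk to the group's manager; '' + coerces the GlideElement to a sys_id string.
    var managerId = current.group.manager + '';
    // A group with no manager must not match anyone.
    var isManager = managerId !== '' && managerId === gs.getUserID() + '';
    if (isManager || gs.hasRole('user_admin')) {
        return true; // let the insert/update proceed
    }
    gs.addErrorMessage('Only the group manager can change group membership.');
    current.setAbortAction(true); // cancel the database operation
    return false;
}

// Constructed stand-ins for gs and current so the rule can be run offline.
function fakeGs(userId, roles) {
    return {
        messages: [],
        getUserID: function () { return userId; },
        hasRole: function (role) { return roles.indexOf(role) !== -1; },
        addErrorMessage: function (msg) { this.messages.push(msg); }
    };
}
function fakeMember(managerId) {
    return {
        group: { manager: managerId },
        aborted: false,
        setAbortAction: function (flag) { this.aborted = flag; }
    };
}

// An itil user who is not the manager passes the role-only create ACL,
// but the rule aborts the write and queues an error message.
var gsItil = fakeGs('user_b', ['itil']);
var row = fakeMember('user_a');
restrictToGroupManagers(row, gsItil);
```
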

2 REPLIES

Sumanth16
Kilo Patron

Hi @Community Alums ,

 

Try Below ACL Script with no role

Create Delete and Write ACL on table level (‘sys_user_grmember’) 

check advanced 

in script write below

 

if (typeof parent != 'undefined' && parent.manager == gs.getUserID()) {
    answer = true; // Allow access if the user is the manager of the parent group
} else {
    answer = false;
}

 


 

Thanks & Regards,

Sumanth Meda