ACL rules can be applied to various components such as records, tables, fields.
Record ACL Rules
Record ACL rules include table and field names.
- The table name specifies the table to secure. If a table has extending tables, then this table is called a parent table. ACL rules for a parent table work for its child tables as well.
- The field name specifies the field to secure. As a result of table extension, some tables share the same fields. ACL rule for a field in a parent table works for the same field in child tables as well.
ACL rules can restrict access to operations listed in the table below. See the ACL article to learn more.
Operation | Description |
---|
Create | Allows users inserting new records (rows) into a table. |
Read | Allows users displaying records from a table. |
Write | Allows users updating records in a table. |
Delete | Allows users removing records from a table. |
The processing of record ACL rules processes checking in the following order:
- Table ACL rules.
- Field ACL rules.
This order establishes hierarchy: first, users gain access to a more general object and then to a more specific one. To access a record, users must pass both table and field ACL rules.
- If a table ACL rule does not permit access, then access to all fields in the table is denied, even if the user meets the field ACL rule requirements.
- If a table ACL rule allows access, but a field ACL rule denies it, then access to the fields is denied.
Table ACL Rules
First, the table ACL rule must be passed. The base system includes wildcard (*) ACL rules that match any table or any column. So the user must always pass at least one table ACL rule. Access to some specific tables is secured by additional table ACL rules.
Table ACL rules processes checking in the following order:
- Table. For example, Incident.
- Parent table. In our example, it will be the Task table.
- Match any table name (*).
If a user does not meet any table ACL checks, the access is restricted to all fields in any tables. If a user meets a table ACL check, they are to pass the field ACL rules.
Field ACL Rules
When a table ACL rule is passed, field ACL rules start checking in the following order:
- Table and column name. For example, incident.number.
- Parent table and column name. For example, task.number, parent table of the Incident table.
- Any table (*) and column name. For example, *.number.
- Table and any fields (*). For example, incident.*.
- Parent table and any columns. For example, task.*.
- Any table (*) and any fields (*). For example, *.*.
The user must pass the field ACL rule; otherwise, access to the table fields will be denied. For example, a user wants to access the Number field in the Incident table. In this case, the user must first pass the table ACL rule.
If the first field ACL rule is passed, the ACL evaluation stops at the column level: the system stops searching other matching field ACL rules. For example, if user meets the requirements of the field ACL rule for incident.number, the system stops searching for other ACL rules that secure the Number field in the Incident table, i.e., only step 1 is taken.