
Tip

Role required: security_admin.


Use ACL (Access Control List) to specify which users and/or processes are allowed to access objects, as well as which operations are allowed on those objects.

In SimpleOne, ACL rules check users against a set of requirements before they are allowed to work with the data.

ACL in detail

ACL rules specify:

  • The object to secure.
  • The operation to secure.
  • The required permissions to be met.

Objects


ACL restricts access to an object. Each object consists of the type and the name of a table, field, or record.

The following table gives examples of objects:

Type   | Table                    | Column    | Object Secured
-------|--------------------------|-----------|------------------------------------------
record | Problem (itsm_problem)   | (not set) | The Problem table.
record | Incident (itsm_incident) | active    | The Active field in the Incident table.

Operations


In ACL, the term operation refers to a valid action performed on the specified object. Multiple operations can be performed on some objects, such as records.

This table gives examples of operations:

Operation | Table         | Column    | Operation Secured
----------|---------------|-----------|---------------------------------------------------------------------------------------------------------
[Create]  | itsm_problem  | (not set) | Creating records in the Problem table. Generated ACL record name is [Create].itsm_problem
[Write]   | itsm_incident | active    | Updating the Active field in the Incident table. Generated ACL record name is [Write].itsm_incident.active

Permissions


The permissions specify the details of access to the named object and operation. Responsible persons should specify permissions with the following information:

  • User role or roles in the Role field.
  • Conditions.
  • A script returning true or false, or setting the answer variable to true or false.

See the Create ACL Rules article to learn more.

To perform a particular operation on a specific object, a user must pass ALL permissions listed in the access control rule. For example, to access an active record in the Article table, a user must meet the following conditions:

Permission type | Requirement                  | Description
----------------|------------------------------|-------------------------------------------------------------------------------------
Roles           | Required role: service_owner | Only users with the service_owner role can read articles.
Condition       | Owned by is (dynamic) Me     | The article is available to the owner of the Content Item this article is related to.

Info

An empty condition always returns true.



Info

The acl.disabled property allows you to disable all ACL checks.

To disable security checks, follow the steps below:

  1. Navigate to System Properties → ACL Property.
  2. Find the acl.disabled property using the list search boxes and open it.
  3. In the Value field, enter true to disable ACL or false to enable it.
  4. Click Save or Save and exit.

Warning

If you enable this property, you may damage your SimpleOne instance, so use it carefully and do not forget to turn it off after completing the necessary operations.


How ACL evaluates permissions



  1. When the data is requested, the system checks if there are ACL rules related to the requested object and operation.
  2. If a matching rule is found, the system checks the user against all the requirements and then either permits access to the object and operation or denies it.
  3. If the user does not meet one of the requirements, the system restricts access.
    • The system checks all rules related to the requested object. If the user does not meet all ACL requirements for the requested object and operation, the system denies access.

Note

If the requested object and operation do not have related ACLs, the user gets access. However, this is a rare case: a set of default access control rules protecting all record operations is delivered in the out-of-the-box configuration.
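The evaluation steps above, as an added example that is not SimpleOne's own code: a small model in which every requirement (role, condition, script) of every matching rule must pass, an empty condition is true, a field-value condition on a create rule is always false, and a request with no related rule is granted. The rule shapes, the sample table and field names, and the handling of the answer variable are assumptions.

```javascript
// Added example, not SimpleOne's code: rule shapes, field names and `answer` handling are assumptions.

// Constructed sample rules, named like the generated ACL records on this page.
const RULES = [
  { name: '[Read].article', table: 'article', column: null, operation: 'read',
    roles: ['service_owner'],
    condition: { field: 'owner', test: (v, u) => v === u.id },   // "Owned by is (dynamic) Me"
    script: null },
  { name: '[Write].itsm_incident.active', table: 'itsm_incident', column: 'active', operation: 'write',
    roles: ['itsm_agent'], condition: null,
    script: (ctx) => { ctx.answer = ctx.record.state !== 'closed'; } }, // sets answer, returns nothing
  { name: '[Create].itsm_problem', table: 'itsm_problem', column: null, operation: 'create',
    roles: [], condition: { field: 'active', test: (v) => v === true }, script: null },
];

function ruleMatches(rule, req) {
  return rule.table === req.table && rule.operation === req.operation && rule.column === (req.column || null);
}

// Empty condition -> true. On create, a condition on a field value is always false,
// because fields of a new record are regarded as empty until it is saved.
function checkCondition(rule, req, user) {
  if (!rule.condition) return true;
  if (req.operation === 'create') return false;
  return rule.condition.test(req.record[rule.condition.field], user);
}

// A script may return true/false or set ctx.answer; an explicit return value wins.
function checkScript(rule, req, user) {
  if (!rule.script) return true;
  const ctx = { record: req.record, user, answer: false };
  const returned = rule.script(ctx);
  return (returned === undefined ? ctx.answer : returned) === true;
}

// All requirements of every matching rule must pass; with no matching rule, access is granted.
function evaluateAcl(rules, req, user) {
  const matching = rules.filter((r) => ruleMatches(r, req));
  if (matching.length === 0) return { allowed: true, reason: 'no related ACL rule' };
  for (const rule of matching) {
    if (rule.roles.length > 0 && !rule.roles.some((r) => user.roles.includes(r)))
      return { allowed: false, reason: `${rule.name}: role requirement failed` };
    if (!checkCondition(rule, req, user))
      return { allowed: false, reason: `${rule.name}: condition failed` };
    if (!checkScript(rule, req, user))
      return { allowed: false, reason: `${rule.name}: script answered false` };
  }
  return { allowed: true, reason: 'all requirements met' };
}
console.log(evaluateAcl(RULES, { table: 'article', operation: 'read', record: { owner: 'u1' } }, { id: 'u1', roles: ['service_owner'] }).reason);
```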

Access denial has different effects on what the user can see or do, depending on the ACL rule itself. For example, if read access is denied, the system restricts the user from viewing the object. Depending on the object, the user does not see the fields, records in a list, or UI pages.

The table below lists the results of failing an ACL rule for a particular operation and object type.

Operation | Result of ACL rule failing

Create

The New user interface action is not displayed on pages for the user. Users cannot insert records into tables via API protocols either.

If there is a condition in the create ACL that specifies a field value, it always returns false. In newly created records, fields are regarded as empty until the record is saved.

Read

The form and list objects are not displayed to the user. Users cannot retrieve records via API protocols either.

Write

The form fields are not editable for the user: they are read-only. Users cannot update records via API protocols either.

Delete

The Delete user interface action is not displayed on forms for the user. Users cannot delete records from tables via API protocols either.

