Process order for record ACL rules

Record ACL rules are processed in a certain order.

Record ACL rules are processed in the following order:
  • Match the object against field ACL rules.
  • Match the object against table ACL rules.

This processing order ensures that users gain access to more specific objects before gaining access to less specific ones.

A user must pass both field and table ACL rules in order to access a record object.
  • If a user fails a field ACL rule but passes a table ACL rule, the user is denied access to the field described by the field ACL rule.
  • If a user fails a table ACL rule, the user is denied access to all fields in the table even if the user previously passed a field ACL rule.
Figure 1. ACL matching
ACL matching