Advanced ACL configuration

In addition to creating new ACLs or modifying existing ones, you can configure other aspects of ACL functionality.

Task: Apply ACL script conditions to reference fields
Description: Enable a property to allow script conditions to apply to reference fields if you want to control access to the data that a reference field displays on a form or in a list. Enabling this property might affect the performance of your instance.

Task: Apply ACLs to AJAXGlideRecord (client-side Glide record)
Description: Apply ACLs to GlideAjax API calls so that the system queries only the data that the currently connected user has rights to access.

Task: Evaluate the admin override at the access level
Description: Force ACL evaluation for admin overrides at the access level. By default, users with the admin role automatically pass the permissions check for this ACL rule when the Admin Overrides option is selected on the ACL rules form.

Apply ACL script conditions to reference fields

If you want to enable script conditions for reference fields, you can add a system property.

By default, script conditions are not applied to reference fields, which is intended to improve instance performance. To enable script conditions for reference fields, add the following system property.

Table 1. System property
Property: glide.sys_reference_row_check
Description: Controls whether the script conditions of Access Control Rules apply to a table's reference fields.
  • Type: true | false
  • Default value: false
  • Location: Add to the System Properties [sys_properties] table

Apply ACLs to AJAXGlideRecord (client-side Glide record)

From within client scripts, it is possible to query arbitrary data from the server via the AJAXGlideRecord (renamed GlideAjax) API, by using syntax similar to a server-side glide record. This is an extremely powerful and useful tool in many deployments.

If you choose to apply access control lists (ACLs) to GlideAjax API calls, then you can query only data that the currently connected user has rights to access. For example, if the user is logged in as an ESS user who has no rights to read the cmn_location table, then any GlideAjax API call by the user will fail.

If you run the system without ACL checking on GlideAjax calls, then the API can return information that the currently logged-in user could not otherwise access via the UI.
Note: Set this property in System Properties > Security.

Property: Apply standard security ACLs to AJAXGlideRecord calls
Default: ACL checking enforced

Evaluate the admin override at the access level

If you want to force ACL evaluation for admin overrides at the access level, you can add a system property.

Before you begin

Role required: security_admin

About this task

ACLs are evaluated cumulatively. If there are a number of ACLs on any given field and the Admin Overrides option is false (not selected) on one of them, then the effective admin overrides for all the ACLs are considered to be false. As a result, admins cannot pass even the ACL where the override should be in effect.

Procedure

Add the following property to the system properties table:
Property: glide.security.admin.override.accessterm
Description: Evaluates the admin override condition at the access term level.
  • Type: true | false
  • Default value: true for new instances, false for upgrades.
  • Location: Add to the System Properties [sys_properties] table
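
The two properties above are not present until someone adds them, and the default for glide.security.admin.override.accessterm depends on whether the instance was newly provisioned or upgraded. The following is an added example, not ServiceNow code: it resolves the effective value of both properties from an export of sys_properties rows. The row shape ({ name, value }), the instanceOrigin parameter, and the function names are assumptions made for this example.

```javascript
// Added example (not ServiceNow code). Defaults are the ones stated on this page.
const ACL_PROPERTIES = {
  'glide.sys_reference_row_check': { new: false, upgraded: false },
  'glide.security.admin.override.accessterm': { new: true, upgraded: false },
};

// Accept only the two values the page lists for Type: true | false.
function parseBool(raw) {
  const v = String(raw).trim().toLowerCase();
  return v === 'true' ? true : v === 'false' ? false : null;
}

// rows: [{ name, value }] exported from sys_properties (assumed shape).
// instanceOrigin: 'new' | 'upgraded' | undefined (hypothetical parameter).
function resolveAclProperties(rows, instanceOrigin) {
  const byName = new Map(rows.map((r) => [r.name, r.value]));
  const report = {};
  for (const [name, defaults] of Object.entries(ACL_PROPERTIES)) {
    if (byName.has(name)) {
      const parsed = parseBool(byName.get(name));
      report[name] = parsed === null
        ? { effective: null, source: 'invalid' }
        : { effective: parsed, source: 'explicit' };
    } else if (defaults.new === defaults.upgraded) {
      // Same default either way, so an absent row is unambiguous.
      report[name] = { effective: defaults.new, source: 'default' };
    } else if (instanceOrigin === 'new' || instanceOrigin === 'upgraded') {
      report[name] = { effective: defaults[instanceOrigin], source: 'default' };
    } else {
      // Default differs between new and upgraded instances and the origin
      // is unknown: the property should be set explicitly.
      report[name] = { effective: null, source: 'indeterminate' };
    }
  }
  return report;
}

// Constructed sample export: one property set, one absent, one unrelated row.
const sampleRows = [
  { name: 'glide.sys_reference_row_check', value: 'true' },
  { name: 'x_example.unrelated.property', value: '30' },
];
console.log(resolveAclProperties(sampleRows));
```

A source of indeterminate means the admin override behavior cannot be known from the export alone; adding the property with an explicit value removes the dependency on instance history.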