ACL configuration watcher

The ACL configuration watcher lets you know what related ACLs exist on a table when you insert, update, or delete an ACL on the same table.

The ACL configuration watcher is an interceptor window that displays every time you make important changes on the Access Control [sys_security_acl] table. It displays a security rules summary window where you can view ACLs related to the one you are modifying. You cannot modify any ACLs from the security rules window. To make any modifications, close the watcher window and go to those ACLs.

The ACL configuration watcher is available with the Geneva release.

The ACL configuration watcher does not appear in the following situations:
  • If you save or update an ACL record without actually making any changes.
  • If you make minor updates (not an insert or delete), such as updating scripts, conditions, and the admin-overrides option.
  • If the ACL record is not active.

ACL Security Rules window

The configuration watcher shows the ACL execution plan in the security rules pop-up window. The window uses the following elements:

Table 1. ACL configuration window elements

| Item | Description |
|---|---|
| Red highlight | An ACL that is deleted or deactivated. |
| Blue highlight | An ACL that is modified. |
| Green highlight | An ACL that is added or becomes active. |
| Masked | An ACL that was effective until you made a change. |
| Unmasked | An ACL that was just made effective when you made a change. |

Figure 1. Configuration watcher example
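
The rules above for when the watcher appears and how it highlights a change, modelled as an added example (not ServiceNow code and not part of the original page). It diffs two constructed snapshots of ACL records; the field names, the sys_id values, and the choice to treat any field other than script, condition and admin_overrides as an important change are assumptions.

```javascript
// Added example: a model of the watcher rules on this page, not ServiceNow code.
// Assumption: field names follow sys_security_acl columns; sys_id values are constructed.
const MINOR_FIELDS = new Set(["script", "condition", "admin_overrides"]);

// before/after are plain ACL records, or null (null before = insert, null after = delete).
function classifyChange(before, after) {
  const changed = Object.keys({ ...before, ...after })
    .filter((k) => (before || {})[k] !== (after || {})[k]);
  const wasActive = Boolean(before && before.active);
  const isActive = Boolean(after && after.active);
  let highlight = null;                                  // inactive before and after: no watcher
  if (wasActive && !isActive) highlight = "red";         // deleted or deactivated
  else if (!wasActive && isActive) highlight = "green";  // added or becomes active
  else if (wasActive && changed.some((k) => !MINOR_FIELDS.has(k))) highlight = "blue"; // modified
  return { appears: highlight !== null, highlight, changed };
}

// Diff two snapshots keyed by sys_id; unchanged records are left out of the report.
function reviewSnapshots(beforeList, afterList) {
  const before = new Map(beforeList.map((r) => [r.sys_id, r]));
  const after = new Map(afterList.map((r) => [r.sys_id, r]));
  const report = [];
  for (const id of new Set([...before.keys(), ...after.keys()])) {
    const b = before.get(id) || null, a = after.get(id) || null;
    const result = classifyChange(b, a);
    if (result.changed.length > 0) report.push({ sys_id: id, name: (a || b).name, ...result });
  }
  return report;
}

// Constructed sample: ACLs on the Private Task [vtb_task] table before and after an edit session.
const acl = (sys_id, name, operation, active, script = "") =>
  ({ sys_id, name, operation, active, script, condition: "", admin_overrides: true });
const BEFORE = [
  acl("acl-1", "vtb_task", "read", true),
  acl("acl-2", "vtb_task", "write", true, "answer = true;"),
  acl("acl-3", "vtb_task", "delete", true),
  acl("acl-4", "vtb_task.short_description", "write", false),
];
const AFTER = [
  acl("acl-1", "vtb_task", "read", false),                                       // deactivated
  acl("acl-2", "vtb_task", "write", true, "answer = gs.hasRole('admin');"),      // script only
  acl("acl-3", "vtb_task", "create", true),                                      // operation changed
  acl("acl-4", "vtb_task.short_description", "write", false, "answer = false;"), // stays inactive
  acl("acl-5", "vtb_task", "delete", true),                                      // inserted
];

for (const r of reviewSnapshots(BEFORE, AFTER))
  console.log(r.sys_id, r.name, r.highlight || "no watcher", r.changed.join(","));
```

Rows reported with no highlight, such as the script-only edit, are changes the watcher does not surface, so they need a separate review.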

Show ACL execution plan

Administrators can view how ACLs relate to each other by viewing an execution plan for any ACL in the instance.

Before you begin

Role required: security_admin

Procedure

  1. Elevate to a privileged role.
  2. Open an ACL that is a record-type ACL.
  3. Click Show ACL Execution Plan.

    The security rules window appears for the ACL.

    [Figure: An ACL execution plan]

    Table 2. ACL execution plan window

    | UI item | Description |
    |---|---|
    | Title | The name of the ACL. |
    | Tab name | Whether the ACL is create, read, write, or delete. |
    | Row level | Row-level ACLs that run on this table. |
    | Field level | Field-level ACLs that run only on this field (or column in the table). |

  4. Click Show all to show all related ACLs, including those ACLs that are overridden and generic ACLs that apply to all records. Overridden ACLs have a line through the name and generic ACLs have the wildcard character asterisk (*) for the name.
  5. Click Show Effective to show only the immediate ACLs related to the one you are viewing. This action hides the ACLs on tables from which the ACL table is extended and the generic wildcard (*) ACLs.

Use the ACL configuration watcher

Use the ACL configuration watcher after you elevate to security administrator.

Before you begin

Role required: security_admin

Elevate to a privileged role

Procedure

  1. Open an ACL that is a record-type ACL.
  2. Perform an action on the ACL, such as modifying it, or selecting an option from the context menu like Insert.
  3. If you modified any values on the Access Control form, right-click the header and select Save or click Update or Delete.

    The Security Rules window appears. The system has not yet performed the database action on the ACL, so the changes are not yet saved.

    These are examples of security rules on the Visual Task Board application's Private Task [vtb_task] table. See ACL configuration watcher for a description of the items on this window.

    [Figures: Deactivating an ACL; Adding an ACL; Deleting an ACL; Modifying an ACL]
  4. Just as with the execution plan, you can click Show all to show all related ACLs, including those that are overridden and generic ACLs that apply to all records, or click Show Effective to show only the immediate ACLs related to the one you are viewing.
  5. Hover your mouse over any of the ACLs to see a description.