Analyzing ACL data

Usage Analytics measures how often ACL rules allow or deny users to see database query results.

The system evaluates access control rules that use script-based permissions after fetching records from the database. If a user passes the script-based permissions, the system allows the user to see the records. If a user fails the script-based permissions, the system denies the user access by discarding any records from the results that match the access control rule.

To help determine how often the system is performing such unneeded database queries, Usage Analytics collects information about each row-level access control transaction:
  • The table name.
  • The results of the permission check as the value allowed or denied.
  • The number of times row record access was allowed or denied.

Sending information to Usage Analytics

When a user is tries to access records that are restricted by ACLs, the discarded records can be sent to Usage Analytics. Administrators can add and enable a property to control the sending of this information to Usage Analytics. The property must be added to the System Properties [sys_properties] table.

Property Description Default
glide.secury.event.acl_db_eval.send When enabled, this property sends lists of restricted records to Usage Analytics. false