Learn details about Deny-Unless ACLs.

Deny-Unless ACLs are evaluated with a "deny-unless" approach: the ACL defines the users that will NOT be denied. Said another way, the user is denied access unless the role, condition, and script requirements of the ACL are all met.

Important: Deny-Unless ACLs take priority over Allow-If ACLs in ACL evaluation because they are evaluated first. A failing Deny-Unless ACL denies access before any Allow-If ACL is considered.
A Deny-Unless ACL produces two outcomes:

  Evaluation outcome   Result
  Pass                 The defined roles, data conditions, security attributes, and script requirements are all met. Evaluation proceeds to the Allow-If ACLs.
                       Important: An Allow-If ACL must still grant access for the subject to be able to access the resource; passing a Deny-Unless ACL does not grant access by itself.
  Fail                 The Deny-Unless ACL is marked as failing and access is denied.
The following is a worked example of a Deny-Unless ACL:
  • The ACL has the roles sn_hr_core.manager and itil
  • The condition is active = true
  • The script is answer = gs.isLoggedIn();
The user is denied access unless all three requirements of this ACL are satisfied. For this Deny-Unless ACL to pass, a user needs either the sn_hr_core.manager or the itil role, must be accessing a record whose active field is true, and must be logged in. The Deny-Unless ACL fails if any of the three requirements is not met.
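The following is an added example, not ServiceNow product code: a small JavaScript model of the evaluation order described on this page, so the interaction between a Deny-Unless ACL and an Allow-If ACL can be exercised offline. The function names (requirementsMet, isAccessGranted, runExample), the user and record objects, and the Allow-If ACL are constructed for illustration; the user's loggedIn flag stands in for gs.isLoggedIn(), and treating every matching Deny-Unless ACL as required (any failing one denies) is an assumption of this model.

```javascript
// Added example (not ServiceNow code): models Deny-Unless / Allow-If evaluation order.
// Assumed names: requirementsMet, isAccessGranted, runExample, and all sample objects.

// The three requirements are the same for both ACL types: at least one of the
// listed roles (an empty list means no role is required), the record condition,
// and the script. Only the way the result is used differs between the types.
function requirementsMet(acl, user, record) {
  const roleOk = acl.roles.length === 0 || acl.roles.some((r) => user.roles.includes(r));
  const conditionOk = acl.condition(record);
  const scriptOk = acl.script(user, record);
  return roleOk && conditionOk && scriptOk;
}

// Deny-Unless ACLs are evaluated first. A failing one denies access outright
// (assumption: this applies to every matching Deny-Unless ACL). If all pass,
// an Allow-If ACL must still grant access; otherwise the result is a denial.
function isAccessGranted(denyUnlessAcls, allowIfAcls, user, record) {
  for (const acl of denyUnlessAcls) {
    if (!requirementsMet(acl, user, record)) {
      return { granted: false, reason: 'Deny-Unless ACL "' + acl.name + '" failed' };
    }
  }
  for (const acl of allowIfAcls) {
    if (requirementsMet(acl, user, record)) {
      return { granted: true, reason: 'Allow-If ACL "' + acl.name + '" granted access' };
    }
  }
  return { granted: false, reason: 'no Allow-If ACL granted access' };
}

// The Deny-Unless ACL from the example above: roles sn_hr_core.manager or itil,
// condition active = true, script answer = gs.isLoggedIn(). The constructed user
// object carries a loggedIn flag in place of gs.isLoggedIn().
const denyUnlessExample = {
  name: 'deny-unless example',
  roles: ['sn_hr_core.manager', 'itil'],
  condition: (record) => record.active === true,
  script: (user) => user.loggedIn === true,
};

// A constructed Allow-If ACL that grants access only to itil users.
const allowIfExample = {
  name: 'allow-if example',
  roles: ['itil'],
  condition: () => true,
  script: () => true,
};

// Constructed records and users covering the outcomes described above.
const activeRecord = { active: true };
const inactiveRecord = { active: false };
const itilUser = { roles: ['itil'], loggedIn: true };
const hrManager = { roles: ['sn_hr_core.manager'], loggedIn: true };
const noRoleUser = { roles: [], loggedIn: true };
const loggedOutItil = { roles: ['itil'], loggedIn: false };

function runExample() {
  const evaluate = (user, record) =>
    isAccessGranted([denyUnlessExample], [allowIfExample], user, record).granted;
  return {
    // Deny-Unless passes and Allow-If grants: access granted.
    itilActive: evaluate(itilUser, activeRecord),
    // Deny-Unless fails on the condition (active = false): denied before Allow-If is consulted.
    itilInactive: evaluate(itilUser, inactiveRecord),
    // Deny-Unless fails on the script (not logged in): denied.
    loggedOutActive: evaluate(loggedOutItil, activeRecord),
    // Deny-Unless passes (manager role, active, logged in), but no Allow-If grants: still denied.
    managerActive: evaluate(hrManager, activeRecord),
    // No required role at all: Deny-Unless fails.
    noRoleActive: evaluate(noRoleUser, activeRecord),
  };
}

console.log(runExample());
```

The managerActive case is the one the "Important" note warns about: the Deny-Unless ACL passes, but because no Allow-If ACL grants access to the sn_hr_core.manager user, access is still denied.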