ACL - Complete Overview

Definition:

Access Control Rules allow access to the specified resource if all three of these checks evaluate to
true:
1. The user has one of the roles specified in the Role list, or the list is empty.
2. Conditions in the Condition field evaluate to true, or conditions are empty.
3. The script in the Script field (advanced) evaluates to true, or sets the variable "answer"
to true, or is empty.
The three checks are evaluated independently in the order displayed above.

Fields on the ACL form:

Type Used for

Application Refers to the specific application to which the ACL applies to.
Operation Used to select the operation for which the access should be granted.
Active Decides whether the ACL is active or inactive.
Advanced Check Box Enables script editor
Admin Overides Allows admin to override the ACL.
Name Used to select the table and also specific field on the selected table.
Description Provides
Required Role Allows to select Roles to be granted with access
Condition builder ACL executes only if the condition meets. Can also be empty.
Script Script editor. (only available if the advanced checkbox is checked.

ACL Rule Types:

Record ACL Rules

Processor ACL Rules
Table ACL Rules
Field ACL Rules
UI page ACL Rules
Client-Callable Script Include ACL Rules

Record ACL Rules:

Record ACL processed in the following order.

Match the object against table ACL Rules

Match the object against field ACL Rules
Processor ACL Rules:

It specifies the processor you want to secure

Table ACL Rules:

It specifies the table you want to secure.

Field ACL Rules:

It specifies the field you want to secure from the slected table.

UI Page ACL Rules:

It specifies the UI page you want to secure.

Client-Callable Script Include ACL Rules

It specifes the script include that you want to secure.

NOTE:
All ACL rules honor (*) STAR rule if they can't find a more specific ACL for those
resources.

ACL execution watcher:

The ACL configuration watcher lets you know what related ACLs exist on a table when you
insert, update, or delete an ACL on the same table.

Show ACL execution plan:

Administrators can view how ACLs relate to each other by viewing an execution plan for
any ACL in the instance.

ACL security rules window:

Red highlight Deleted or deactivated

Blue highlight Modified
Green highlight Added or becomes active
Masked Was effective until you made a change
Unmasked Just made effective when you made a change
ACL Debug:

You can debug ACL by enabling security debug using application navigator.

ACL Rule output message:

ACL debugging displays ACL rule output message at the bottom of each list and forms.

The output message does the following,

1. Improves readability.
2. Includes context information.
3. Show the results of each type of ACL test.
4. To provide hyperlinks to the ACLs that run on the list or form.

Message Information:

Time The total time used to process this ACL rule

Information that uniquely identifies each ACL rule in the format: <ACL rule type>/<ACL rule
Path
name>/<Operation>
Context The object being evaluated by the ACL rule.
The return code of the ACL rule. A true value passes the ACL rule. A false value fails the ACL
RC
rule.
A brief summary of processors and scripts, followed by ACL results for each table-level and
field-level ACL evaluation. Most ACL evaluations show an overall pass or fail result
followed by a breakdown of the results for each type of ACL criteria:
Rule
Role
Condition
Script