In list view, ACLs on referenced dot-walked records are evaluated only against the specific displayed derived fields


When adding a Reference to a table and derived dot-walked fields from the referenced record to the List view on the original table, the ACLs on the referenced table do not have access to the full referenced record. Instead, they have access only to those specifically derived fields.

For example:

Add a reference field on Table A that references Table B.

Add derived fields to the List view of Table A.

When viewing a list of Table A records, the ACLs on Table B run, but the "current" inside those ACLs is a GlideRecord containing only the specifically derived fields displayed on the Table A list. This affects usability when allow/deny decisions are based on fields that are present in the full Table B record, but are not present when the Table B record is part of a list of Table A records.


Steps to Reproduce


  1. Create table test_table_a (col1, col2, col3)

  2. Create table test_table_b (col1, col2, col3)

  3. On Table A > add column > name = table_b; type = reference; reference = test_table_b

  4. Add read ACL on test_table_b

    1. admin overrides = false

    2. advanced = true

    3. script > answer = (current.isNewRecord() || current.col3 == 'foobar')

  5. Insert record into Table B (col1 = foobar, col2 = foobar, col3 = foobar)

  6. Insert record into Table A (col1 = foobar, col2 = foobar, col3 = foobar, table_b = <reference to foobar record inserted into test_table_b>)

  7. Configure test_table_a list configuration and add TableB.col2 (remove Table B reference, if there)

  8. Load List view on Table A and notice that TableB.col2 is not populated (go to Table B List view and see col2 value)


This is expected behaviour and working as designed. In order to optimize the performance of the list view, you can apply one of the following:

Workaround 1: Add the column referenced in ACL to the List view.

Adding the column to the List view results in the value being part of the query. When the ACL is executed, that column value is now present and can be evaluated correctly.


Workaround 2: Rewrite ACL to not depend on the current value for the field that is not in the List view.

The ACL can be rewritten to not depend on the current value for the column that is not displayed. If the ACL cannot be reworked to avoid using that column, it can query the value directly from the database using GlideRecord. Note: There is a performance hit to execute the additional query.
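
Workaround 2 applied to the read ACL from the steps above, as an added example (not ServiceNow's own code). It assumes the partial "current" still exposes the record's sys_id through getUniqueValue(); tableBReadAllowed, listRowCurrent, the sample rows and the small GlideRecord stand-in are constructed here so the script also runs outside an instance.

```javascript
// Constructed rows standing in for test_table_b (sys_id values are made up).
var SAMPLE_TABLE_B = {
  b1: { sys_id: 'b1', col1: 'foobar', col2: 'foobar', col3: 'foobar' },
  b2: { sys_id: 'b2', col1: 'foobar', col2: 'foobar', col3: 'other' }
};

// Offline stand-in for GlideRecord, covering only the calls used below.
// On an instance, drop this stub: the platform supplies the real class.
function GlideRecord(table) { this.table = table; this.row = null; }
GlideRecord.prototype.get = function (sysId) {
  this.row = SAMPLE_TABLE_B[sysId] || null;
  return this.row !== null;
};
GlideRecord.prototype.getValue = function (field) {
  return this.row && field in this.row ? this.row[field] : null;
};
GlideRecord.prototype.getUniqueValue = function () {
  return this.row ? this.row.sys_id : null;
};
GlideRecord.prototype.isNewRecord = function () { return false; };

// Hypothetical helper: builds the partial "current" an ACL sees for a list row,
// holding only the displayed derived fields (plus sys_id, by assumption).
function listRowCurrent(sysId, displayedFields) {
  var gr = new GlideRecord('test_table_b');
  gr.row = { sys_id: sysId };
  displayedFields.forEach(function (f) { gr.row[f] = SAMPLE_TABLE_B[sysId][f]; });
  return gr;
}

// Read ACL logic for test_table_b (hypothetical function name).
function tableBReadAllowed(current) {
  if (current.isNewRecord()) return true;
  var col3 = current.getValue('col3');          // null when col3 is not on the list
  if (col3 === null) {
    var full = new GlideRecord('test_table_b'); // extra query per evaluated row
    if (!full.get(current.getUniqueValue())) return false; // fail closed
    col3 = full.getValue('col3');
  }
  return col3 === 'foobar';
}

// In the ACL script field: answer = tableBReadAllowed(current);
```

The lookup runs only when col3 is absent from "current", so form views and lists that already display col3 do not pay for the extra query.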


Related Problem: PRB573139