Understanding Acess Control List (ACL) Admin Overrides - Support and Troubleshooting

Understanding Acess Control List (ACL) Admin Overrides Issue  When creating or modifying an Access Control List (ACL) one of the fields available is called Admin Overrides. This field sometimes can cause confusion, since only unchecking it and adding a role are not enough to prevent Admin users to access specific data.

Admin Overrides:

As per documentation: Select this check box to have users with the admin role automatically pass the permissions check for this ACL rule. Admin users pass regardless of what script or role restrictions apply. However, the nobody role takes precedence over the admin override option. If an ACL is assigned the nobody role, admin users cannot access the resource even when Admin overrides is selected.

Clear this check box if administrators must meet the permissions defined in this ACL rule to gain access to the secured object. Since administrators always pass role checks, use the condition builder or Script field to create a permissions check that administrators must pass.

That means that only unchecking the Admin Override checkbox or unchecking the Admin Override checkbox and adding a role are not enough to block Admin user to gain access. It's necessary to add a condition in the condition builder or check the Advanced option and add a script preventing Admin to have access

For example you want prevent Admin users to access table A.

Steps you should follow:

Create an read ACL Uncheck the Admin Override Optional - Add a role Add a condition and/or a script (checking the advance checkbox) Example of a simple script:

var answer = true; if (gs.getUser().hasRole('admin')) { answer = false; } Release All versions