Access Control for Fields on a Type


Is it possible to define ACLs on fields of a type?

For example, our type has 10 fields and one of them is PII. We need to be able to deny access to the single PII field while providing them read access to other 9.

We tried creating the PII field as a separate entity type, denying access to that type and then creating a reference type field on our original type. It appears though, if you have read access to the original type then you can access the reference type regardless of the permissions.


Field-level ACLs are not supported at this time.

The approach you describe should work. Couple of follow-up questions:

  1. Did you ACLEnable the entity type holding the PII value(s)?
  2. Did you Enable ACLs (create a EnableAclPrivilege record for the type with enable==true)

If the type is AclEnabled, Acls are populated, and the AclPrivilege is enabled, it should work.

Documentation on Access Control (an In Depth article) can be found in the C3 Documentation site, accessible through Help->Documentation in Console.

  1. Did you ACLEnable the entity type holding the PII value(s)?
  2. Did you Enable ACLs (create a EnableAclPrivilege record for the type with enable==true)

After creating the types/objects below, when I do a PiiTest.fetch() from the Pii User, I get a “not authorized” error.

But when I do Test.fetch({include: "this,piiData.field1"}), I can see the piiData.field1 in the response.


entity type Test schema name "TST" {
  field: string
  piiData: PiiTest

entity type PiiTest mixes AclEnabled<PiiTest> schema name "PII_TST" {
  field1: string
  field2: string


  "id": "NonPiiRole",
  "name": "NonPiiRole",
  "description": "Allows all access to specified types below.",
  "permissions": [
      "access": "allow",
      "typeName": "Test",
      "action": "read"


  "id": "NonPiiGroup",
  "name": "NonPiiGroup",
  "roles": [
      "id": "NonPiiRole"


  "id": "pii_user",
  "name": "PII User",
  "groups": [
    { id: "NonPiiGroup" }

EnableAclPrivilege Record:

  "id": "PiiTest_EnableAclPrivilege",
  "name": "PiiTest_EnableAclPrivilege",
  "enabled": true,
  typeName": "PiiTest"

You’re getting “not authorized” error. because you’re missing a third point that will basically connects your user to instances of PiiTest.
You can enable the platform to create those connections by creating an instance of AclPrivilege like:

      "id": "PiiTest_privileges",
      "name": "PiiTest AclPriviledge",
      "typeName": "PiiTest",
      "canUpdate": "true",
      "canRemove": "false",
      "canModifyAcl": "false",
      "acl": {
        "expr": "<some-expression-that-returns-user-id>"

After that, run PiiTest.populateAcl() and you will see the user (or one of its AdminGroups or one of its Roles) inside field acl of PiiTest. Check this discussion Limit Data visibility with ACLs

Also, ACL does not work at field level, but only at instance level.


I want the user to get a “not authorized” error. The issue is the lack of “not authorized” error when that user accesses PiiTest from the Test type.

Desired functionality for Pii User:
PiiTest.fetch() == “Not Authorized”
Test.fetch() == Returns data for fields defined directly on this type
Test.fetch({include: “this,piiData.field1”}) == “Not Authorized” or it does not return piiData.field1


PiiTest.fetch() == “Not Authorized”

I guess because in the role you give access to read action that probably grant access with get and not fetch, I believe if your user does PiiTest.get(‘the-id’) he will get the data and this is why Test.fetch is returning the field.

Again it’s better to limit data visibility with ACLs rather than limiting the actions.


PiiTest.get() returns “Not Authorized” as expected.

I do have Acls enabled on the type by mixing AclEnabled and my understanding is that the lack of an ACL entry denies read access to the type and therefore running populateAcl() would allow data access which is the opposite of what I’m trying to achieve.


Running populateAcl() would not allow data access as your user will not show up on the acl field of any instance of PiiTest simply because you did not create an AclPrivilege.

Do you have a read method on your Test, because in your Role you’re allowing the user to only call this function (which explains the Not Authorized). Here is a discussion on how to check what permissions a given user has. If you want the user to read, then use actionGroup instead.

I don’t know what the system uses to access but it seems it’s using something else than fetch and get to retrieve the piiData field.