Defining ACLs for a type except for one extension


#1

I have ACLs defined for Organization, but I specifically want to have them disabled for one type that extends Organization. Is this possible?


#2

Can you modify your ACL expression? If so, then you can use the typeIdent to condition the application of your ACL:

  • grant everyone with at least DefaultAccessRole to see instances of your target type,
  • otherwise apply the original expression to allow only users with permissions to see instances of other types.

e.g.

    {
      "id": "organization_privileges",
      "name": "Organization AclPrivilege",
      "typeName": "Organization",
      "canUpdate": "true",
      "canRemove": "false",
      "canModifyAcl": "false",
      "acl": {
        "expr": "typeIdent=='<excluded-type-ident>'? DefaultAccessRole : <original-expression>"
      }
    }

Alternatively, you should be able to directly disable ACLs on your type with EnableAclPrivilege, e.g. seed/EnableAclPrivilege/TypeExtendingOrganization_acl_controlled.json

    {
        "enabled" : false,
        "id" : "TypeExtendingOrganization_acl_controlled",
        "name" : "TypeExtendingOrganization Acl Controlled",
        "typeName" : "TypeExtendingOrganization"
    }

#3

I would suggest a modified version of the above: create a specific AclPrivilege for the type that you don’t want ACLs on and give access to everyone in that. I would not suggest having an EnableAclPrivilege to turn it off on that type.
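The AclPrivilege that #3 describes, written out as an added example rather than something posted in this thread. It reuses only the fields shown in the AclPrivilege in #2 and grants everyone holding at least DefaultAccessRole access to the extending type, so the Organization privilege keeps its original expression untouched. The seed path, the id and the choice of `DefaultAccessRole` as the whole expression are assumptions for illustration; adjust them to your application.

```json
{
  "id": "TypeExtendingOrganization_privileges",
  "name": "TypeExtendingOrganization AclPrivilege",
  "typeName": "TypeExtendingOrganization",
  "canUpdate": "true",
  "canRemove": "false",
  "canModifyAcl": "false",
  "acl": {
    "expr": "DefaultAccessRole"
  }
}
```

Assumed location: seed/AclPrivilege/TypeExtendingOrganization_privileges.json, alongside the Organization privilege. Keeping the open grant on a separate AclPrivilege scoped to the extending type means a later change to the Organization expression cannot accidentally widen or narrow it, and ACL enforcement itself stays on for the type, which is the point of #3’s objection to EnableAclPrivilege.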