How the ACL Admin Overrides option works
Description
When creating or modifying an ACL, one of the fields available is called Admin Overrides. This field sometimes can cause confusion because unchecking it and adding a role are not enough to prevent Admin users from accessing specific data.
This option permits users with the admin role to automatically pass the permissions check for this ACL rule regardless of what script or role restrictions apply. However, the nobody role takes precedence over the Admin Overrides option. If an ACL is assigned the nobody role, admin users cannot access the resource even when the Admin Overrides option is selected.If administrators must meet the permissions defined in this ACL rule to gain access to the secured object, uncheck this checkbox. Because administrators always pass role checks, use the condition builder or Script field to create a permissions check that administrators must pass.
This means that merely unchecking the Admin Override checkbox and adding a role are not enough to block Admin users from gaining access.
Solution
Add a condition in the condition builder or check the Advanced option and add a script that prevents the Admin user from gaining access.
For example, to prevent Admin users from accessing Table A:
- Create a read ACL.
- Uncheck the Admin Overrides option.
- (Optional) Add a role.
- Add a condition and/or a script and check the Advanced checkbox.
Example of a simple script:
var answer = true;
if (gs.getUser().hasRole('admin'))
{
answer = false;
}
Applicable Versions
All versions