How to configure Group Members (sys_user_grmember) edit capability, so that only the Group Manager is able to Edit the Groups so as to Add/Remove members from Group

Issue

This article demonstrates how to configure Group Members (sys_user_grmember) edit capability, so that only the Group Manager is able to edit (as in add/remove) members from the group.

Release

All releases

Resolution

Please keep in mind that this article falls beyond the scope of support as it is a customized implementation. Below are just suggestions for reference which we have provided here to help solve similar issues.

Create (or modify) the three record ACLs for table sys_user_grmember as per below:

1.1 Configure a READ ACL for sys_user_grmember table
1.2 Configure a WRITE ACL for sys_user_grmember table
1.3 Configure a DELETE ACL for sys_user_grmember

2. All above ACLs can have the same script code as per below:

var answer = false;
if( (gs.hasRole('user_admin')) || (current.group.manager == gs.getUserID() ) )
{ answer = true; }

3. Configure a CREATE ACL for sys_user_grmember, since adding group member involves the many to many relationship on the saved record when using slushbucket.

Below is the code suggestion to make the CREATE ACL work:

var answer = validate();
function validate(){
 if( gs.hasRole('user_admin') ) {
  return true;
 }
else{
  var manager = current.group.manager;
  if(manager !='' && manager == gs.getUserID())
  { //check in current relationship
    return true;
  }
  else { //check in parent relationship
    var parentManager = parent.manager;
    var parentName = parent.name;
    if(parentManager == gs.getUserID() )
    {
      return true;
    }
  }
 }
}