Hi all, a tine security rule nut for a Friday afternoon 🙂
My aim is to limit read access to Comunity sheets, to certain groups.
I have been able to restrict the ability to create and publish Community sheets to only the custom Role = 'Editor':
- Disable the default rule: CreateAppObjectsPublishedApp
- Create rule:
- Resource filter: App.Object_*
- Actions: Create
- Conditions:
!resource.App.stream.Empty() and
resource.App.HasPrivilege("read") and
(resource.objectType = "userstate" or resource.objectType = "sheet") and
user.roles = "Editor"
(Not sure what the objectType "userState" is, but left that in from the CreateAppObjectsPublishedApp rule.)
This works. Only Editors get the 'Edit' button, and they can create and publish Community sheets.
Now the part I need some guidance
Lets assume 4 users:
- Alice - Group A - Editor
- Allan - Group A - Normal user
- Betty - Group B - Editor
- Bob - Group B - Normal user
Alice and Betty can create Comunity sheets, but neither Allan og Bob can. (This works at the moment.)
But currently, both Allan and Bob can the the Community sheets that Alice created.
My aim is that only Allan can see the the Commmunity sheet that Alice created. And only Bob can see the sheet that Betty created.
My plan
The way I see it, the first step is to:
A) Find what default rule allows the users to Read Community sheets, and disable that.
B) Create a new rule that takes into account the Group of the user and the owner.
Does anyone have any suggestion to this?
Thanks a lot in advance. Any tips and partial solutions are welcome. 🙂
Cheers,
Vegard
