Can the modify rights to "Name" and "Agent Host Name" of a resource be restricted?
Can the modify rights to "Name" and "Agent Host Name" of a resource be restricted?
I am trying to create a sandbox for developers and want to give them as close to full control as possible to their project, artifacts, and resources. the issue I am currently running into is on the resources. If I give them modify rights to the resource, they will have the ability to change the "Name" or "Agent Host Name" to invalid or worse other resource values (production for example).
I would like to restrict the ability on just those two values yet let them have modify to the rest of the resource. Is this possible?
Best Answer
No, ACLs cannot be attached to intrinsic properties (in fact, ACLs cannot be attached to any properties -- that would be way too much overhead to manage). You can only put ACLs on property sheets, and on objects (like the resources) themselves.
The solution is to use a factory procedure - the ACL on the resource grants permissions to the trusted project containing the procedure, and the procedure performs the modification on behalf of the user, after checking the parameters to make sure that they are not attempting to change things in ways they are not permitted to do.
I was afraid the answer is no. Thank you for the workaround though I truly believe it is not an appropriate solution.
Unfortunately this information will force us to evaluate the pros of providing the sandbox versus the cons of the counter-intuitiveness this extra layer would introduce.
I'll enter an enhancement request in the hopes it can be properly addressed in a future release.
