For accounts created in Foundry, you will usually want only the accounts and users in the hierarchy above an account to have permissions to view, edit, or delete the objects and users created by that account. However, there are situations in which you want an account that is not in the hierarchy to be able to view, edit, or even delete some of the objects too. In this case, you can use ACLs to grant other accounts and users permissions on these objects and users.
Steps for Configuring an ACL
To add an ACL, go to the 'Manage Sub Accounts' page.
Select the account for which you want to add an ACL by clicking the ‘i’ button on the far right. If you wish to create a new sub-account, step 3 will cover this.
Click the 'New Sub Account' button. Fill in all the required fields and click the 'Create' button. Then you will be transferred to the 'Edit Sub Account' page for this account.
Here is the 'Edit Sub Account' page. On the right side, there is a panel for adding and editing ACLs.
If you do not add an ACL to an account, all users of accounts that are in the hierarchy above this account, including users of this account, will be able to access this account.
The picture below demonstrates which accounts can access ‘Test Account 2’ if no ACL is added.
To add an ACL, click the 'Add new' button. Next, you can see the form for adding the ACL.
Consider each field in the form:
Grantee Account - The account receiving permissions. You can select from all accounts that are lower in the hierarchy.
Grantee User - User receiving permissions. You can select from users of accounts lower in the hierarchy.
Permissions to Objects - Actions (read, write or delete) that the grantee can perform on the objects of the account for which you configure the ACL. Select the check boxes that you need.
Permissions to User - Actions (read, write or delete) that the grantee can perform on the users of the account for which you configure the ACL. Select the check boxes that you need.
Add an ACL with the following parameters (see screenshot below). When finished, click the 'Save' button.
By creating this ACL you have just given all users of the 'TestAccount' account permissions to the 'Test Account 2' account. All users with permissions can now perform any actions with the objects of this account and can see the list of users of this account.
The new ACL has been added to the list.
If you want to remove the ACL, click the 'X' icon.
Next, in the pop-up window, click the 'Yes' button to confirm.
To see the users for whom this account is available, go to the 'Manage Users' page and select the account that you specified as the 'Grantee Account' in step 5 - ‘TestAccount’.
To add an ACL for a specific user, go back to the 'Edit Sub Account' page and click on the ACL rule you want to update. When finished, click the 'Save' button.
Now the user 'Tyler Griffith' can see the 'Test Account 2' account in the list of available accounts.
If you log out and log in as one of the users of the 'TestAccount' account, you will now be able to see the 'Test Account 2' account in the list of available accounts because the newly added ACL gives those permissions.
Because the permissions for users of the 'Test Account' account were set to read-only, any attempt to edit or delete results in an 'Access denied' error. The screenshot below is an example: an attempt to deactivate a user that is in your account 'Svetlana1'. Clicking the 'Deactivate' button produces the error message.
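The access rules walked through above can be modelled in a few lines to review who ends up with which permissions on an account. This is an added example, not Foundry code: the 'Root' and 'OtherAccount' accounts, the users 'admin', 'alice' and 'bob', Tyler Griffith's home account and his read-only grant are constructed. It assumes that hierarchy members keep full access and that ACLs only add permissions.

```python
from dataclasses import dataclass
from typing import Optional

ALL = frozenset({"read", "write", "delete"})
READ = frozenset({"read"})

# Constructed tree (account -> parent). "Root" and "OtherAccount" are hypothetical.
PARENT = {"Root": None, "TestAccount": "Root",
          "Test Account 2": "Root", "OtherAccount": "Root"}
# Constructed users (user -> home account); only Tyler Griffith is named on the page.
USERS = {"admin": "Root", "alice": "TestAccount",
         "Tyler Griffith": "OtherAccount", "bob": "OtherAccount"}

@dataclass(frozen=True)
class Acl:
    target: str                  # account the ACL is configured on
    grantee_account: str         # 'Grantee Account' field
    grantee_user: Optional[str]  # 'Grantee User' field; None = all users of the account
    objects: frozenset           # 'Permissions to Objects'
    users: frozenset             # 'Permissions to User'

def in_hierarchy(home, target):
    """True if `home` is `target` itself or an account above it."""
    node = target
    while node is not None:
        if node == home:
            return True
        node = PARENT[node]
    return False

def allowed(user, target, kind, action, acls):
    """kind is 'objects' or 'users'; action is 'read', 'write' or 'delete'."""
    home = USERS[user]
    if in_hierarchy(home, target):   # default access, no ACL needed (assumed full)
        return True
    for acl in acls:
        if acl.target != target or acl.grantee_account != home:
            continue
        if acl.grantee_user not in (None, user):
            continue
        if action in (acl.objects if kind == "objects" else acl.users):
            return True
    return False                     # corresponds to 'Access denied'

def outside_grants(target, acls, action="delete"):
    """Audit helper: users outside the hierarchy holding `action` via an ACL."""
    return sorted(u for u, home in USERS.items() if not in_hierarchy(home, target)
                  and any(allowed(u, target, k, action, acls) for k in ("objects", "users")))

ACLS = [Acl("Test Account 2", "TestAccount", None, ALL, READ),
        Acl("Test Account 2", "OtherAccount", "Tyler Griffith", READ, READ)]
```

Running `outside_grants` with `action="delete"` over an exported ACL list is a quick way to spot accounts outside the hierarchy that hold destructive permissions.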