OK, this is going to get a little detailed (but I hope it will make sense if you follow my logic!). And if you don't want to follow my logic, skip to the end of the post! B)
As mentioned above, the NSQL construct;
AND @WHERE:SECURITY:RESOURCE:RESOURCE_ID@
will implement the "where the executing user has some rights over the RESOURCE_ID resource"...
..if you "Preview" any NSQL containing that construct you will see that it actually turns into some simple SQL that validates the access rights against a VIEW on the database;
AND RESOURCE_ID in (select object_instance_id from odfsec_resource_v2 where user_id = [color=#FF0000]<<user id of the executing user>>[/color])
If we look at the definition of that view in the database we see it is defined as;
select user_id, object_instance_id from cmn_sec_chk_user_v0 where object_id=664 and permission_code='ResourceView';
And now look at the definition of that second view [font=Courier New]cmn_sec_chk_user_v0[font] we can see that it contains the user_id (the executing user) and object_instance_id (the resource id) that the NSQL construct is ultimately using, but this view ALSO contains the name of the type of access (in the Permission_Code column) that the user_id has over the object_instance_id.
So we can exploit that by picking out the specific Permission_Code that we are interested in! :grin:
--
The answer then;
Just include the following code in your NSQL instead of that original construct;
AND RESOURCE_ID in
(select object_instance_id from cmn_sec_chk_user_v0
where user_id = @WHERE:PARAM:USER_ID@
and object_id = 664
and permission_code in ('prTimeEntry','prApproveActuals','TimeSheetAccess')
)
(RESOURCE_ID being whatever you call the column in
your code, the @WHERE:PARAM:USER_ID@ is just picking up the id of the 'executing user' and the list of permission_code values is just my [color=#FD0303]
guess[color] at what you mean by your somewhat vague statement "
timesheets they have rights to" - you need to check those rights and ensure they are the correct ones for
your functional case)
...
So thats really what I meant when I said "you'll need to be "coding" that explictly" :vader: