User acess rights using MemberOfGroups in hybris

Question

I have custome item type "Appeasement" , which contains attribute "appeasementStatus" of enum type "AppeasementStatusType" .

For customersupportagentgroup we dont have write access to item type "Appeasement" but I want to provide write access to attribute "appeasementStatus". I create below impex but this is not working as excepted. Is any think missing?

enter code here
$START_USERRIGHTS;;;;;;;;;
Type;UID;MemberOfGroups;Password;Target;read;change;create;remove;change_perm
UserGroup;customersupportagentgroup;;;;;;;;
;;;;Appeasement;+;-;-;-;-
;;;;AppeasementStatusType;+;+;+;+;-
;;;;Appeasement.appeasementStatus;+;+;-;-;-
$END_USERRIGHTS;;;;;;;;;

Answer 1

What you are trying to do is not possible this way. Check the following section from https://help.sap.com/viewer/d0224eca81e249cb821f2cdf45a82ace/1905/en-US/8b4aa00e866910148df2920f69d68b27.html

Attribute Permissions

Using attribute permissions allows you to explicitly assign permission to selected attributes of a certain type. Attribute-related permissions don't override type-related permissions. For example, if the type permission for a type is set to deny: <Change>, you cannot grant permission: <Change> to any of the attributes of that type. You can, however, set the type permission for that type to permission: <Change>, and then decide which of the attribute-related permissions you want to set to permission: <Change>, and which to deny: <Change>.

As a summary, the type-level permissions can not be overridden to make less strict at attribute-level.

The workaround is the other way round i.e.

1. Grant <write> access to customersupportagentgroup for the itemtype, Appeasement.
2. Deny <write> access to customersupportagentgroup for all the attributes, except appeasementStatus.