All ACL scopes provide the option to apply additional logic using JavaScript by enabling the “Use extra condition script” setting.
This mechanism allows you to refine access rights beyond the standard scope, items, and rights configuration.
Purpose of the extra condition script
The extra condition script is evaluated at runtime and determines whether the ACL rule applies in a specific context.
It enables advanced, dynamic permission logic based on:
Values of other parts (fields)
Object metadata (such as phase or state)
User-related context
Relationships or document properties
Custom business rules that cannot be expressed with static ACL configuration
How it works
When Use extra condition script = No
The ACL is applied purely based on scope, items, rights, and Personas.
When Use extra condition script = Yes
The ACL is only applied if also the JavaScript expression evaluates to true.
If the script returns false, the ACL rule is ignored for that situation.
Script behavior
The script must return a boolean value (true or false).
JavaScript can reference parts, values, and system information using the available replace tokens (for example #REPLACE-PARTVALUE-…#).
The script does not replace the ACL configuration, but adds an extra conditional layer on top of it.
Typical use cases
Examples of when to use an extra condition script:
Grant edit rights only when the object is in a specific phase
Restrict access to documents based on a selected category
Allow certain Personas to act only if another field has a specific value
Apply different permissions depending on related object data
Important notes
⚠️ Best practice
Use JavaScript conditions only when standard ACL configuration is insufficient.
Overusing scripts can make access rules harder to understand and maintain.
⚠️ Debugging
Incorrect or incomplete scripts may result in unexpected access behavior. Always test ACLs thoroughly after adding or changing JavaScript conditions.
