The ACL above is on the 'incident' table. A user with role 'itil' tries to update an incident record. What will happen?
The condition requires incident_manager role, which the user does not have.
Why this answer
The ACL (Access Control Rule) on the 'incident' table has a condition that must evaluate to true for the user to be granted access. In this case, the condition fails for a user with role 'itil' attempting to update the record, so the script does not set answer = true, resulting in a denial of the operation. Option D is correct because the condition failing means the ACL denies the write operation.
Exam trap
The trap here is that candidates often assume that having a role like 'itil' automatically grants update access, but ACLs require both the role and the condition to be satisfied, and a failing condition overrides the role-based permission.
How to eliminate wrong answers
Option A is wrong because ACLs do not prompt for credentials; they either allow or deny access based on conditions and roles, and credential prompts are handled by authentication mechanisms, not ACLs.
Option B is wrong because conditions are not ignored for write operations; ACLs evaluate conditions for all operations (read, write, create, delete) unless specifically configured otherwise.
Option C is wrong because the script only sets answer = true if the condition passes; since the condition fails, the script does not execute the line that sets answer = true, so the user is denied.