A company wants to allow managers to view all incidents, but to edit only the incidents of their own direct reports. Which ACL approach is most efficient?
A script condition dynamically checks the relationship, making it scalable.
Why this answer
Option A is correct because it uses a read ACL to grant all managers view access to all incidents, and a separate write ACL with a script condition that dynamically checks whether the incident's assigned user is a direct report of the current manager. This approach is efficient as it avoids duplicating ACLs per manager or per group, leveraging a single script condition to enforce the manager–direct report relationship at runtime.
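To make the two-ACL design concrete, here is an added, stand-alone model of it (not code from the original page or from ServiceNow itself). The read ACL is a plain role check; the write ACL is a script condition that compares the assigned user's manager with the current user. Under ServiceNow the condition would read the incident through `current`, take the session user from `gs.getUserID()` and set `answer`; here those are replaced by plain objects and a return value so the logic runs under Node. The role name `manager`, the user and incident records, and their sys_ids are constructed sample data.

```javascript
// Constructed sample sys_user records keyed by sys_id. `manager` holds the
// sys_id of the user's manager, as the real sys_user.manager reference does.
const users = {
  u_mgr1: { sys_id: 'u_mgr1', name: 'Manager One', manager: null,     roles: ['manager'] },
  u_mgr2: { sys_id: 'u_mgr2', name: 'Manager Two', manager: null,     roles: ['manager'] },
  u_rep1: { sys_id: 'u_rep1', name: 'Report One',  manager: 'u_mgr1', roles: ['itil'] },
  u_rep2: { sys_id: 'u_rep2', name: 'Report Two',  manager: 'u_mgr2', roles: ['itil'] },
};

// Constructed sample incident records; `assigned_to` is a sys_user sys_id.
const incidents = [
  { number: 'INC0000001', assigned_to: 'u_rep1' },
  { number: 'INC0000002', assigned_to: 'u_rep2' },
  { number: 'INC0000003', assigned_to: '' },        // unassigned
];

// Read ACL (incident, read): any user holding the assumed `manager` role
// may view every incident. No script needed.
function canRead(currentUserId) {
  const user = users[currentUserId];
  return !!user && user.roles.includes('manager');
}

// Write ACL (incident, write): role check plus a script condition. The
// condition evaluates the manager/direct-report relationship at runtime,
// so one ACL covers every manager without per-manager rules or roles.
function canWrite(incident, currentUserId) {
  if (!canRead(currentUserId)) return false;          // role requirement first
  const assignee = users[incident.assigned_to];
  if (!assignee) return false;                        // unassigned or unknown: deny
  return assignee.manager === currentUserId;          // direct report of current user?
}

// The same condition as it would appear in the ACL's script field in
// ServiceNow (illustrative; relies on platform globals, not run here):
//   answer = current.assigned_to.manager.toString() === gs.getUserID();

// Evaluate both ACLs for one user over every sample incident.
function accessMatrix(currentUserId) {
  return incidents.map(inc => ({
    number: inc.number,
    read: canRead(currentUserId),
    write: canWrite(inc, currentUserId),
  }));
}

console.log(accessMatrix('u_mgr1'));
```

Note that the write check first requires the role; a scripted condition only narrows access that the ACL's role or condition fields already permit, which is why the unassigned incident and the other manager's report both come back as not editable.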
Exam trap
The trap here is that candidates often overcomplicate the solution by thinking they need separate ACLs or roles per manager, when a single scripted ACL condition can dynamically evaluate the manager–direct report relationship at runtime, which is both efficient and scalable.
How to eliminate wrong answers
Option B is wrong because using a business rule to set a field indicating editability and then an ACL on that field adds unnecessary complexity and latency; the ACL script condition can directly evaluate the relationship without needing an extra field or business rule. Option C is wrong because creating a separate role for each manager is not scalable and violates role-based access control best practices; roles should represent job functions, not individual users. Option D is wrong because creating separate write ACLs for each manager's direct reports is administratively unsustainable and does not scale as the number of managers or direct reports changes; a single scripted ACL is far more efficient.