perfectglitch
Kilo Contributor

Hi,

Recently we had to solve a situation where certain users weren't supposed to see columns in lists based on their company.

Problem: ServiceNow add_to_list ACL operation does not support ACL scripts.

Reason: Security checks initiated in the ListMechanic Script Include bypass the ACL script (only role requirements are checked).

Solution:

  1. Disable the UI Policy that hides the script field on the ACL form. The name of the UI Policy is "Hide Condition and Script for add_to_list ACL".
  2. Modify ListMechanic Script Include method applyRules:

applyRules: function(cls, tableName) {
    var avail = cls.getColumns();
    var sm = GlideSecurityManager.get();

    // Fetch the first record of the table that the current user can read; it is
    // passed to hasRightsTo() so that the ACL script is evaluated, not just roles.
    // If the user cannot read any row, next() returns false and the script sees
    // an empty record, so the script should decide on user attributes, not current.
    var grs = new GlideRecordSecure(tableName);
    grs.query();
    grs.next();

    // Walk the available columns; i is only advanced when a column is kept,
    // because remove(i) shifts the following choices down by one position.
    for (var i = 0; i < avail.getSize();) {
        var c = avail.getChoice(i);
        var name = c.getValue();
        var url = "record/" + tableName + '.' + name + "/add_to_list";

        //var canAdd = sm.hasRightsTo(url, null); // original: no record, role check only
        var canAdd = sm.hasRightsTo(url, grs);     // with a record the ACL script runs too
        if (canAdd) {
            i++;
            continue;
        }
        avail.remove(i);
    }
},

Acknowledgements:

  1. Maybe there's a better way to initialize the GlideRecordSecure object without actually having to perform a query.
  2. I don't know how these modifications will affect our next upgrade.

Cheers,

Stas

Last update: 08-26-2015 09:48 AM