
perfectglitch
Kilo Contributor

Hi,

Recently we had to solve a situation where certain users weren't supposed to see columns in lists based on their company.

Problem: ServiceNow add_to_list ACL operation does not support ACL scripts.

Reason: The security checks initiated in the ListMechanic Script Include bypass the ACL script (only the role requirements are checked).

Solution:

  1. Disable the UI Policy that hides the Script field in the ACL. The name of the UI Policy is "Hide Condition and Script for add_to_list ACL".
  2. Modify the applyRules method of the ListMechanic Script Include:

applyRules: function(cls, tableName) {
    var avail = cls.getColumns();
    var sm = GlideSecurityManager.get();
    // Build a GlideRecordSecure for the table so that a record can be handed
    // to the security manager; with a record present the ACL script is
    // evaluated instead of only the role requirements.
    var grs = new GlideRecordSecure(tableName);
    grs.query();
    grs.next();
    // Walk the candidate columns. i is only advanced when a column is kept,
    // because remove(i) shifts the remaining entries down by one.
    for (var i = 0; i < avail.getSize();) {
        var c = avail.getChoice(i);
        var name = c.getValue();
        var url = "record/" + tableName + '.' + name + "/add_to_list";
        //var canAdd = sm.hasRightsTo(url, null);   // original: no record, roles only
        var canAdd = sm.hasRightsTo(url, grs);      // pass the record so the ACL script runs
        if (canAdd) {
            i++;
            continue;
        }
        avail.remove(i);
    }
},

Acknowledgements:

  1. Maybe there's a better way to initialize the GlideRecordSecure object without actually having to perform a query.
  2. I don't know how these modifications will affect our next upgrade.

Cheers,

Stas

Last update: 08-26-2015 09:48 AM