Ability to see all users in the sys_user reference field irrespective of the domains

balakumar1 · ‎11-13-2014

Hi,

As per the default implementation, users in domain A can't see users in domain B if B is above A in hierarchy, or B is not in the hierarchy of A at all.

We would like users in domain A to see users in domain B in a sys_user reference field.

Is that possible? I feel that this could be a generic requirement across all users of ServiceNow. Wondering if there is already a solution for this.

Maintaining a second sys_user table is an option. But that seems to me like a complex option because the sys_id in the sys_user and sys_user1 table should remain same because in lot of scripts, many parts depend on sys_id. For eg. if(current.assigned_to == gs.getUserID()) {.... }

This will fail if the new sys_user1 table has a different sys_id for the user.

Any help please.

Regards,

Bala

alexander_kubra · ‎12-30-2014

Hi Bala,

I'd suggest adding the global_visibility=true attribute to the sys_user table - it will simply disable domain separation for that table. Basically it will allow you to keep the table sort of domain separated (as the sys_domain column still remains there) but you'll have to write your own ACLs or query Business Rules in order to get the needed "level of separation".

Hope it helps.

Alexander

View solution in original post

Michael Fry1 · ‎11-13-2014

You should be able to use a Query business rule.

balakumar1 · ‎11-14-2014

Hi Michael,

That's good idea. I tried it, but it isn't working. But if I copy and paste the script in the Query BR in Scripts Background and run it, it works. So, I'm sure the script works. It doesn't work only when it's in Query BR. Could you please help. Below is the script in my Query BR

var domain = new GlideRecord('some_table');

domain.addQuery('sys_id', 'sys_id_of_the_record_whose_domain_is_topdomain');

domain.queryNoDomain();

if(domain.next()) {

current.addDomainQuery(domain); // this adds topdomain, so the query should return all users

}

Michael Fry1 · ‎11-14-2014

Our SN instance was installed in 2009, so we use impersonate to see other domains from lower domains. Not sure if this will work for you, but here is the details.

Our Query business rule with condition: gs.getUser().domain != 'c90a2b444a3623120064ed56263be407' [checks to see if the user's domain is the top level]

Our Script looks like this:

// IMPERSONATE (SO WE CAN SEE USERS IN OTHER DOMAINS)

var sidUser = gs.getUserID();

var objSession = gs.getSession();

//impersonate system admin

objSession.impersonate('6816f79cc0a8016401c5a33be04be441');

//set to highest domain so you can see all Users

current.gs.getUser().sys_domain = 'c90a2b444a3623120064ed56263be407';

// UN-IMPERSONATE

objSession.impersonate(sidUser);

Maybe this will work for you?

balakumar1 · ‎11-17-2014

Hi Michael,

Thanks for your response. I have some questions.

1. If you impersonate admin and set the domain of the logged-in user to top domain, aren't you changing his domain forever?

2. This line of code doesn't seem to be using correct syntax

current.gs.getUser().sys_domain = 'c90a2b444a3623120064ed56263be407';

Leaving out current, it would look like gs.getUser().sys_domain = 'c90a2b444a3623120064ed56263be407';

Are you sure it would set the domain of logged-in user?

Thanks in advance for your help.

Michael Fry1 · ‎11-17-2014

1 - I don't believe so since it's in a query business rule on the sys_user table. We use this and have no problems.

2 - agree it does look strange but it seems to work. Maybe there is a better way to do it, but haven't looked at it.

For the users that use this, it works nicely with no problem. You might have to tweak it for your case.

Thanks