ACL & User Criteria - Not Working
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-12-2025 08:52 AM - edited 03-12-2025 08:53 AM
Hey Everyone,
I’m working on setting up user criteria and ACLs for knowledge base (KB) articles and need some guidance to ensure proper access control.
My Current Setup:
- A user criteria is defined at the KB base level.
- An ACL of type "read" on the kb_knowledge table is also in place.
Requirements:
- Security, Privacy, Compliance, and EHS – Articles in these domains should be visible to all internal users.
- Global Security:
- Overview and general policies should be visible to internal users.
- Other Global Security policies should be visible only to users with Policy Reviewer, Approver, Owner, or Owning Group Member roles.
- Public Safety – Articles should be accessible to the sn_public_group.
- People+Places, CommOps, and Global Safety – Articles should be visible to internal users.
Despite the user criteria and ACLs, access isn't working as expected. I’d appreciate any suggestions on refining my approach, whether it’s adjusting user criteria, modifying ACLs, or other best practices.
Thanks in advance for your help!
ACL : Defined at kb_knowledge table Type: Read Role: internal
var user_id = gs.getUserID();
var answer = false; // Default to deny access
var isUserInFieldsOrGroups = false; // Track if user matches fields or groups
//gs.info("Evaluating ACL for user ID: " + user_id);
// Define the fields to check for the user ID
var fields = ['u_policy.approvers', 'u_policy.reviewers', 'u_policy.owner'];
// Check if the user is in the specified fields
fields.forEach(function(field) {
var tableGR = new GlideRecord('kb_knowledge');
tableGR.addQuery('u_policy.u_domain', 'Global Security');
tableGR.addQuery('sys_id', current.sys_id);
tableGR.addQuery(field, 'CONTAINS', user_id);
tableGR.setLimit(1); // Limit to one result for efficiency
tableGR.query();
if (tableGR.hasNext()) {
//gs.info("User found in field: " + field);
isUserInFieldsOrGroups = true; // Match found in fields
answer = true;
}
});
// If not found in fields, check user's group membership
if (!isUserInFieldsOrGroups) {
var myGroups = gs.getUser().getMyGroups().toArray().join(',');
if (myGroups) {
var groupGR = new GlideRecord('kb_knowledge');
groupGR.addQuery('u_policy.u_domain', 'Global Security');
groupGR.addQuery('sys_id', current.sys_id);
groupGR.addQuery('u_policy.owning_group', 'IN', myGroups); // Check group ownership
groupGR.setLimit(1); // Limit to one result for efficiency
groupGR.query();
if (groupGR.hasNext()) {
//gs.info("User is part of a valid policy-owning group.");
isUserInFieldsOrGroups = true; // Match found in groups
answer = true;
}
}
}
// General Policies check (mandatory)
var generalPolicyGR = new GlideRecord('kb_knowledge');
generalPolicyGR.addEncodedQuery('u_policy.u_domain=Global Security^u_policy.u_sub_domain=General Policies');
generalPolicyGR.addQuery('sys_id', current.sys_id);
generalPolicyGR.setLimit(1); // Limit to one result for efficiency
generalPolicyGR.query();
if (generalPolicyGR.hasNext()) {
//gs.info("General Policies match found.");
answer = true; // Grant access if General Policies match
}
// Additional Policy checks for other domains
var otherPolicyGR = new GlideRecord('kb_knowledge');
otherPolicyGR.addEncodedQuery('u_policy.u_domain=Information Security^ORu_policy.u_domain=Compliance^ORu_policy.u_domain=Privacy^ORu_policy.u_domain=EHS^ORu_policy.u_domain=CommOps^ORu_policy.u_domain=Global Safety^ORu_policy.u_domain=Employee Relation');
otherPolicyGR.addQuery('sys_id', current.sys_id);
otherPolicyGR.setLimit(1); // Limit to one result for efficiency
otherPolicyGR.query();
if (otherPolicyGR.hasNext()) {
//gs.info("Other Policies match found.");
answer = true; // Grant access if user matches any of these domains
}
// Log the final decision
//gs.info("Final access decision: " + answer);
// Policy checks for Public Safety Domain
var publicSafety = new GlideRecord('kb_knowledge');
publicSafety.addEncodedQuery('u_policy.u_domain=Public Safety');
publicSafety.setLimit(1); // Limit to one result for efficiency
publicSafety.query();
if (publicSafety.hasNext()) {
if (gs.getUser().isMemberOf('sn-publicgroup')) {
answer = true;
} else {
answer = false;
}
}
User Criteria at kb base level:
// Get the current user ID
var answer = (function(user_id) {
var isUserInFieldsOrGroups = false; // Initialize as false
// Define the fields to check for the user ID
var fields = ['u_policy.approvers', 'u_policy.reviewers', 'u_policy.owner'];
// Check if the user ID is in any of the specified fields
fields.forEach(function(field) {
var tableGR = new GlideRecord('kb_knowledge');
tableGR.addQuery('u_policy.u_domain', 'Global Security');
tableGR.addQuery(field, 'CONTAINS', user_id);
tableGR.setLimit(1); // Limit to one result for efficiency
tableGR.query();
if (tableGR.hasNext()) {
isUserInFieldsOrGroups = true; // User matches one of the fields
return true;
}
});
// If not found in fields, check if the user belongs to a valid owning group
if (!isUserInFieldsOrGroups) {
var myGroups = gs.getUser().getMyGroups().toArray().join(','); // Fetch user's groups
if (myGroups) {
var groupGR = new GlideRecord('kb_knowledge');
groupGR.addQuery('u_policy.u_domain', 'Global Security');
groupGR.addQuery('u_policy.owning_group', 'IN', myGroups); // Check user's group membership
groupGR.setLimit(1); // Limit to one result for efficiency
groupGR.query();
if (groupGR.hasNext()) {
isUserInFieldsOrGroups = true; // User matches a valid owning group
return true;
}
}
}
// General Policies check (mandatory)
var generalPolicyGR = new GlideRecord('kb_knowledge');
generalPolicyGR.addEncodedQuery('u_policy.u_domain=Global Security^u_policy.u_sub_domain=General Policies');
generalPolicyGR.setLimit(1); // Limit to one result for efficiency
generalPolicyGR.query();
if (generalPolicyGR.hasNext()) {
if (isUserInFieldsOrGroups || gs.hasRole('snc_internal')) {
return true; // Grant access if user matches fields/groups and General Policies
}
} else {
return false; // Deny access if no match in General Policies
}
// Other Domain Policies check (mandatory)
var otherPolicyGR = new GlideRecord('kb_knowledge');
otherPolicyGR.addEncodedQuery('u_policy.u_domain=Information Security^ORu_policy.u_domain=Compliance^ORu_policy.u_domain=Privacy^ORu_policy.u_domain=EHS^ORu_policy.u_domain=CommOps^ORu_policy.u_domain=Global Safety^ORu_policy.u_domain=Employee Relation');
otherPolicyGR.setLimit(1); // Limit to one result for efficiency
otherPolicyGR.query();
if (otherPolicyGR.hasNext()) {
if (isUserInFieldsOrGroups || gs.hasRole('snc_internal')) {
return true; // Grant access if user matches fields/groups and Other Policies
}
} else {
return false; // Deny access if no match in Other Policies
}
// Policy checks for Public Safety Domain
var publicSafety = new GlideRecord('kb_knowledge');
publicSafety.addEncodedQuery('u_policy.u_domain=Public Safety');
publicSafety.setLimit(1); // Limit to one result for efficiency
publicSafety.query();
if (publicSafety.hasNext()) {
if (gs.getUser().isMemberOf('sn-publicgroup')) {
return true;
} else {
return false;
}
}
})(user_id);
0 REPLIES 0