ACL & User Criteria - Not Working

Utkarsha

Hey Everyone,

I’m working on setting up user criteria and ACLs for knowledge base (KB) articles and need some guidance to ensure proper access control.

My Current Setup:

  • A user criteria record is defined at the knowledge base level.
  • An ACL of type "read" on the kb_knowledge table is also in place.

Requirements:

  1. Security, Privacy, Compliance, and EHS – Articles in these domains should be visible to all internal users.
  2. Global Security:
    • Overview and general policies should be visible to internal users.
    • Other Global Security policies should be visible only to users with Policy Reviewer, Approver, Owner, or Owning Group Member roles.
  3. Public Safety – Articles should be accessible to the sn_public_group.
  4. People+Places, CommOps, and Global Safety – Articles should be visible to internal users.

Despite the user criteria and ACLs, access isn't working as expected. I'd appreciate any suggestions on refining my approach, whether that means adjusting the user criteria, modifying the ACLs, or following other best practices.

    Thanks in advance for your help!


ACL: defined on the kb_knowledge table, Type: Read, Role: internal
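// Read ACL script on kb_knowledge. The platform evaluates the ACL's role
// condition ("internal") before this script runs, so the script only refines
// the decision for the single record held in `current`; `answer` starts out
// as deny and is only ever raised to true by an explicit match below.
//
// Decision order for the record being evaluated:
//   1. Global Security: grant when the user is named on the policy's
//      approvers/reviewers/owner fields or belongs to its owning group.
//   2. Global Security / General Policies: grant to every user who got here.
//   3. Information Security, Compliance, Privacy, EHS, CommOps, Global Safety,
//      Employee Relation: grant to every user who got here.
//   4. Public Safety: members of the public group only; evaluated last because
//      it overrides steps 1-3 for that record.
// Every query is anchored to current.sys_id so it can only answer "does THIS
// article satisfy the condition" — a query without that filter would answer
// "does ANY article in the KB satisfy it" and leak the decision across records.
var user_id = gs.getUserID();
var answer = false; // Default to deny access
var isUserInFieldsOrGroups = false; // Set when the user is named on this article's Global Security policy

// List fields on the referenced policy that name individual users.
var fields = ['u_policy.approvers', 'u_policy.reviewers', 'u_policy.owner'];

// Step 1a: is the user named on this article's Global Security policy?
// some() stops at the first matching field, so no further queries are run.
isUserInFieldsOrGroups = fields.some(function(field) {
    var fieldGR = new GlideRecord('kb_knowledge');
    fieldGR.addQuery('sys_id', current.sys_id); // scope to the record being checked
    fieldGR.addQuery('u_policy.u_domain', 'Global Security');
    fieldGR.addQuery(field, 'CONTAINS', user_id); // list fields hold comma-separated sys_ids
    fieldGR.setLimit(1); // existence check only
    fieldGR.query();
    return fieldGR.hasNext();
});

// Step 1b: not named directly — is one of the user's groups the owning group?
if (!isUserInFieldsOrGroups) {
    var myGroups = gs.getUser().getMyGroups().toArray().join(','); // '' when the user has no groups
    if (myGroups) {
        var groupGR = new GlideRecord('kb_knowledge');
        groupGR.addQuery('sys_id', current.sys_id);
        groupGR.addQuery('u_policy.u_domain', 'Global Security');
        groupGR.addQuery('u_policy.owning_group', 'IN', myGroups);
        groupGR.setLimit(1); // existence check only
        groupGR.query();
        isUserInFieldsOrGroups = groupGR.hasNext();
    }
}

if (isUserInFieldsOrGroups) {
    answer = true;
}

// Step 2: Global Security general policies are readable by every user who
// passed the ACL's role condition.
var generalPolicyGR = new GlideRecord('kb_knowledge');
generalPolicyGR.addQuery('sys_id', current.sys_id);
generalPolicyGR.addEncodedQuery('u_policy.u_domain=Global Security^u_policy.u_sub_domain=General Policies');
generalPolicyGR.setLimit(1); // existence check only
generalPolicyGR.query();
if (generalPolicyGR.hasNext()) {
    answer = true;
}

// Step 3: domains readable by every user who passed the ACL's role condition.
// NOTE(review): the values must match the u_domain choice list exactly —
// this list says 'Information Security' and adds 'Employee Relation' while
// the requirements above say 'Security'; confirm against the choice list.
var otherPolicyGR = new GlideRecord('kb_knowledge');
otherPolicyGR.addQuery('sys_id', current.sys_id);
otherPolicyGR.addEncodedQuery('u_policy.u_domain=Information Security^ORu_policy.u_domain=Compliance^ORu_policy.u_domain=Privacy^ORu_policy.u_domain=EHS^ORu_policy.u_domain=CommOps^ORu_policy.u_domain=Global Safety^ORu_policy.u_domain=Employee Relation');
otherPolicyGR.setLimit(1); // existence check only
otherPolicyGR.query();
if (otherPolicyGR.hasNext()) {
    answer = true;
}

// Step 4: Public Safety articles are readable only by members of the public
// group, regardless of steps 1-3. This query is scoped to current.sys_id like
// the others: without that filter the mere existence of any Public Safety
// article in the KB would reset `answer` for every record that reached here,
// denying non-members access to every article and granting members every one.
// NOTE(review): the group is 'sn-publicgroup' here but 'sn_public_group' in
// the requirements above — confirm the real group name.
var publicSafety = new GlideRecord('kb_knowledge');
publicSafety.addQuery('sys_id', current.sys_id);
publicSafety.addEncodedQuery('u_policy.u_domain=Public Safety');
publicSafety.setLimit(1); // existence check only
publicSafety.query();
if (publicSafety.hasNext()) {
    answer = gs.getUser().isMemberOf('sn-publicgroup') ? true : false;
}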
User criteria at the knowledge base level:

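// User criteria script (knowledge base level); the IIFE result becomes `answer`.
// NOTE(review): a user criteria is evaluated per user for the whole knowledge
// base — there is no `current` article in scope, so every query below can
// only ask "does ANY article of that domain match", never "does this article".
// Per-article visibility (which Global Security or Public Safety article a
// user may read) therefore has to be enforced by the kb_knowledge read ACL;
// this script effectively decides only whether the user may see the KB at all.
// NOTE(review): `user_id` is not declared in this listing; presumably it is
// the evaluated user's sys_id supplied by the user-criteria runtime — confirm,
// otherwise assign it before the IIFE.
// NOTE(review): gs.getUser() / gs.hasRole() describe the *session* user, while
// `user_id` is the user being evaluated; the two can differ when criteria are
// evaluated on someone else's behalf — confirm that is acceptable here.
var answer = (function(user_id) {
    // List fields on a policy that name individual users.
    var fields = ['u_policy.approvers', 'u_policy.reviewers', 'u_policy.owner'];

    // Is the user named on any Global Security policy? some() stops at the
    // first hit. A hit grants the criteria outright, consistent with the
    // owning-group branch below (a `return true` inside forEach only returns
    // from the callback, which previously left the field match unrewarded
    // whenever no General Policies article existed).
    var isUserInFields = fields.some(function(field) {
        var fieldGR = new GlideRecord('kb_knowledge');
        fieldGR.addQuery('u_policy.u_domain', 'Global Security');
        fieldGR.addQuery(field, 'CONTAINS', user_id); // list fields hold comma-separated sys_ids
        fieldGR.setLimit(1); // existence check only
        fieldGR.query();
        return fieldGR.hasNext();
    });
    if (isUserInFields) {
        return true;
    }

    // Not named directly: does the user belong to the owning group of any
    // Global Security policy?
    var myGroups = gs.getUser().getMyGroups().toArray().join(','); // '' when the user has no groups
    if (myGroups) {
        var groupGR = new GlideRecord('kb_knowledge');
        groupGR.addQuery('u_policy.u_domain', 'Global Security');
        groupGR.addQuery('u_policy.owning_group', 'IN', myGroups);
        groupGR.setLimit(1); // existence check only
        groupGR.query();
        if (groupGR.hasNext()) {
            return true;
        }
    }

    // From here on the user is neither named on nor owns a Global Security
    // policy, so the remaining grants depend on the snc_internal role alone.
    var isInternal = gs.hasRole('snc_internal');

    // Global Security / General Policies.
    // NOTE(review): when no such article exists in the KB this denies the whole
    // KB before the other domains are even checked — confirm that is intended.
    var generalPolicyGR = new GlideRecord('kb_knowledge');
    generalPolicyGR.addEncodedQuery('u_policy.u_domain=Global Security^u_policy.u_sub_domain=General Policies');
    generalPolicyGR.setLimit(1); // existence check only
    generalPolicyGR.query();
    if (!generalPolicyGR.hasNext()) {
        return false;
    }
    if (isInternal) {
        return true;
    }

    // Other domains; same shape as the General Policies check above.
    // NOTE(review): 'Information Security' / 'Employee Relation' here vs.
    // 'Security' in the requirements — confirm against the u_domain choices.
    var otherPolicyGR = new GlideRecord('kb_knowledge');
    otherPolicyGR.addEncodedQuery('u_policy.u_domain=Information Security^ORu_policy.u_domain=Compliance^ORu_policy.u_domain=Privacy^ORu_policy.u_domain=EHS^ORu_policy.u_domain=CommOps^ORu_policy.u_domain=Global Safety^ORu_policy.u_domain=Employee Relation');
    otherPolicyGR.setLimit(1); // existence check only
    otherPolicyGR.query();
    if (!otherPolicyGR.hasNext()) {
        return false;
    }
    if (isInternal) {
        return true;
    }

    // Public Safety: members of the public group only.
    // NOTE(review): 'sn-publicgroup' here vs. 'sn_public_group' in the
    // requirements — confirm the real group name.
    var publicSafety = new GlideRecord('kb_knowledge');
    publicSafety.addEncodedQuery('u_policy.u_domain=Public Safety');
    publicSafety.setLimit(1); // existence check only
    publicSafety.query();
    if (publicSafety.hasNext()) {
        return gs.getUser().isMemberOf('sn-publicgroup') ? true : false;
    }

    // No branch matched (e.g. no Public Safety article exists): deny explicitly
    // rather than falling off the end and returning undefined.
    return false;
})(user_id);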
