ACL Challenge. A Field read by user's manger, and manger of the user's manager and on

SamuelTse · ‎05-29-2017

Hi,

I have a requirement to create an ACL on a field (new custom field) in the Users table. This field can only be viewed by the manger of the user, also, the manager of the manger, and keep rolling up until someone has no manager in their user profile. i.e. the field in the user table can be seen from my direct supervisor all the way to the president of the company, but not the mangers in other departments.

I created a script in ACL to loop through the reporting structure in the organization, It works but I find it to be extremely slow when I need to load the user record. I wonder if there is a more efficient way to handle this.

I hope this makes sense.

Thanks,

Sam

Chris M3 · ‎05-30-2017

pseudo code, I'm not sure if the performance will improve much though.

var user = current;

while (user.manager != null) {

if (gs.getUserID == user.manager)

return true;

user = user.manager;

}

return false;

View solution in original post

vinothkumar · ‎05-30-2017

Hi Samuel,

Can you try something similar as below, however it won't check for all the level till the manager is empty, if needed you can dot walk for another two level also.

var userId = gs.getUserID();

var manager = current.manager;

var answer = false;

if(checkManager() == true || checkManagerHierrarchy() == true)

{

answer = true;

}

function checkManager()

{

if(manager == userId){

return true;

}

else return false;

}

function checkManagerHierrarchy()

{

var gr = new GlideRecord('sys_user');

gr.get(manager);

manager = gr.manager;

var senior_manager = gr.manager.manger;

var super_senior_manager = gr.manager.manger.manager;

if(userId == manager|| userId == senior_manager || userId == super_senior_manager)

{

return true;

}

else return false;

}

SamuelTse · ‎05-30-2017

Hi Vinoh,

Thanks for the advice. I thought about using dat walk as well. How many level can I drill down (up?). Is super_senior_manager is as far as I can dot walk to?

I am thinking to extend your script further if I really need to look for the empty Manager field. I guess I can query the user table using the super_senior_manager if checkManagerHierrarchy() return false for the first time, until I get to the manager field is empty. I think I shouldn't have to go more than 6-7 level so running checkManagerHierrarchy() one more time using super_senior_manager is manageable.

I will test out this theory and see if it works. Will post the script in a bit.

Thanks,

Sam

Chris M3 · ‎05-30-2017

pseudo code, I'm not sure if the performance will improve much though.

var user = current;

while (user.manager != null) {

if (gs.getUserID == user.manager)

return true;

user = user.manager;

}

return false;

SamuelTse · ‎05-30-2017

Hi Chris,

My original script is very similar to yours and I ran into some performance issue. I think there are some interesting suggestions in this thread. I will explore each and post back the result

Sam

Chris M3 · ‎05-30-2017

Yeah, the one thing you're doing differently is instantiating a new GlideRecord object.

I have a script doing something similar (climbing the management chain), and it's not the speediest. The only other improvement you can do is cache it for the user (On login, navigate the chain down to get the list of users, store it in a session variable)