‎05-29-2017 07:43 AM
Hi,
I have a requirement to create an ACL on a field (a new custom field) in the Users table. This field can only be viewed by the manager of the user, and also the manager of the manager, and so on rolling up until someone has no manager in their user profile, i.e. the field in the user table can be seen by everyone from my direct supervisor all the way to the president of the company, but not by the managers in other departments.
I created a script in the ACL to loop through the reporting structure in the organization. It works, but I find it to be extremely slow when I need to load the user record. I wonder if there is a more efficient way to handle this.
I hope this makes sense.
Thanks,
Sam
‎05-30-2017 09:16 AM
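Pseudo code; I'm not sure if the performance will improve much, though.

    // Walk up the manager chain from the record being read
    var user = current;
    while (!user.manager.nil()) {
        // gs.getUserID() is a method call: sys_id of the logged-in user
        if (gs.getUserID() == user.manager)
            return true;
        user = user.manager; // dot-walk to the next manager
    }
    return false;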
‎05-29-2017 08:12 AM
Hi Samuel,
I suggest creating a new group and a new role.
Now create a new ACL, assign this to the role, and assign it to the group.
Now add the list of users who should be able to access this field.
This is a better option than querying all the users in the user table.
There might be some thousands of users in the user table when the ACL script runs, and it will definitely slow down the instance and impact performance.
Add a condition to this like !gs.hasRole("itil").
Thanks.
‎05-29-2017 08:36 AM
Hi Harish,
I am afraid the solution won't be as simple. The list of users who can see this field depends on the user's reporting structure; it is dynamic, so to speak. My supervisor can see the field in my record but not in the other departments' user records.
Sam

‎05-29-2017 08:39 AM
Hi Samuel,
In my opinion, it is not the best practice to check the hierarchy until the manager is empty. You can check if the logged-in user is a manager or manager's manager or one more level, and evaluate the ACL to return true by doing a simple glidequery. Can you provide a screenshot of your ACL script?
‎05-29-2017 08:55 AM
Hi Vinoth,
I created a script include for this check function in the ACL. I have other logic in there too, but here is a snippet of it:

    canread: function() {
        // Assumes the current table is sys_user
        var userId = gs.getUserID();
        var manager = current.manager;
        var c = 0; // just to be safe so it doesn't run into an infinite loop
        do {
            if (manager == "") {
                return false;
            }
            if (manager == userId) {
                return true;
            }
            var gr = new GlideRecord('sys_user');
            if (!gr.get(manager)) {
                return false; // manager reference points to a missing record
            }
            manager = gr.manager;
            c++;
        } while (c < 10);
        return false; // depth limit reached without a match: deny
    }

This runs fine but it is really slow. I need a way to optimize this.
Sam
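
The check discussed in this thread, as an added example that is not any poster's code: a plain JavaScript model of the manager-chain walk that denies on loops, missing records and the depth cap, and caches each user's manager so rows sharing a chain do not repeat lookups. `lookupManager`, `makeChainChecker` and the sample data are hypothetical stand-ins for the one-record sys_user read.

```javascript
// Added example: plain JavaScript model of the manager-chain ACL check.
// `lookupManager` is a hypothetical stand-in for the one-record sys_user read.
function makeChainChecker(lookupManager, maxDepth) {
  var cache = new Map(); // userId -> managerId ('' when none or missing)
  var lookups = 0;
  function managerOf(userId) {
    if (!cache.has(userId)) {
      lookups++;
      cache.set(userId, lookupManager(userId) || '');
    }
    return cache.get(userId);
  }
  return {
    // True only if viewerId appears above recordUserId in the chain.
    canRead: function (viewerId, recordUserId) {
      var seen = new Set([recordUserId]);
      var manager = managerOf(recordUserId);
      for (var depth = 0; depth < maxDepth && manager !== ''; depth++) {
        if (manager === viewerId) return true;
        if (seen.has(manager)) return false; // circular chain: deny
        seen.add(manager);
        manager = managerOf(manager);
      }
      return false; // top of chain, missing record, or depth cap: deny
    },
    lookupCount: function () { return lookups; }
  };
}

// Constructed sample data: user -> manager; 'x' and 'y' form a loop.
var SAMPLE = { sam: 'lead', pat: 'lead', lead: 'vp', vp: 'ceo', ceo: '',
               other: 'vp2', vp2: 'ceo', x: 'y', y: 'x' };
function sampleLookup(id) { return SAMPLE[id]; }

function demo() {
  var acl = makeChainChecker(sampleLookup, 10);
  var results = {
    ceoSeesSam: acl.canRead('ceo', 'sam'),
    otherVpSeesSam: acl.canRead('vp2', 'sam'),
    samSeesSelf: acl.canRead('sam', 'sam'),
    loopDenied: acl.canRead('ceo', 'x')
  };
  var before = acl.lookupCount();
  acl.canRead('ceo', 'pat'); // shares lead -> vp -> ceo with sam
  results.extraLookupsForPat = acl.lookupCount() - before;
  return results;
}
```

Keep such a cache scoped to a single request, so that a change to someone's manager takes effect on the next evaluation rather than leaving stale access in place.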