ACL Challenge. A Field read by user's manager, and manager of the user's manager and on

SamuelTse
Tera Guru

Hi,

I have a requirement to create an ACL on a field (a new custom field) in the Users table. This field can only be viewed by the manager of the user, also the manager of that manager, and so on, rolling up until someone has no manager in their user profile. I.e., the field in the user table can be seen by everyone from my direct supervisor all the way up to the president of the company, but not by the managers in other departments.

I created a script in the ACL to loop through the reporting structure in the organization. It works, but I find it to be extremely slow when I need to load the user record. I wonder if there is a more efficient way to handle this.

I hope this makes sense.

Thanks,

Sam

1 ACCEPTED SOLUTION

pseudo code, I'm not sure if the performance will improve much though.



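// ACL script: allow access when the logged-in user appears anywhere in
// the management chain above the user record being viewed.
answer = isInManagementChain(current);

function isInManagementChain(user) {
    var me = gs.getUserID();
    // Walk up the manager references until a user has no manager.
    while (!user.manager.nil()) {
        if (user.getValue('manager') == me)
            return true;
        user = user.manager.getRefRecord();
    }
    return false;
}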


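The chain walk from the accepted solution, modeled in plain JavaScript as an added example (not code from the thread). The `USERS` map, `MAX_DEPTH` and `canReadField` are hypothetical stand-ins for `sys_user` records and the ACL script; the walk fails closed on a cyclic manager reference or an overly deep chain, so bad reference data can neither hang the record load nor grant access.

```javascript
// Constructed sample data standing in for sys_user rows:
// user sys_id -> manager sys_id (null means "no manager").
const USERS = new Map([
  ['president', null],
  ['dean_sci', 'president'],
  ['dean_arts', 'president'],
  ['bob', 'dean_sci'],
  ['sam', 'bob'],
  // Constructed bad data: two records whose managers point at each other.
  ['loop_a', 'loop_b'],
  ['loop_b', 'loop_a'],
]);

const MAX_DEPTH = 25; // assumed upper bound on reporting-chain depth

// Returns true only if viewerId appears in the management chain above
// targetId. Unknown users, cycles and chains deeper than MAX_DEPTH all
// end in false (deny).
function canReadField(viewerId, targetId, users = USERS) {
  const seen = new Set([targetId]);
  let managerId = users.get(targetId);
  for (let depth = 0; managerId != null && depth < MAX_DEPTH; depth++) {
    if (managerId === viewerId) return true;   // viewer is in the chain
    if (seen.has(managerId)) return false;     // cycle in manager references
    seen.add(managerId);
    managerId = users.get(managerId);
  }
  return false;
}

// Direct supervisor and president can read; a manager from another
// department cannot.
console.log(canReadField('bob', 'sam'),
            canReadField('president', 'sam'),
            canReadField('dean_arts', 'sam'));
```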

16 REPLIES

Hi Chris,



I chose to use your script for now. It doesn't seem to add too much overhead at this point when loading the user record and it does what I want. I will look into that cache option. For now, your solution works.



vinothkumar basically pointed out a similar thing with dot-walking. Credit to him as well.



Thanks everyone.



Sam


Hi Sam,



I tried it for another two levels up from the super senior manager in my background script, and so far it is working fine.


abhishekdash
ServiceNow Employee

Hi Samuel,



I would agree with Harish over here.


The best solution would be to create a manager role based on the different departments you have.



Then have an ACL to check the access to the field based on the role.


The script that you have currently will result in slow performance.



Thanks,


Abhishek


I am not sure if I am missing anything, but I don't see how creating a role will work. Let's say I go with your suggestion. I create a HolidayManager role and I create an ACL to allow the manager role to see the custom field (Holiday, for example). I add my supervisor Bob to it. Now Bob can see my Holiday. He can also see other users' Holiday too? No? This is not what we want. Or are you suggesting I should create a role for each department? I work for a college; we are talking about 100+ departments. Do I have to create 100 roles and 100 ACLs? Don't get me wrong. I totally understand my code is not efficient, and I experienced it first hand :). That's the reason why I am here looking for alternatives. I would like to hear more about that suggestion. Please advise. Sam


Hey Sam,



Thanks for the response.


In case you have so many departments, then the solution will not be feasible.



Let me think of any other alternatives. Will provide you updates on the same.



Thanks,


Abhishek