ACL execution, check for no matching Role in Script
‎02-19-2024 01:45 AM
Hi,
An ACL needs to pass all three (role/condition/script) if not empty.
I have the requirement that the user should either have role X or be a member of a group on the record.
If I now mention the roles in the embedded list and the user is not a member of these roles because he is "ONLY" a member of the group, the ACL would block according to this screen below.
But I don't want to mention all roles in the script like here.
gs.getUser().hasRole('name1') || gs.getUser().hasRole('name2') || gs.getUser().isMemberOf(current.u_group) || gs.getUser().hasRole('name3');
Is there a function/method for the ACL script that checks:
if you don't have any of these roles above, but this script evaluates to true, you can still get in?
Or does the NO turn go directly to blocked?
😄
gs.getUser().nomatchingaclrole(:D) || gs.getUser().isMemberOf(current.u_group)
‎02-19-2024 11:33 PM
If you want to make it hard on yourself, you can use a script like this, but you will need to call all of the roles and groups in the script (there isn't another way). You just can't call the roles or conditions from the script, simply because even if possible, that would never work: all 3 need to be true, so the group member without one of the roles would still need the role.
But just don't use the script. Be practical. Use 2 ACLs and keep your instance maintainable.
// True if the user has one of the required roles
var userHasRole = gs.getUser().hasRole('abc') || gs.getUser().hasRole('xyz');

// Get the sys_id of the group mentioned in the 'assignment_group' field
var assignmentGroup = current.assignment_group.toString();

// An ACL script reports its result through the 'answer' variable;
// a top-level 'return' is not valid outside a function.
// Grant access if the user has a required role or is a member of the 'assignment_group'.
answer = userHasRole || isUserInGroup(gs.getUserID(), assignmentGroup);

// Function to check if the user is in the specified group
function isUserInGroup(userId, groupId) {
    // An empty group field can never grant access
    if (!groupId) {
        return false;
    }
    var grMember = new GlideRecord('sys_user_grmember');
    grMember.addQuery('user', userId);
    grMember.addQuery('group', groupId);
    grMember.setLimit(1); // One matching row is enough
    grMember.query();
    return grMember.hasNext(); // Returns true if the user is a member of the group
}
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
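The evaluation rule discussed in this thread, as an added example that is not part of either post and is not ServiceNow code: a simplified model in plain JavaScript showing why one ACL with both a role list and a group script blocks the group-only user, while two separate ACLs on the same object and operation admit either kind of user. The functions `aclPasses`, `accessGranted` and `decisions`, the group names and the sample users are constructed for illustration; the model assumes a single ACL level and ignores admin overrides.

```javascript
// Simplified model of ACL evaluation (constructed; not a ServiceNow API).

// One ACL passes only if every non-empty part (roles, condition, script) passes.
function aclPasses(acl, user, record) {
  const rolesOk = !acl.roles || acl.roles.length === 0 ||
    acl.roles.some((role) => user.roles.includes(role));
  const conditionOk = !acl.condition || acl.condition(record);
  const scriptOk = !acl.script || acl.script(user, record);
  return rolesOk && conditionOk && scriptOk;
}

// Several ACLs on the same object and operation: passing any one grants access.
function accessGranted(acls, user, record) {
  return acls.some((acl) => aclPasses(acl, user, record));
}

// Stand-in for gs.getUser().isMemberOf(current.u_group).
const inRecordGroup = (user, record) => user.groups.includes(record.u_group);

// Constructed sample data.
const record = { u_group: 'grp_network' };
const roleUser = { roles: ['name1'], groups: [] };
const groupUser = { roles: [], groups: ['grp_network'] };
const outsider = { roles: [], groups: ['grp_other'] };

// Variant A: one ACL, role list AND group script both filled in.
const singleAcl = [
  { roles: ['name1', 'name2', 'name3'], script: inRecordGroup },
];

// Variant B: two ACLs, one carrying only the roles, one only the script.
const twoAcls = [
  { roles: ['name1', 'name2', 'name3'] },
  { script: inRecordGroup },
];

// Access decision for [roleUser, groupUser, outsider] under a given ACL set.
function decisions(acls) {
  return [roleUser, groupUser, outsider].map((u) => accessGranted(acls, u, record));
}

console.log('single ACL:', decisions(singleAcl));
console.log('two ACLs:  ', decisions(twoAcls));
```

In Variant A even the role holder is denied unless also in the group, which is the over-restriction the question describes; Variant B keeps the role list in the ACL's role field so it does not have to be repeated in a script.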