ACL Hierarchy

kailashthiyagar
sanjivmeher

Hi Sanjiv,

This is the continuation of our discussion "ACL for Extended table". Right now, in my personal instance, I created a table "EUTS Demand" in my custom scope. I created an ACL with the role "EUTS Admin" and added "Abel Tuter" to the role as well.

The initial ACL which got created by default has the name "Table"."None". When I impersonated "Abel", all the fields came up as "Read only" when I tried to create a new record in "EUTS Demand".

I created another Write ACL with the name "Table"."*" and a "Create" ACL with the name "Table"."*". Then, when I impersonated "Abel", I was able to see all the fields as editable.

Q: In normal table creation (not the extended ones), an ACL with the name "Table"."None" would work when we add the user, but it's not working here.

Still, some fields which reference other tables are not even appearing on the form: "Goal", "Program", "Work Notes", "Watch List". Why?

This is my personal instance; I guess you can request the admin password. If not, let me know.

1 ACCEPTED SOLUTION

Yes. You need to have the parent table role in the child as well.

For example, incident: if you extend incident for a scoped app, the new role should have itil. One of the reasons is ServiceNow won't be able to count how many itil licenses you are consuming.

Also, for the edit/delete worknotes, you need to create your own script and either disable the Global script or add a condition on it so it does not run when sys_class_name is your new table.



Please mark this response as correct or helpful if it assisted you with your question.
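
The lookup order behind this answer, as an added example that is not part of the original thread or ServiceNow's own code: a simplified JavaScript model of how table-level and field-level ACL names are searched on an extended table. The table `x_app_incident`, the role `x_app.admin` and every rule are constructed; it assumes the first matching name decides, that a missing table-level match means deny, and that a missing field-level match leaves the table-level result in place.

```javascript
// Simplified model of ACL lookup on an extended table (not platform code).
// Table names, roles and rules below are constructed for illustration.
const PARENT = { x_app_incident: 'incident', incident: 'task' };

const chain = (t) => (t ? [t, ...chain(PARENT[t])] : []);

// Table-level names ("table.None"): the table, then each parent, then "*".
const tableNames = (t) => [...chain(t), '*'];

// Field-level names, most specific first.
const fieldNames = (t, f) => [
  ...chain(t).map((x) => `${x}.${f}`), `*.${f}`,
  ...chain(t).map((x) => `${x}.*`), '*.*',
];

// Use the rules at the first name that has any for this operation.
// A user passes if one rule there has no roles or lists a role they hold.
function passes(acls, names, op, roles) {
  for (const name of names) {
    const rules = acls.filter((a) => a.name === name && a.op === op);
    if (rules.length) {
      return rules.some((r) => !r.roles.length || r.roles.some((x) => roles.includes(x)));
    }
  }
  return null; // nothing matched
}

// Access needs the table-level check and then the field-level check.
function canAccess(acls, roles, table, field, op) {
  if (passes(acls, tableNames(table), op, roles) !== true) return false;
  return passes(acls, fieldNames(table, field), op, roles) !== false;
}

const baseAcls = [
  { name: 'x_app_incident', op: 'write', roles: ['x_app.admin'] },
  { name: 'incident.*', op: 'write', roles: ['itil'] },
  { name: 'incident.work_notes', op: 'write', roles: ['itil'] },
];
const withChildWildcard = [...baseAcls,
  { name: 'x_app_incident.*', op: 'write', roles: ['x_app.admin'] }];

function demo() {
  const custom = ['x_app.admin'], both = ['x_app.admin', 'itil'];
  const t = 'x_app_incident';
  return {
    tableAclOnly: canAccess(baseAcls, custom, t, 'short_description', 'write'),
    childWildcard: canAccess(withChildWildcard, custom, t, 'short_description', 'write'),
    parentField: canAccess(withChildWildcard, custom, t, 'work_notes', 'write'),
    parentFieldWithItil: canAccess(withChildWildcard, both, t, 'work_notes', 'write'),
  };
}
console.log(demo());
```

With only the table-level rule, the parent's `incident.*` rule decides every field; a child `.*` rule shadows it, but a parent rule on a specific field still wins until the user also holds the parent role.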

15 REPLIES

Thanks sanjivmeher



In my personal instance, "Program" and "Impact" appear for the user who is part of the custom role which I created. But in my dev instance, those two are not appearing. I checked the read roles and I have added the read roles to my custom role, but they are still not appearing. Any suggestion on what can be checked?


sanjivmeher




I have fixed the issue for "Impact" by adding a field-level ACL, but Program is not appearing. I looked at the program table; it has a read ACL with the role it_program_manager, and I added that role to my custom role too, but it's still not working.


Did you remove the table.* ACLs from your dev instance? I have removed those as well from your personal instance; they are field-level access controls. Remove all ACLs except the table.None.



Yes. I removed everything except the one with "None". But that didn't help. So I added one at the field level for impact. It resolved the issue for impact. For the program field, in my personal instance, here is the ACL for read:




if ( gs.hasRole('project_user') || gs.hasRole('program_manager') || gs.hasRole('demand_user') || gs.hasRole('portfolio_manager') ) {
    var sysClass = current.sys_class_name || current.getRecordClassName() || current.getTableName();
    if ( PPMRoleClassMapper.validateAccess(gs.getUser(), sysClass) )
        answer = true;
    else
        answer = false;
}
else
    answer = true;




And in my dev instance, here is the script. i b




if ( gs.hasRole('project_user') ) {
    if ( PPMRoleClassMapper.validateAccess(gs.getUser(), current.sys_class_name) )
        answer = true;
    else
        answer = false;
}
else
    answer = true;




So what I did was add it_project_user and project_user to my custom role, but it's still not working. Any suggestion?