
ACL not working for Itil user

ABC6
Tera Contributor

Hi All,
I have a requirement where an itil user should not be able to edit the property field, for which I have created a write ACL with the code below, and it's not working. Please help me get this issue resolved.

var checkRoles = gs.getSession().getRoles();
var userRole = current.getDisplayValue('u_property.u_company_roles');
var currentLoggedInUser = gs.getUser().hasRole('itil');
if (!current.isNewRecord()) {
     if (currentLoggedInUser && checkRoles.indexOf(userRole) == -1) {
        gs.log("razTest: Role " + userRole + " is not in session roles.");
        answer = false;
    }
    else if(checkRoles.indexOf(userRole) !== -1 ){
        answer=true
    }
}
6 REPLIES

Simon Christens
Kilo Sage

Hi,

Try checking if you get what you expect in

var userRole = current.getDisplayValue('u_property.u_company_roles');

Do you expect company_roles to be 1 or several roles? Because if it's x,y,z then the exact order of the roles also comes into consideration. Maybe you need to loop through each of the roles for additional checks.

Try using a background script to make some initial tests with your own user so that you can check what's going on regarding userRole and checkRoles.

yes,

var userRole = current.getDisplayValue('u_property.u_company_roles');


it is giving us expected results

It's a bit hard for me to confirm that this works, but try it out.

Also remember to set answer if it's a new record.

var checkRoles = gs.getSession().getRoles();
var userRole = current.getDisplayValue('u_property.u_company_roles').split(',');
var currentLoggedInUser = gs.getUser().hasRole('itil');
var answer;
if (!current.isNewRecord()) {
    // If there are several roles in u_company_roles we need to go through each of them
    for (var i = 0; i < userRole.length; i++) {

        if (currentLoggedInUser && checkRoles.indexOf(userRole[i]) == -1) {
            // If answer is already true, the user does have a company role, so we stop
            if (answer == true) {
                break;
            }
            gs.log("razTest: Role " + userRole[i] + " is not in session roles.");
            answer = false;
        } else if (checkRoles.indexOf(userRole[i]) !== -1) {
            answer = true;
        }
    }
}
// What if it's a new record? Then you need to set answer to either true or false
gs.info(answer);

It is also giving access to the itil user, which I don't want. I have made a dynamic solution to handle the company property, so I made a list type field and gave the user_adv_admin role on that field and checked if those restricted properties have the role. If it's a user_adv_admin user, then all fields should be editable, and if it is itil, then the property field is grayed out for existing records.
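
An added example, not part of the thread or of any poster's code: a deny-by-default version of the role check discussed above, written as plain JavaScript so it can be tested outside the instance. It assumes the session roles and the u_company_roles display value both arrive as comma-separated strings; `parseRoles`, `canWriteProperty`, `substringMatch` and the `allowOnNew` policy flag are hypothetical names, and the sample role strings are constructed.

```javascript
// Added example: plain JavaScript, runnable in Node. The comma-separated strings
// stand in for gs.getSession().getRoles() and the u_company_roles display value
// (assumed shapes; sample values are constructed for illustration).

// Split a comma-separated role list into a set of exact, trimmed role names.
function parseRoles(csv) {
  return new Set(
    String(csv || '')
      .split(',')
      .map(function (r) { return r.trim(); })      // "x, y" must not yield " y"
      .filter(function (r) { return r.length > 0; })
  );
}

// Hypothetical helper: decide write access to the property field.
// Every path returns an explicit boolean, so the result is never undefined.
function canWriteProperty(sessionRolesCsv, requiredRolesCsv, isNewRecord, allowOnNew) {
  if (isNewRecord) {
    return allowOnNew === true; // the policy for new records is set explicitly
  }
  var held = parseRoles(sessionRolesCsv);
  var required = parseRoles(requiredRolesCsv);
  if (required.size === 0) {
    return false; // assumption: a property with no roles listed grants nothing
  }
  for (var role of required) {
    if (held.has(role)) {
      return true; // exact match on one required role is enough
    }
  }
  return false; // deny by default
}

// What indexOf does when the session roles are one joined string:
// a substring comparison, not a comparison of whole role names.
function substringMatch(sessionRolesCsv, role) {
  return sessionRolesCsv.indexOf(role) !== -1;
}
```

In an ACL script the same logic would end with a single assignment to `answer`, so the result does not depend on the order of the roles in the list.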