acl restrict cmdb_ci to support_group

web48f
Tera Contributor

I have a story to restrict read access on cmdb_ci.list for a certain group to only those rows where the logged-in user is a member of the support_group. By default any logged-in user can see the whole list. I updated the default cmdb_ci read ACL to include:

// Deny the default read ACL to holders of this role; the group-specific
// read ACL (below) then decides row by row whether they may read the CI
if (gs.getUser().hasRole('certain_group')) {
    answer = false;
}

 

I have a read ACL for cmdb_ci with the appropriate role and the script:

// Grant read only when the logged-in user is a member of this CI's support group
// (the display value of the reference field is the group name)
answer = gs.getUser().isMemberOf(current.support_group.getDisplayValue());

 

However, when the user visits cmdb_ci.list they get only: "Number of rows removed from this list by Security constraints: 20"

 

They do not see the 86 CIs that they should see.


If I then apply the filter support_group = their group, I get the list of 86 CIs that they are the support group for.

 

Why does the ACL work when I apply the filter, but when I try to look at the whole table it doesn't show the true results? I expect that when looking at cmdb_ci without any filters the table ACLs would apply to every CI and therefore weed out the ones I can't see, but I could be hitting some kind of limit since the base table is very large.


briannice
Kilo Sage

Hi @web48f 

 

You need to create a before query business rule to filter the CIs on the list page.

I added some screenshots and script below for my solution. Don't forget to add the condition to the business rule.

 

Business rule - When to run tab

 

[screenshot: briannice_0-1718809646205.png]

 

Business rule - Advanced tab

 

[screenshot: briannice_1-1718809666016.png]

 

Business rule - Script

 

(function executeRule(current, previous /*null when async*/) {
	// sys_ids of every group the logged-in user belongs to, converted from the
	// Java list returned by getMyGroups() into a JavaScript array
	var groups = new global.ArrayUtil().convertArray(gs.getUser().getMyGroups());
	// narrow the query itself so only CIs whose support_group is one of those
	// groups are ever fetched for the list
	current.addQuery("support_group", "IN", groups);
})(current, previous);
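The following is an added, stand-alone model of the behaviour the question describes and the fix the answer gives; it is not code from the thread or from the ServiceNow platform. Row-level read ACLs are evaluated on each record after the list has already fetched a page from the unfiltered query, so if none of the first 20 rows (by sort order) belong to the user's groups, the whole page is stripped and the list shows only "rows removed: 20". A before-query business rule narrows the query before paging, so the same user gets a full page of the 86 permitted rows. `gs.getUser()` and the `current` GlideRecord are replaced by minimal stand-ins (`FakeUser`, `FakeQuery`) so the logic runs under plain Node.js, group names stand in for sys_ids, and the 200-row CI table is constructed for the example.

```javascript
'use strict';
// Added illustration (not from the thread): read ACL applied per page versus a
// before-query rule applied to the query. All platform objects are stand-ins.

const PAGE_SIZE = 20;            // default list page size, as in the question
const USER_GROUPS = ['network']; // the logged-in user's only group (assumed)

// Constructed sample data: 200 CIs. By sort order the first 40 belong to groups
// the user is not in, the next 86 belong to 'network', the remaining 74 to others.
function buildCis() {
  const cis = [];
  for (let i = 0; i < 200; i++) {
    let group;
    if (i < 40) group = (i % 2 === 0) ? 'storage' : 'database';
    else if (i < 126) group = 'network';
    else group = 'desktop';
    cis.push({ sys_id: 'ci' + String(i).padStart(3, '0'), name: 'host-' + i, support_group: group });
  }
  return cis;
}

// Stand-in for gs.getUser(): only the two calls the thread's scripts use.
class FakeUser {
  constructor(groups) { this.groups = groups.slice(); }
  getMyGroups() { return this.groups.slice(); }
  isMemberOf(group) { return this.groups.includes(group); }
}

// Stand-in for `current` inside a before-query rule: records addQuery()
// conditions so they can be applied to the sample rows.
class FakeQuery {
  constructor() { this.conditions = []; }
  addQuery(field, operator, value) {
    // the platform accepts a comma-separated string for IN; normalise to an array
    const values = Array.isArray(value) ? value : String(value).split(',');
    this.conditions.push({ field, operator, values });
  }
  matches(row) {
    return this.conditions.every(c => c.operator === 'IN'
      ? c.values.includes(String(row[c.field]))
      : String(row[c.field]) === c.values[0]);
  }
}

// The read ACL script from the question, evaluated per row after retrieval.
function readAcl(row, user) {
  return user.isMemberOf(row.support_group);
}

// The before-query rule from the answer, same shape, against the stand-ins.
function beforeQueryRule(current, user) {
  const groups = user.getMyGroups(); // platform: new global.ArrayUtil().convertArray(gs.getUser().getMyGroups())
  current.addQuery('support_group', 'IN', groups);
}

// List with only the read ACL: an optional user filter narrows the query
// (as when the question's author filters on support_group), the list fetches
// one page, and the ACL then strips rows from that page.
function listWithReadAcl(cis, user, pageSize, filterGroup) {
  const queried = filterGroup ? cis.filter(r => r.support_group === filterGroup) : cis;
  const page = queried.slice(0, pageSize);
  const visible = page.filter(r => readAcl(r, user));
  return { visible: visible.length, removed: page.length - visible.length };
}

// List with the before-query rule: the query is narrowed first, so every
// fetched row already passes and nothing is removed from the page.
function listWithQueryRule(cis, user, pageSize) {
  const current = new FakeQuery();
  beforeQueryRule(current, user);
  const permitted = cis.filter(r => current.matches(r));
  return { visible: Math.min(permitted.length, pageSize), removed: 0, total: permitted.length };
}

const demoUser = new FakeUser(USER_GROUPS);
const demoCis = buildCis();
console.log('read ACL, no filter   :', listWithReadAcl(demoCis, demoUser, PAGE_SIZE));            // { visible: 0, removed: 20 }
console.log('read ACL, user filter :', listWithReadAcl(demoCis, demoUser, PAGE_SIZE, 'network')); // { visible: 20, removed: 0 }
console.log('before-query rule     :', listWithQueryRule(demoCis, demoUser, PAGE_SIZE));          // { visible: 20, removed: 0, total: 86 }
```

The query rule fixes the list experience, but it is worth keeping the read ACL in place as the actual enforcement: the rule only shapes which rows are fetched, and its condition (role check, `gs.getSession().isInteractive()`, or similar) decides who it applies to, so admins and integrations are typically excluded from it while the ACL still governs reads everywhere.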