ACL script appears not to work properly even with "Admin overrides" disabled

mechamberlain
Mega Expert

‎02-25-2015 02:09 PM

I'm new to ServiceNow and I'm trying to do something that *should* be easy...but I must be missing something obvious.   I have the need to restrict access (read access in this example) to a particular field (IP Address) on the cmdb_ci table based on a user role AND the value of another field (Category) on the table.

Specifically, if the Category of the record is "CIP Asset", read access should only be granted to those with the "Talen_Read_CCAI" role.   If the category is anything else, users without the "Talen_Read_CCAI" role should have read access.

I've created the following ACL, which works perfectly except for anyone who has the "admin" role.   They have read access to the IP Address field on "CIP Asset" items regardless of the ACL being in place and not having the "Talen_Read_CCAI" role:

Access Control

Type: record

Operation: read

Name: cmdb_ci.ip_address

Active: yes

Admin overrides: no

Condition: none

Script:

        answer = ((current.category!='CIP Asset') || gs.hasRole('Talen_Read_CCAI'));

Required roles: none

It almost seems that admin override is still enabled, even though the checkbox is not checked on the ACL.

Any input would be appreciated.   It's a Eureka instance.

Best regards.

Marty

0 Helpfuls
  • 4,325 Views
15 REPLIES 15

sudharsanv36
Kilo Guru

‎02-26-2015 01:12 AM

Using if statement, check the condition and return 'TRUE' or 'FALSE', I think that will work.


0 Helpfuls

Harish Murikina
Tera Guru

‎02-26-2015 01:16 AM

Hi Martin,



                              Debug the ACLs


Click below link to more info to debug.


http://wiki.servicenow.com/index.php?title=Using_Access_Control_Rules#Debugging


0 Helpfuls

mechamberlain
Mega Expert
In response to Harish Murikina

‎02-26-2015 06:06 AM

Harish:



Thank you for the suggestion.   I have already done debugs and the results seem to point to "admin" still overriding the field-level ACL, even though the "Admin overrides" checkbox on the field-level ACL is unchecked.



Below are some debug examples:



Scenario #1: A user without "admin" role and without "Talen_Read_CCAI" role.   Works correctly (IP Address field not readable) and the debug indicates the ACL script result was False as expected:



NoAdmin-NoCCAI.jpg



Scenario #2: Same user without "admin" role and with "Talen_Read_CCAI" role added.   Works correctly (IP Address field is now readable) and the debug indicates the ACL script result was True as expected:



NoAdmin-CCAI.jpg



Scenario #3: Same user with "admin" role added and without "Talen_Read_CCAI" role.   Does not work correctly (IP Address field is readable) and the debug indicates the ACL script result was True, which is unexpected:


Admin-NoCCAI.jpg



It really seems that the "Admin overrides" checkbox on the ACL is not working as I'd expect as simply adding the "admin" role to the user causes the ACL to permit the field-level access



Any additional suggestions are appreciated.


Preview file
71 KB
Preview file
54 KB
Preview file
52 KB
0 Helpfuls

Harish Murikina
Tera Guru
In response to mechamberlain

‎02-26-2015 06:14 AM

Could you check once by cleraing cache



Just enter cache.do


it will clear the cache


0 Helpfuls