ACL script appears not to work properly even with "Admin overrides" disabled

mechamberlain
Mega Expert

I'm new to ServiceNow and I'm trying to do something that *should* be easy... but I must be missing something obvious. I need to restrict access (read access in this example) to a particular field (IP Address) on the cmdb_ci table based on a user role AND the value of another field (Category) on the table.

Specifically, if the Category of the record is "CIP Asset", read access should only be granted to those with the "Talen_Read_CCAI" role. If the category is anything else, users without the "Talen_Read_CCAI" role should have read access.

I've created the following ACL, which works perfectly except for anyone who has the "admin" role. They have read access to the IP Address field on "CIP Asset" items regardless of the ACL being in place and not having the "Talen_Read_CCAI" role:

Access Control

Type: record

Operation: read

Name: cmdb_ci.ip_address

Active: yes

Admin overrides: no

Condition: none

Script:

        answer = ((current.category!='CIP Asset') || gs.hasRole('Talen_Read_CCAI'));

Required roles: none

It almost seems that admin override is still enabled, even though the checkbox is not checked on the ACL.

Any input would be appreciated. It's a Eureka instance.

Best regards.

Marty
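As an added example (not part of Marty's post and not ServiceNow's own code), the following Node.js harness runs the ACL script body from the question against a stubbed `current` record and `gs.hasRole()` so the intended decision table can be checked outside the platform before the rule is deployed. The `makeContext`, `evaluateAcl` and `findMismatches` helpers and the sample role names other than `Talen_Read_CCAI` and `admin` are assumptions made for this example; the harness models only the script's own logic, not the platform's full ACL evaluation, so the admin-without-role row encodes the result Marty expects rather than the behaviour the instance showed.

```javascript
// Added example, not code from the thread: evaluate the ACL script body against a
// stubbed ServiceNow context. `current` and `gs` are stand-ins for the platform
// objects; the rule text is the one-liner from the question.

// The ACL script under test, exactly as written in the question (assigns to `answer`).
const ACL_SCRIPT =
  "answer = ((current.category!='CIP Asset') || gs.hasRole('Talen_Read_CCAI'));";

// Minimal stand-in for the platform's `current` record and `gs` session helper.
// Only the members the rule touches are provided (assumption for this example).
function makeContext(category, roles) {
  const roleSet = new Set(roles);
  return {
    current: { category: category },
    gs: { hasRole: function (role) { return roleSet.has(role); } },
  };
}

// Run the script body with `current` and `gs` bound and return the boolean `answer`.
// `new Function` is used only on the embedded, trusted rule text of this harness;
// an unset or non-boolean `answer` is treated as a denial, never as a grant.
function evaluateAcl(scriptBody, context) {
  const fn = new Function(
    'current', 'gs',
    'var answer = false; ' + scriptBody + ' return answer === true;'
  );
  return fn(context.current, context.gs);
}

// Decision table the question describes: category x roles -> expected read access.
// Role names besides Talen_Read_CCAI and admin are constructed sample values.
// The "CIP Asset" + ["admin"] row is the expected result, not what the instance did.
const EXPECTED = [
  { category: 'CIP Asset', roles: ['Talen_Read_CCAI'], read: true },
  { category: 'CIP Asset', roles: ['itil'], read: false },
  { category: 'CIP Asset', roles: ['admin'], read: false },
  { category: 'CIP Asset', roles: ['admin', 'Talen_Read_CCAI'], read: true },
  { category: 'Server', roles: [], read: true },
  { category: 'Server', roles: ['admin'], read: true },
];

// Return the rows whose evaluated answer differs from the expected one.
function findMismatches(scriptBody, table) {
  return table.filter(function (row) {
    const got = evaluateAcl(scriptBody, makeContext(row.category, row.roles));
    return got !== row.read;
  });
}

// Stand-alone run: report any row where the script disagrees with the table.
const mismatches = findMismatches(ACL_SCRIPT, EXPECTED);
console.log(mismatches.length === 0
  ? 'ACL script matches all ' + EXPECTED.length + ' expected rows'
  : 'Mismatched rows: ' + JSON.stringify(mismatches));
```

Because the script itself produces the expected answer for every row, a harness like this confirms that the admin case in the question is not caused by the rule's logic; whatever grants admin the field has to be looked for in how the platform evaluates the ACL around the script.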


Harish,

I cleared the cache (cache.do) and unfortunately experienced the same result (Scenario #3 above).

Best regards,

Marty


Anurag Tripathi
Mega Patron

Change the script part like this:

Script:

        if ((current.category != 'CIP Asset') || gs.hasRole('Talen_Read_CCAI'))
        {
            answer = true;
        }
        else
        {
            answer = false;
        }

-Anurag

Anurag,

Thank you for the suggestion. I tried the change you suggested and it has the same result, as I would have expected. See my reply to Harish Murikinati above for debugging scenarios.

Best regards,

Marty


Are you on a domain separated environment?

-Anurag

I am using a test instance set up for us by ServiceNow. Sorry, I'm not sure exactly what you mean by a "domain separated" environment.