ACL script appears not to work properly even with "Admin overrides" disabled
02-25-2015 02:09 PM
I'm new to ServiceNow and I'm trying to do something that *should* be easy...but I must be missing something obvious. I have the need to restrict access (read access in this example) to a particular field (IP Address) on the cmdb_ci table based on a user role AND the value of another field (Category) on the table.
Specifically, if the Category of the record is "CIP Asset", read access should only be granted to those with the "Talen_Read_CCAI" role. If the category is anything else, users without the "Talen_Read_CCAI" role should have read access.
I've created the following ACL, which works perfectly except for anyone who has the "admin" role. They have read access to the IP Address field on "CIP Asset" items regardless of the ACL being in place and not having the "Talen_Read_CCAI" role:
Access Control
Type: record
Operation: read
Name: cmdb_ci.ip_address
Active: yes
Admin overrides: no
Condition: none
Script:
answer = ((current.category != 'CIP Asset') || gs.hasRole('Talen_Read_CCAI')); // grant read unless the record is a CIP Asset and the user lacks the role
Required roles: none
It almost seems that admin override is still enabled, even though the checkbox is not checked on the ACL.
Any input would be appreciated. It's a Eureka instance.
Best regards.
Marty
02-26-2015 06:41 AM
Hi Martin,
I think you're running into a particular behavior of the hasRole() function. One of the unique parts about being an admin user is that hasRole() will ALWAYS return true for the admin, whether they have a role explicitly or not.
http://wiki.servicenow.com/index.php?title=GlideSystem#hasRole.28String.29
You might try using a group to manage this instead of a role and using isMemberOf().
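To make the behavior described above concrete, here is an added example (not from the thread or from ServiceNow) that mocks the two calls the ACL script depends on: a gs.hasRole() that returns true for any role when the user holds admin, as the documentation states, and a group-membership check. The user accounts, the "CCAI Readers" group and the records are constructed for the demonstration.

```javascript
// Constructed mock of the platform pieces the ACL script touches; this is
// not the ServiceNow runtime, only a model of its documented behavior.
const users = {
  reader: { roles: ["itil", "Talen_Read_CCAI"], groups: ["CCAI Readers"] },
  plain:  { roles: ["itil"], groups: [] },
  admin:  { roles: ["admin"], groups: [] },
};

function makeGs(userId) {
  const u = users[userId];
  return {
    // Mirrors "returns true if the current user has the specified role or the admin role".
    hasRole: (role) => u.roles.includes(role) || u.roles.includes("admin"),
    // Plain membership check; admin gets no special treatment here.
    getUser: () => ({ isMemberOf: (group) => u.groups.includes(group) }),
  };
}

// The original ACL script from the question, as a function returning `answer`.
function roleBasedRead(gs, current) {
  return current.category !== "CIP Asset" || gs.hasRole("Talen_Read_CCAI");
}

// Group-based variant following the suggestion in the reply above
// ("CCAI Readers" is an assumed group name).
function groupBasedRead(gs, current) {
  return current.category !== "CIP Asset" || gs.getUser().isMemberOf("CCAI Readers");
}

// Run one ACL script for every mock user against one record and return
// userId -> granted, so the two scripts can be compared side by side.
function evaluate(script, current) {
  const result = {};
  for (const id of Object.keys(users)) result[id] = script(makeGs(id), current);
  return result;
}

// Constructed sample records.
const cipAsset = { category: "CIP Asset", ip_address: "10.0.0.1" };
const server = { category: "Server", ip_address: "10.0.0.2" };

console.log("role-based, CIP Asset :", evaluate(roleBasedRead, cipAsset));  // admin: true
console.log("group-based, CIP Asset:", evaluate(groupBasedRead, cipAsset)); // admin: false
console.log("group-based, Server   :", evaluate(groupBasedRead, server));   // everyone: true
```

The first line shows the symptom from the question: the admin user is granted read on the CIP Asset record even though it holds neither the role nor the group, because hasRole() short-circuits to true for admin.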
02-26-2015 06:50 AM
Brad,
Thanks. I totally missed this in the Method description of the hasRole() function:
"Returns true if the current user has the specified role or the admin role."
I'll give that a try!
Marty
05-04-2015 05:17 PM
Try adding gs.hasRole("admin"); in your script part as well.
05-05-2015 04:43 AM
Amlesh,
Has this worked successfully for you?
05-05-2015 10:26 AM
Yes, Martin. If you want to add a security rule for Admin as well, just use the following code in your script.
answer = !gs.hasRole("admin"); // grant only to users who do not hold the admin role