ACL to allow a delegate of an approver to see the attachment

matt_a
Kilo Guru

Can someone assist with an ACL that will allow a delegate of an approver to read the attachments on the tickets?

I can see the existing ACL for the approver:

// Entry point of the ACL script: the result of the approver check is stored in `answer`.
answer = getAttachmentApproverRead();

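/**
 * Decides whether the current user may read an attachment because they are
 * listed as an approver on the record the attachment belongs to.
 *
 * Reads the platform globals `gs` (for the session user) and `current`
 * (the row the ACL is evaluated against; its `table_sys_id` is matched
 * against the approval's `document_id`).
 *
 * NOTE(review): the lookup does not filter on the approval's state, so the
 * grant holds for any approver row on the record, whatever its state.
 * Confirm that this is the intended scope of the read access.
 *
 * @returns {boolean} true when a sysapproval_approver row links the user to
 *     the record, false otherwise.
 */
function getAttachmentApproverRead() {
    var userId = gs.getUserID();

    var approval = new GlideRecord('sysapproval_approver');
    approval.addQuery('document_id', current.table_sys_id);
    approval.addQuery('approver', userId);
    // Only existence matters, so a single row is enough.
    approval.setLimit(1);
    approval.query();

    if (approval.next()) {
        return true;
    }

    // State the denial explicitly instead of falling off the end of the
    // function and handing `undefined` to the ACL engine.
    return false;
}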

Please could someone assist me in changing this script to allow delegates access as well?

Many thanks in advance

1 ACCEPTED SOLUTION

Hi Ankur,

I managed to figure it out but needed to restructure your script to read:

// Entry point of the ACL script: the result of the approver/delegate check is stored in `answer`.
answer = getAttachmentApproverRead();

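/**
 * Decides whether the current user may read an attachment, either as an
 * approver of the record it belongs to or as a delegate of such an approver.
 *
 * Reads the platform globals `gs` (for the session user) and `current`
 * (the row the ACL is evaluated against; its `table_sys_id` is matched
 * against the approval's `document_id`).
 *
 * Delegation is honoured only while it is in force: the sys_user_delegate
 * row must cover approvals and the current time must fall between its
 * `starts` and `ends` values. Without that window an expired delegation
 * would keep granting read access to the attachments.
 *
 * @returns {boolean} true when the user is an approver of the record or an
 *     active approval delegate of one of its approvers, false otherwise.
 */
function getAttachmentApproverRead() {
    var userId = gs.getUserID();
    var recordId = current.table_sys_id;

    // Direct case: the user is an approver on the record.
    var own = new GlideRecord('sysapproval_approver');
    own.addQuery('document_id', recordId);
    own.addQuery('approver', userId);
    own.setLimit(1);
    own.query();
    if (own.next()) {
        return true;
    }

    // Delegate case: check every approver of the record, not just the first
    // row returned, so delegates of a second or later approver are covered.
    var now = gs.daysAgo(0);
    var approval = new GlideRecord('sysapproval_approver');
    approval.addQuery('document_id', recordId);
    approval.query();
    while (approval.next()) {
        var delegation = new GlideRecord('sys_user_delegate');
        delegation.addQuery('user', approval.approver);
        delegation.addQuery('delegate', userId);
        delegation.addQuery('approvals', true);
        delegation.addQuery('starts', '<=', now);
        delegation.addQuery('ends', '>=', now);
        delegation.setLimit(1);
        delegation.query();
        if (delegation.next()) {
            return true;
        }
    }

    // Explicit denial rather than an implicit `undefined`.
    return false;
}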


8 REPLIES 8

Hi Matt,

Can you check whether any record in sys_user_delegate table for that approver is present or not?

Also check by adding log statements.

Enable security debugging and check which ACL is failing.

Regards

Ankur

Regards,
Ankur

Yes, there is a record.

In relation to debugging, this is what makes it tricky. The user accesses the approval record via the Service Portal, and I can't find a way to debug ACLs in the portal.

Hi Ankur,

I managed to figure it out but needed to restructure your script to read:

// Entry point of the ACL script: the result of the approver/delegate check is stored in `answer`.
answer = getAttachmentApproverRead();

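/**
 * Decides whether the current user may read an attachment, either as an
 * approver of the record it belongs to or as a delegate of such an approver.
 *
 * Reads the platform globals `gs` (for the session user) and `current`
 * (the row the ACL is evaluated against; its `table_sys_id` is matched
 * against the approval's `document_id`).
 *
 * Delegation is honoured only while it is in force: the sys_user_delegate
 * row must cover approvals and the current time must fall between its
 * `starts` and `ends` values. Without that window an expired delegation
 * would keep granting read access to the attachments.
 *
 * @returns {boolean} true when the user is an approver of the record or an
 *     active approval delegate of one of its approvers, false otherwise.
 */
function getAttachmentApproverRead() {
    var userId = gs.getUserID();
    var recordId = current.table_sys_id;

    // Direct case: the user is an approver on the record.
    var own = new GlideRecord('sysapproval_approver');
    own.addQuery('document_id', recordId);
    own.addQuery('approver', userId);
    own.setLimit(1);
    own.query();
    if (own.next()) {
        return true;
    }

    // Delegate case: check every approver of the record, not just the first
    // row returned, so delegates of a second or later approver are covered.
    var now = gs.daysAgo(0);
    var approval = new GlideRecord('sysapproval_approver');
    approval.addQuery('document_id', recordId);
    approval.query();
    while (approval.next()) {
        var delegation = new GlideRecord('sys_user_delegate');
        delegation.addQuery('user', approval.approver);
        delegation.addQuery('delegate', userId);
        delegation.addQuery('approvals', true);
        delegation.addQuery('starts', '<=', now);
        delegation.addQuery('ends', '>=', now);
        delegation.setLimit(1);
        delegation.query();
        if (delegation.next()) {
            return true;
        }
    }

    // Explicit denial rather than an implicit `undefined`.
    return false;
}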

J_47
Tera Contributor

I am having a similar issue; we have a custom table in a scoped application.

Below is the read ACL on that table which is not working for delegation.

 

==========script===========

 

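// Store the decision in `answer`, as the other ACL scripts in this thread do,
// instead of leaving the call's return value unassigned.
var user_id = gs.getUserID();
answer = isCreatorOrApprover(user_id);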

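/**
 * Decides whether a user may read the current record: as the user who
 * opened it, as one of its approvers, or as a delegate of an approver.
 *
 * Reads the platform globals `current` (record under evaluation) and `gs`.
 *
 * Delegation is honoured only while it is in force: the sys_user_delegate
 * row must cover approvals and the current time must fall between its
 * `starts` and `ends` values, so an expired delegation no longer grants
 * read access.
 *
 * NOTE(review): if the delegate branch never matches in a scoped
 * application, check whether the scope is allowed to read
 * sys_user_delegate at all - confirm with security debugging.
 *
 * @param {string} user_id sys_id of the user to check.
 * @returns {boolean} true when one of the three conditions holds.
 */
function isCreatorOrApprover(user_id) {
    // Loose comparison is deliberate: on the platform `current.opened_by`
    // is a field object, not a plain string, so `===` would never match.
    if (current.opened_by == user_id) {
        return true;
    }

    // Direct approver of this record.
    var ownApproval = new GlideRecord('sysapproval_approver');
    ownApproval.addQuery('approver', user_id);
    ownApproval.addQuery('sysapproval', current.sys_id);
    ownApproval.setLimit(1);
    ownApproval.query();
    if (ownApproval.next()) {
        return true;
    }

    // Active approval delegate of any approver of this record.
    var now = gs.daysAgo(0);
    var approval = new GlideRecord('sysapproval_approver');
    approval.addQuery('sysapproval', current.sys_id);
    approval.query();
    while (approval.next()) {
        var delegation = new GlideRecord('sys_user_delegate');
        delegation.addQuery('user', approval.approver);
        delegation.addQuery('delegate', user_id);
        delegation.addQuery('approvals', true);
        delegation.addQuery('starts', '<=', now);
        delegation.addQuery('ends', '>=', now);
        delegation.setLimit(1);
        delegation.query();
        if (delegation.next()) {
            return true;
        }
    }

    return false;
}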

 

============================================

 

The 1st and last scenarios are working, but the second scenario (delegation) is not working.

Can someone help ?