07-25-2024 02:46 AM - edited 07-25-2024 03:02 AM
Hello.
I have an unusual requirement for an ACL.
I have 3 users in "sn_hr_core_profile" table
in sys_user table:
Abel: got "sn_hr_core.basic" role.
Abraham: got only "itil" role.
Adela: got super hr user role: "sn_hr_core.hr4hr" which contains "sn_hr_core.basic" role.
When I log in as ABEL and open the "sn_hr_core_profile" table, I should see only ABRAHAM's profile and my own (ABEL's):
When I log in as ADELA and open the "sn_hr_core_profile" table, I should see all three profiles — ABRAHAM's, ABEL's and my own (ADELA's):
How do I script this in an ACL? Or is there another mechanism?
This is a security requirement: an HR person must see their own profile but NOT the profiles of other HR persons in the "sn_hr_core_profile" table (profiles of non-HR users stay visible, and the super HR role sees everything).
Any idea how it could be done? Dynamic filtering of the list view? An ACL? A business rule? Any idea please — the requirement is a bit "crazy" 😉
Please advise.
Thank you.
I have something like the following, but when logged in as ABEL it hides all rows:
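// Row-level read ACL script for sn_hr_core_profile.
// ServiceNow evaluates this once per record with `current` bound to the row
// and expects the decision in `answer` (true = readable).
//
// Rules:
//   - sn_hr_core.hr4hr            : may read every profile.
//   - sn_hr_core.basic (no hr4hr) : may read their own profile and the
//                                   profiles of users who do NOT themselves
//                                   hold sn_hr_core.basic (non-HR people).
//   - anyone else                 : denied.
//
// Why the original version failed:
//   - `!basic || !hr4hr` denied everyone who did not hold BOTH roles.
//   - the trailing `else` ran for hr4hr users (their branch condition
//     `basic && !hr4hr` is false) and overwrote the earlier `answer = true`.
//   - a basic HR user was only ever allowed their own row, so non-HR
//     profiles (ABRAHAM) were hidden as well.
//
// NOTE: gs.hasRole() reports true for admin whatever role is asked for, so
// admins take the unrestricted branch.
answer = (function () {
    if (gs.hasRole('sn_hr_core.hr4hr')) {
        return true;
    }
    if (!gs.hasRole('sn_hr_core.basic')) {
        return false;
    }

    // `current` already is the record under evaluation; no need to re-read it.
    var ownerId = current.getValue('user');
    if (!ownerId) {
        // Profile without an owner (or a not-yet-saved row): fail closed.
        return false;
    }

    // String() on both sides: values coming back from the platform may be
    // Java strings, for which a bare === against a JS string is unreliable.
    if (String(ownerId) === String(gs.getUserID())) {
        return true;
    }

    // Another user's profile: readable only if that user is NOT HR.
    // sys_user_has_role is expected to list inherited grants as rows too
    // (role containment such as hr4hr -> basic, and group membership);
    // confirm this on your instance, otherwise an HR user with only an
    // inherited 'basic' grant would remain visible.
    var grant = new GlideRecord('sys_user_has_role');
    grant.addQuery('user', ownerId);
    grant.addQuery('role.name', 'sn_hr_core.basic');
    grant.setLimit(1);
    grant.query();
    return !grant.hasNext();
})();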
07-25-2024 03:20 AM
Hi @Don Dom
You can achieve this with a Before Query business rule on the "sn_hr_core_profile" table. Note that a query business rule only filters lists and queries; the record-level read ACL still decides what a user may open, so keep the ACL as the enforcement point.
You can use the code below as a reference and adapt it as needed. I had the same requirement.
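(function executeRule(current, previous /*null when async*/) {
    // Before Query business rule on sn_hr_core_profile.
    //
    // Narrows every query against the table according to the caller's roles:
    //   - sn_hr_core.hr4hr : unrestricted, sees every profile.
    //   - sn_hr_core.basic : own profile plus profiles whose owner does NOT
    //                        hold sn_hr_core.basic (non-HR people).
    //   - no HR role       : the query is aborted and returns no rows.
    //
    // Caveats:
    //   - A query business rule is a list/query filter, not an access-control
    //     boundary (other scripts and different execution contexts can run
    //     without it). Keep the table's read ACL as the enforcement point.
    //   - Conditions are added to `current` directly instead of first
    //     collecting profile sys_ids: querying this same table from inside
    //     its own query rule re-enters the rule, and a 'sys_id IN <list>'
    //     clause grows with the table.
    //   - The HR test uses sys_user_has_role rather than `user.roles!=...`:
    //     a '!=' on a list-type field compares the whole value, so an HR
    //     user holding e.g. 'itil,sn_hr_core.basic' would slip through.
    //   - gs.hasRole() reports true for admin for any role, so admins take
    //     the unrestricted branch.
    var userSysID = gs.getUserID();

    if (gs.hasRole('sn_hr_core.hr4hr')) {
        return; // super HR: leave the query untouched
    }

    if (!gs.hasRole('sn_hr_core.basic')) {
        current.setAbortAction(true); // no HR role: no rows at all
        return;
    }

    // Users holding sn_hr_core.basic. sys_user_has_role is expected to carry
    // inherited grants (role containment such as hr4hr -> basic, group
    // membership) as rows as well — confirm on your instance.
    var hrUserIds = [];
    var grant = new GlideRecord('sys_user_has_role');
    grant.addQuery('role.name', 'sn_hr_core.basic');
    grant.query();
    while (grant.next()) {
        hrUserIds.push(grant.getValue('user'));
    }

    // own profile OR owner is not an HR user
    var ownProfile = current.addQuery('user', userSysID);
    if (hrUserIds.length > 0) {
        ownProfile.addOrCondition('user', 'NOT IN', hrUserIds.join(','));
    }
    // else: no grants found (unexpected, the caller holds the role) —
    // fail closed and show only the caller's own profile.
})(current, previous);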
07-25-2024 03:20 AM
Hi @Don Dom
You can achieve this with a Before Query business rule on the "sn_hr_core_profile" table. Note that a query business rule only filters lists and queries; the record-level read ACL still decides what a user may open, so keep the ACL as the enforcement point.
You can use the code below as a reference and adapt it as needed. I had the same requirement.
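(function executeRule(current, previous /*null when async*/) {
    // Before Query business rule on sn_hr_core_profile.
    //
    // Narrows every query against the table according to the caller's roles:
    //   - sn_hr_core.hr4hr : unrestricted, sees every profile.
    //   - sn_hr_core.basic : own profile plus profiles whose owner does NOT
    //                        hold sn_hr_core.basic (non-HR people).
    //   - no HR role       : the query is aborted and returns no rows.
    //
    // Caveats:
    //   - A query business rule is a list/query filter, not an access-control
    //     boundary (other scripts and different execution contexts can run
    //     without it). Keep the table's read ACL as the enforcement point.
    //   - Conditions are added to `current` directly instead of first
    //     collecting profile sys_ids: querying this same table from inside
    //     its own query rule re-enters the rule, and a 'sys_id IN <list>'
    //     clause grows with the table.
    //   - The HR test uses sys_user_has_role rather than `user.roles!=...`:
    //     a '!=' on a list-type field compares the whole value, so an HR
    //     user holding e.g. 'itil,sn_hr_core.basic' would slip through.
    //   - gs.hasRole() reports true for admin for any role, so admins take
    //     the unrestricted branch.
    var userSysID = gs.getUserID();

    if (gs.hasRole('sn_hr_core.hr4hr')) {
        return; // super HR: leave the query untouched
    }

    if (!gs.hasRole('sn_hr_core.basic')) {
        current.setAbortAction(true); // no HR role: no rows at all
        return;
    }

    // Users holding sn_hr_core.basic. sys_user_has_role is expected to carry
    // inherited grants (role containment such as hr4hr -> basic, group
    // membership) as rows as well — confirm on your instance.
    var hrUserIds = [];
    var grant = new GlideRecord('sys_user_has_role');
    grant.addQuery('role.name', 'sn_hr_core.basic');
    grant.query();
    while (grant.next()) {
        hrUserIds.push(grant.getValue('user'));
    }

    // own profile OR owner is not an HR user
    var ownProfile = current.addQuery('user', userSysID);
    if (hrUserIds.length > 0) {
        ownProfile.addOrCondition('user', 'NOT IN', hrUserIds.join(','));
    }
    // else: no grants found (unexpected, the caller holds the role) —
    // fail closed and show only the caller's own profile.
})(current, previous);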
07-25-2024 04:20 AM
Hi @Don Dom
If my response helped you, could you please mark it as the solution? It helps other people in the community.
Thanks! Happy learning.