ACLs / Security rules should not have GlideRecord/GlideAggregate in script

Swarnalathay
Tera Contributor

Hi,
I want to avoid database lookups in Access Control rules. Please check the below script. Can we update the code differently (without GlideRecord queries)?


  answer = false;
  var appr = new GlideRecord("sysapproval_approver");
  appr.addEncodedQuery("sysapproval=" + current.sys_id + "^");
  appr.query();
  while (appr.next()) {
    if (appr.approver == gs.user_id()) {
       answer = true;
    }
  }

Kieran Anson
Kilo Patron

Can you provide context on what your ACL is granting access to? Without that context, it'll be hard to suggest an improvement.

Hi Kieran,
The ACL was to provide read access to the approvers for a custom table, based on the requests they have to approve.

The following can be used in a table read ACL:

answer = (new global.ApproverUtils()).verify(current.getTableName(), current.getUniqueValue(), gs.getUserID());
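
Added example, not part of the thread and not ServiceNow's own code: one way to move the question's approver check out of the ACL script into a helper that filters on the approver in the query and stops at the first match, so the lookup still runs but only in one reviewable place. `isApproverFor` is a hypothetical name, and the in-memory `GlideRecord` stand-in with its sample rows is constructed only so the sketch runs outside an instance.

```javascript
// Constructed in-memory stand-in for GlideRecord so this sketch runs outside an
// instance. On a real instance, omit it and the platform class is used instead.
var ROWS = [ // constructed sample sysapproval_approver rows
  { sysapproval: 'req1', approver: 'userA' },
  { sysapproval: 'req1', approver: 'userB' },
  { sysapproval: 'req2', approver: 'userB' }
];
function GlideRecord(table) { this.filters = {}; this.limit = Infinity; this.hits = []; }
GlideRecord.prototype.addQuery = function (field, value) { this.filters[field] = String(value); };
GlideRecord.prototype.setLimit = function (n) { this.limit = n; };
GlideRecord.prototype.query = function () {
  var f = this.filters;
  this.hits = ROWS.filter(function (row) {
    return Object.keys(f).every(function (k) { return row[k] === f[k]; });
  }).slice(0, this.limit);
};
GlideRecord.prototype.hasNext = function () { return this.hits.length > 0; };

// Hypothetical helper (would live in a Script Include method): returns true only
// when userId has an approval row for recordId.
function isApproverFor(recordId, userId) {
  if (!recordId || !userId) {
    return false; // fail closed when either input is missing
  }
  var appr = new GlideRecord('sysapproval_approver');
  appr.addQuery('sysapproval', recordId); // the record the ACL is evaluating
  appr.addQuery('approver', userId);      // filter in the query, not in a loop
  appr.setLimit(1);                       // existence is all the ACL needs
  appr.query();
  return appr.hasNext();
}

// The ACL script then reduces to a single call:
// answer = isApproverFor(current.getUniqueValue(), gs.getUserID());
```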

Martin Friedel
Mega Sage

Hello,

I assume you posted the script of a write ACL for the sysapproval_approver record. Look for the existing out-of-box ACL that does the same thing:

SysID: 80d52d76c0a8016654604f17e7afb1da

Script:

answer = gs.hasRole('approval_admin') || gs.hasRole('itil') || gs.hasRole('catalog') || (new ApprovalDelegationUtil().isMyApproval(current));

If my answer helped you, please mark it as correct and helpful, thank you 👍
Martin