
Advanced Reference Qualifier only works for certain role

leslie8
Mega Expert

I have installed the Loaner Management application by Chuck Tomasi. This was made in an old version of ServiceNow and I have made it work in Fuji with some customization.

I am running into a major issue with the Advanced Reference Qualifier in the Record Producer on the field cmdb_ci.

The reference qualifier is designed to return only the particular loaner items that are available between the selected start and end date. Thus, if the loaner is already reserved for any date in between the selected date, it doesn't show up in the list.

This works great -- ONLY for users with the role "loaner_admin". I noticed that for any user that doesn't have that role, the reference qualifier isn't working! The reference field returns ALL of the items, even if they are already booked for the time period.

I tried logging in as a loaner_admin user and it works, but when I log in as a user with any other role, ALL of the items are available in the list and this results in a DOUBLE booking. Yikes!

I then granted my test user the loaner_admin role and it worked. So, I know it has to do with an ACL on that role.

I experimented with the ACL rules. I added the role "user" to the "write" action on the cmdb_ci field, but that did not solve the issue.

Reference Qualifier on cmdb_ci

javascript: new LoanerUtilsClient(current).availableCis(current.variables.item_type, current.variables.depot, current.variables.start_date, current.variables.end_date);

20 REPLIES

rob_pastore
ServiceNow Employee

If you remove the ACL no one will have access.


Robert is correct; he is referring to the "Default Deny" nature of the High Security Settings:


https://wiki.servicenow.com/index.php?title=High_Security_Settings



You should *not* change this (and Robert is obviously not suggesting that you do).



Tables and fields are not readable by users unless an ACL explicitly grants them access to them. If you remove all ACLs for a table, no one will be able to read or write to it. This is an intended feature: it means you are safe to create data tables in your instance and be assured that no one will have access to them until you allow it.



Some older instances have this set to "Always Allow" and use ACLs to deny access. This is a legacy configuration; it's very rare, and it's unlikely your instance is set up that way.



When you configure a read ACL for the loaner_request table, you are telling the system who is allowed to read those records. In the example I gave above, we were turning on read access for *everyone*. This is a common way to troubleshoot read access issues for a table: to either confirm or disprove ACLs as being a culprit. Your final configuration for this table is going to require some level of ACL to allow users to read from it. We are just trying to figure out what is currently blocking non-loaner_admins from having access during troubleshooting.
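An added illustration, not part of any post in this thread and not the Loaner Management application's code: a plain-JavaScript model of the failure mode being tested here, assuming the availability lookup is subject to read ACLs on the reservation table. All data, the `itil` role and every function name are constructed for the example; no ServiceNow API is used.

```javascript
// Constructed sample data: reservations and CI names are illustrative only.
const reservations = [
  { ci: 'laptop-01', start: '2015-08-10', end: '2015-08-14' },
  { ci: 'laptop-02', start: '2015-08-20', end: '2015-08-22' },
];
const loanerCis = ['laptop-01', 'laptop-02', 'laptop-03'];

// Read ACLs per table: roles granted read access; '*' models "allow all to read".
const strictAcls = { loaner_request: ['loaner_admin'] };
const openAcls = { loaner_request: ['*'] };

// Default deny: a table with no matching read ACL is unreadable.
function canRead(acls, table, roles) {
  const granted = acls[table] || [];
  return granted.includes('*') || granted.some(r => roles.includes(r));
}

// An ACL-filtered query returns zero rows to an unauthorized user, not an error.
function readReservations(acls, roles) {
  return canRead(acls, 'loaner_request', roles) ? reservations : [];
}

// Two ranges overlap when each starts on or before the other ends (ISO dates compare as strings).
function overlaps(r, start, end) {
  return r.start <= end && start <= r.end;
}

// The qualifier: every CI without an overlapping reservation the caller can see.
function availableCis(acls, roles, start, end) {
  const booked = new Set(
    readReservations(acls, roles).filter(r => overlaps(r, start, end)).map(r => r.ci));
  return loanerCis.filter(ci => !booked.has(ci));
}

// Fail-closed variant: offer nothing when the reservations cannot be read.
function availableCisStrict(acls, roles, start, end) {
  if (!canRead(acls, 'loaner_request', roles)) return [];
  return availableCis(acls, roles, start, end);
}
```

In this model the user without read access sees an empty reservation list, so the "not booked" filter excludes nothing and every item appears available, which matches the double-booking symptom in the question.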


Hello, sorry, I should have been more clear. I disabled all of the ACLs except for the Allow All to Read on all fields.



Currently there are only these ACLs on the table:


Allow All to Read, Allow All to Write, Allow All to Create



This application was built in a very old version of ServiceNow, not to mention the previous administrator seemed to create some overlapping and conflicting ACLs, that's why I had disabled all of them, and then re-added the Allow All to Read.



I also noticed this error in the sys log. It is general to the service catalog so not sure if it is affecting this application.



CMS site data missing from table: [sc_catalog_site] sc_catalog: [e0d08b13c3330100c8b837659bba8fb4] content_site: [b85a09430d96810068789da3b86690b4]: no thrown error




I think I am going to rebuild this entire thing from scratch. It would benefit from being rebuilt in the Fuji scope anyway.


Hi Leslie,


I got the same issue



CMS site data missing from table: [sc_catalog_site] sc_catalog: [e0d08b13c3330100c8b837659bba8fb4] content_site: [253611776ff41600e5f880d44b3ee437]:



Please let me know how you resolved it.


Thanks,


Naga


ruth4
Tera Contributor

Hi Naga,



I went to sc_catalog_site.list and realized I had not defined a catalog site for our new portal. Once I defined the site and CMS homepage there, the errors stopped.



Regards


Ruth