Advanced script on ACL - role based restrictions

curtisr
Kilo Expert

I have a strange issue with an advanced script on an ACL. I have a new role called "itil_restricted", which inherits "itil" as it is IT without the ability to manage change or problem. So on the create rule for the problem table I have created a new rule with the conditions of this advanced script:

// Allow create only for users who hold itil but not itil_restricted
if (gs.hasRole('itil') && !gs.hasRole('itil_restricted')) {
  answer = true;
} else {
  answer = false;
}

The thought behind it is everyone with the "itil" role and without the "itil_restricted" role will be able to create on the problem table. What is happening is when this ACL is active no one can modify/create. So the lock down part is good, just not the when to lock down. I turn this one off and everyone has full access again.

I feel like I am missing something elementary here.

1 ACCEPTED SOLUTION

You're an admin though (I assume); even if you don't have the role, you have the role according to gs.hasRole.


Switch it to gs.hasRoleExactly(), or impersonate a non-admin.


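To see why the admin override changes the outcome of the ACL script above, here is an added example (not code from the thread or from ServiceNow) that models the two GlideSystem checks and evaluates the question's condition for an admin, a plain itil user and an itil_restricted user. It assumes, as a simplification, that gs.hasRole() treats an admin as holding every role, that gs.hasRoleExactly() does not, and that a role that contains another grants it; the role hierarchy is constructed from the question.

```javascript
// Simplified model of ServiceNow role evaluation (assumption, not the platform code).
const ROLE_CONTAINS = {
  // Constructed from the question: itil_restricted inherits (contains) itil.
  itil_restricted: ['itil'],
};

// Expand a user's directly granted roles through the containment hierarchy.
function effectiveRoles(directRoles) {
  const seen = new Set();
  const stack = [...directRoles];
  while (stack.length) {
    const r = stack.pop();
    if (seen.has(r)) continue;
    seen.add(r);
    for (const child of ROLE_CONTAINS[r] || []) stack.push(child);
  }
  return seen;
}

// Build a stand-in for the `gs` object for one user's role set.
function makeGs(directRoles) {
  const roles = effectiveRoles(directRoles);
  return {
    hasRole: (role) => roles.has('admin') || roles.has(role), // admin override
    hasRoleExactly: (role) => roles.has(role),                // no override
  };
}

// The ACL condition from the question, parameterised on which check it calls.
function aclAllows(gs, check) {
  return gs[check]('itil') && !gs[check]('itil_restricted');
}

// Evaluate the condition for three constructed users with the chosen check.
function evaluateAll(check) {
  const users = {
    admin_only: ['admin'],           // admin with no explicit itil grant
    itil_user: ['itil'],
    restricted_user: ['itil_restricted'],
  };
  const result = {};
  for (const [name, direct] of Object.entries(users)) {
    result[name] = aclAllows(makeGs(direct), check);
  }
  return result;
}
```

With hasRole the admin is denied because the override makes !gs.hasRole('itil_restricted') false; with hasRoleExactly the admin is still denied unless itil is granted explicitly, which is why the accepted answer also suggests impersonating a non-admin user.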


Dave Smith1
ServiceNow Employee

Yeah, for all I know it worked fine in Fuji but was deprecated in Geneva onwards... all I can tell is that I was headbutting the wall for some time until I did your fix!


Anurag Tripathi
Mega Patron

Run this to see the code flow:

// Log each role check, then log which branch the ACL takes
gs.log(gs.hasRole('itil'));
gs.log(gs.hasRole('itil_restricted'));
if (gs.hasRole('itil') && !gs.hasRole('itil_restricted')) {
  gs.log('1');
  answer = true;
} else {
  gs.log('2');
  answer = false;
}
-Anurag

Excellent step in troubleshooting, thank you Anurag.



I have entered this into the advanced script. It is returning 2 (false) for both in the logs for my user even though I do not have the itil_restricted role. I am thinking my approach on the role is what is wrong here, not the script. Currently the itil_restricted role is inheriting the itil role. But it seems that the itil role members (myself in this case) are being tagged with this as well?



Am I wrong in my thought process & misunderstanding how roles & inheritance works?