
Allow List View but Prevent Users From Opening the Form

tiguin2798
Tera Guru

Hello, I have a business rule that is working correctly to restrict our InfoSec tickets based on a custom role to only those users with the role. The issue here is that CAB cannot seem to relate those incidents to Changes or see incidents that have been related. The CAB team only needs the list view to be able to have these incidents as related records, but does not need access to open the forms. Below is my code for the business rule restricting access. I thought adding the secondary custom CAB role and then creating an onLoad client script only containing the infosec role might achieve this, but it then makes the infosec incidents hidden again.

Any way I can achieve this?

 

(function executeRule(current, previous /*null when async*/ ) {
    // If the user does not have the 'lgfcu_ir_infosec' role, records appear on the basis of the encoded query.
    // The role list passed to gs.hasRole() is comma-separated, written without spaces.
    if (!gs.hasRole("xxxxx_ir_infosec,xxxx_CAB")) {
        current.addEncodedQuery('subcategory!=ir_external_internet^ORsubcategory=NULL^subcategory!=ir_legal_support^ORsubcategory=NULL^subcategory!=ir_loss_of_equipment^ORsubcategory=NULL^subcategory!=ir_malicious_code^ORsubcategory=NULL^subcategory!=ir_personnel^ORsubcategory=NULL^subcategory!=ir_triage^ORsubcategory=NULL'); // filter on IR subcategories
    } else {
        // If the user has the role "xxxxx_ir_infosec", no filter is applied
        return;
    }
})(current, previous);

 

3 REPLIES

Community Alums
Not applicable

Hi @tiguin2798 ,

Create an ACL for the role.

In case you still wish to avoid an ACL, you need to create a before update BR to abort the action from the list view.

 

I attempted to create the ACL and Business rule but it appeared that the ACL was overwriting other read ACLs for 'itil' users although the conditions were filtered. I have another query business rule to hide certain infosec tickets for users without our custom infosec role based on the subcategory. I added my other role to the business rule and this allows those users to view the list. I thought adding the below onLoad client script would prevent them from opening records and redirect back to the list, but it is not functioning and users with the other role can still open records. Can you please advise if changes are needed as I am new to JavaScript.

 

function onLoad() {
    var restrictedRole = 'xxxxx_CAB_all_standard_read';
    var currentRecordId = g_form.getUniqueValue();

    // Ask the server whether the current user has the given role
    function userHasRole(roleName, callback) {
        var ga = new GlideAjax('UserRoleCheck');
        // GlideAjax needs sysparm_name to select the server-side method. 'hasRole' is an
        // assumed method name, because the UserRoleCheck script include is not shown here.
        ga.addParam('sysparm_name', 'hasRole');
        // Custom parameter names must begin with sysparm_
        ga.addParam('sysparm_role_name', roleName);
        ga.getXMLAnswer(function(response) {
            callback(response === 'true');
        });
    }

    // Ask the server whether this record falls in one of the InfoSec subcategories
    function checkFilterCriteria(callback) {
        var filterGa = new GlideAjax('InfoSecQueryFilterCheck');
        filterGa.addParam('sysparm_name', 'checkFilter');
        filterGa.addParam('sysparm_sys_id', currentRecordId);
        filterGa.getXMLAnswer(function(response) {
            callback(response === 'true');
        });
    }

    function redirectToListView() {
        var listViewUrl = window.location.origin + '/incident_list.do?sysparm_userpref_module=4fed4395c0a8016400fcf06c27b1e6c6&sysparm_query=active%3Dtrue%5EEQ%26active%3Dtrue';
        window.location.href = listViewUrl;
    }

    // Pass the variable; the bare role name was an undefined identifier
    userHasRole(restrictedRole, function(hasRole) {
        if (hasRole) {
            checkFilterCriteria(function(meetsCriteria) {
                if (meetsCriteria) {
                    redirectToListView();
                }
            });
        }
    });
}

Where I have 'InfoSecQueryFilterCheck', this is a script include with the following. I am curious if there could potentially be an error here as well.

// The class name must match the name the client passes to GlideAjax
var InfoSecQueryFilterCheck = Class.create();
InfoSecQueryFilterCheck.prototype = Object.extendsObject(AbstractAjaxProcessor, {

    checkFilter: function() {
        var currentRecord = this.getParameter('sysparm_sys_id');
        var gr = new GlideRecord('incident');

        gr.addQuery('sys_id', currentRecord);
        // Several addQuery() calls on one field are ANDed together and can never all match,
        // so test the subcategory against the whole list with a single IN condition
        gr.addQuery('subcategory', 'IN', 'ir_external_internet,ir_legal_support,ir_loss_of_equipment,ir_malicious_code,ir_personnel,ir_triage');
        gr.setLimit(1);
        gr.query();

        if (gr.next()) {
            return 'true';
        }
        return 'false';
    },

    type: 'InfoSecQueryFilterCheck'
});

tiguin2798
Tera Guru

I have made a lot of progress on this by reconfiguring my client script. When opening the form with the conditions it is now redirecting users with this role to the list view in legacy. In Service Operations Workspace there does not seem to be a way to abort the tab from opening, but I have changed it to instead hide all form fields and a custom tab. This is working great! The last thing I need for this to be functional is to also hide the journal entries (work notes and additional comments).

I tried with the following code, but it is not working as intended. Some assistance with this would be greatly appreciated! Thank you in advance.

function onLoad() {
    // Check if the user has the role 'xxxxx_CAB_all_standard_read'
    if (g_user.hasRole('xxxxx_CAB_all_standard_read')) {
        // Check if the table is 'incident'
        if (g_form.getTableName() === 'incident') {
            // Get the subcategory value from the form field
            var subcategory = g_form.getValue('subcategory');
            
            // Define the list of subcategories that should trigger the field hide
            var restrictedSubcategories = [
                'ir_external_internet', 
                'ir_legal_support', 
                'ir_loss_of_equipment', 
                'ir_malicious_code', 
                'ir_personnel', 
                'ir_triage'
            ];
            
            // Check if the subcategory is in the list
            if (restrictedSubcategories.indexOf(subcategory) > -1) {
                // Hide all form fields
                var allFields = g_form.getEditableFields(); // Get all editable fields
                allFields.forEach(function(field) {
                    g_form.setDisplay(field, false); // Hide each field
                });
                
                // Specific fields for journal entries
                var journalFields = [
                    'work_notes', // Work Notes field
                    'comments' // Additional Comments field (or 'additional_comments' depending on your setup)
                ];
                
                // Hide journal entry fields
                journalFields.forEach(function(field) {
                    g_form.setDisplay(field, false); // Hide the journal entry fields
                });

                // Hide the form section by its name (e.g., "Security Incident Response")
                var sectionName = 'Security Incident Response'; // Update with the actual section name or ID
                g_form.setSectionDisplay(sectionName, false); // Hide the section
                
                // Optionally, hide the form header and buttons (if needed)
                g_form.setDisplay('header', false); // Hide form header
                g_form.setDisplay('sysverb_update', false); // Hide update button
                g_form.setDisplay('sysverb_insert', false); // Hide insert button
                g_form.setDisplay('sysverb_delete', false); // Hide delete button

                // Show a custom error message
                g_form.addErrorMessage('You do not have permissions to view this page');
            }
        }
    }
}
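
The posts above hide fields with `g_form.setDisplay`, which only changes what the form renders, whereas an ACL, as the first reply suggests, is evaluated on the server. The following added example (not code from the thread) shows the per-field read decision such an ACL script could make for the roles and subcategories quoted above. `LIST_FIELDS`, the sample record and the function names are assumptions.

```javascript
// Added example: per-field read decision for restricted InfoSec incidents.
// Role names and subcategory values are the (redacted) ones quoted in the thread.
var RESTRICTED_SUBCATEGORIES = [
    'ir_external_internet', 'ir_legal_support', 'ir_loss_of_equipment',
    'ir_malicious_code', 'ir_personnel', 'ir_triage'
];
var INFOSEC_ROLE = 'xxxxx_ir_infosec';
var CAB_ROLE = 'xxxxx_CAB_all_standard_read';
// Assumed set of columns CAB needs in order to list and relate an incident
var LIST_FIELDS = ['number', 'short_description', 'state', 'subcategory'];

// hasRole is function(roleName) -> boolean. On an instance it would wrap
// gs.hasRole; here it is injected so the logic can run outside ServiceNow.
function canReadIncidentField(fieldName, subcategory, hasRole) {
    // Incidents outside the InfoSec subcategories (including empty) are not gated
    if (RESTRICTED_SUBCATEGORIES.indexOf(subcategory) === -1) {
        return true;
    }
    if (hasRole(INFOSEC_ROLE)) {
        return true; // InfoSec reads every field
    }
    if (hasRole(CAB_ROLE)) {
        // CAB reads only the list columns: no journals, no other form fields
        return LIST_FIELDS.indexOf(fieldName) !== -1;
    }
    return false; // everyone else reads nothing on a restricted incident
}

// Fields of one record (plain object) that a user would be allowed to read
function visibleFields(record, hasRole) {
    var out = {};
    Object.keys(record).forEach(function (field) {
        if (canReadIncidentField(field, record.subcategory, hasRole)) {
            out[field] = record[field];
        }
    });
    return out;
}

// Constructed sample record, not data from the thread
var SAMPLE_INCIDENT = {
    number: 'INC0000001', short_description: 'Constructed sample',
    subcategory: 'ir_triage', work_notes: 'internal note', comments: 'customer note'
};

// Hypothetical wiring inside a field-level read ACL script on incident:
//   answer = canReadIncidentField('work_notes', String(current.subcategory),
//                                 function (r) { return gs.hasRole(r); });
```

Because the decision is made per field on the server, the same result applies to list views, forms and workspace tabs without any client script.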