Allow only admins and script includes or ajax calls to access a specific field

Karl Dietrich
Kilo Sage

Hello there, 

 

I have a special problem. I want to restrict access to one field so that only admins can read the field. So far so good, but I need some Script Includes and GlideAjax calls to be able to read the field because it is needed for some requests.

How would I approach this issue?

In list and form views the field should be unavailable, so I create an ACL for that, but is there a way to differentiate between the "normal" access calls and the "ajax" or script include calls for that field?

 

Thanks in advance for your help 🙂

P.S. I hope the image helps with my wacky explanation.

1 ACCEPTED SOLUTION

Ahhh okay, I see, I wanted to over-engineer my solution. You just need to create an ACL with a role and the normal users won't see the field, and business rules/script includes ignore that ACL anyway when you use GlideRecord.

3 REPLIES

Maik Skoddow
Tera Patron

Hi

Yes, basically this is possible with the help of ACLs.

But I am really wondering about the "allow" path of Ajax/Script Include, as this is a rather insecure way. As a user who has no access to the field at UI16, I could script an Ajax call in the browser console and would have access. This makes no sense to me!

Kind regards
Maik

Hi Maik, 
and how would I do that?

 

I plan on having some kind of exception list so not every Script Include would have access, just some methods which I need. I also plan to encrypt the output, but first I need a way to access the information for further use.

Kind regards,
Karl

Ahhh okay, I see, I wanted to over-engineer my solution. You just need to create an ACL with a role and the normal users won't see the field, and business rules/script includes ignore that ACL anyway when you use GlideRecord.
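
The two points raised in this thread, as an added sketch that is not part of any post: because GlideRecord does not evaluate ACLs, a client-callable method that returns the field has to enforce the restriction itself, either with an explicit role check or by reading through GlideRecordSecure. The `gs`, `GlideRecord` and `GlideRecordSecure` objects below are small constructed stand-ins so the code runs in Node; the table `u_demo`, field `u_secret`, role `u_secret_reader` and the sys_id are hypothetical.

```javascript
// Constructed stand-ins for ServiceNow's server-side globals so this runs in Node.
// Table u_demo, field u_secret, role u_secret_reader and the sys_id are hypothetical.
const ROWS = { abc123: { u_secret: 'tok-9f2', short_description: 'demo' } };
const FIELD_ACL = { u_secret: 'u_secret_reader' };   // read ACL: field -> required role
let sessionRoles = [];                               // roles of the calling user
const gs = { hasRole: (r) => sessionRoles.includes(r) || sessionRoles.includes('admin') };

class GlideRecord {                  // model: reads rows without evaluating ACLs
  constructor(table) { this.table = table; this.row = null; }
  get(sysId) { this.row = ROWS[sysId] || null; return this.row !== null; }
  getValue(f) { return this.row ? this.row[f] : null; }
}
class GlideRecordSecure extends GlideRecord {   // model: unreadable fields come back null
  getValue(f) {
    const role = FIELD_ACL[f];
    return role && !gs.hasRole(role) ? null : super.getValue(f);
  }
}

// Body of a client-callable method as questioned in the thread: any logged-in
// user who can issue the Ajax call receives the protected value.
function readUnguarded(sysId) {
  const gr = new GlideRecord('u_demo');
  return gr.get(sysId) ? gr.getValue('u_secret') : null;
}

// Option 1: keep GlideRecord but make the script check the role itself.
function readWithRoleCheck(sysId) {
  if (!gs.hasRole('u_secret_reader')) return null;
  return readUnguarded(sysId);
}

// Option 2: let the field ACL decide by querying through GlideRecordSecure.
function readWithAclEnforced(sysId) {
  const gr = new GlideRecordSecure('u_demo');
  return gr.get(sysId) ? gr.getValue('u_secret') : null;
}

// Helper for trying each reader under a given set of session roles.
function asUser(roles, fn) { sessionRoles = roles; return fn('abc123'); }
```

On an instance the stand-ins are dropped and the reader functions become methods of the Script Include; server-only callers that legitimately need the value can keep using plain GlideRecord in a Script Include that is not client callable.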