Approval Summarizer ACL Trouble on Requested Item

jlaps
Kilo Sage

On the Portal view, non-itil users that use the portal to action their approvals are NOT seeing the approval summarizer information from RITM approvals. Admins can see it fine. The ACL is present that does the voodoo and I believe this part is correct:

jlaps_0-1671631420536.png

I do not understand exactly how the above works. I can see in my UI MACROS there are several summarizers, some with default in the name, some with RITM or requested item... how do I know which is being used? How do I determine if the above ACL is the one failing vs...

var answer = false;
var gr = new GlideRecord('sysapproval_approver');
gr.addQuery('sysapproval', current.sys_id);
gr.query();

// Check to see if this user is an approver for the record
while (gr.next()) {
	if (gr.approver == gs.getUserID()) {
		answer = true;
		//gs.log('ACL sc_req_item READ: Allowing approver to read record ' + current.number);
	}
	else {
		// If not the approver, check to see if the user is a delegate for this record's approver
		var now = new GlideDateTime();
		var del = new GlideRecord('sys_user_delegate'); // declared with var so it does not leak as a global
		del.addQuery('user', gr.approver);
		del.addQuery('delegate', gs.getUserID());
		del.addQuery('starts', '<', now);
		del.addQuery('ends', '>', now);
		del.query();
		if (del.next()) {
			answer = true;
			//gs.log('ACL sc_req_item READ: User is a delegate for approver on ' + current.number);
		}
	}
}

It would certainly seem the above ACL is not helping from the portal view for non itil.

Any tips on where to start looking?

4 REPLIES

Steve Craggs
Tera Contributor

I have faced the same issue with non itil users approving.

My solution was to add both the approver_user & sn_request_approver_read roles to the user/group the approval is getting assigned to.

The role is used for a read ACL on both the sc_request & sc_req_item tables.

The ACL uses: new global.GlobalServiceCatalogUtil().canReadApprovingRecord() function

Hope this helps.
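
Added example, not part of any post in this thread and not ServiceNow's own code: a plain-JavaScript model of how a read ACL that carries both a role requirement and the approver script from the question is decided, showing that the script can return true while access is still denied. The function names, the sample users and records, and the assumption that the ACL requires approver_user are constructed for illustration.

```javascript
// Plain-JavaScript model (no Glide APIs); all records below are constructed.

// Script check from the post: the user is an approver on the record,
// or a currently active delegate of one of its approvers.
function approverScript(userId, ctx) {
  return ctx.approvals
    .filter(a => a.sysapproval === ctx.recordId)
    .some(a => a.approver === userId ||
      ctx.delegates.some(d => d.user === a.approver && d.delegate === userId &&
                              d.starts < ctx.now && d.ends > ctx.now));
}

// One ACL passes only if the role requirement AND the script both pass.
function evaluateAcl(acl, user, ctx) {
  const roleOk = acl.roles.length === 0 ||
                 acl.roles.some(r => user.roles.includes(r));
  const scriptOk = acl.script(user.id, ctx);
  return { name: acl.name, roleOk, scriptOk, pass: roleOk && scriptOk };
}

// Read is granted if any matching ACL passes; the per-ACL results show
// which half (role or script) blocked the user.
function canRead(acls, user, ctx) {
  const results = acls.map(acl => evaluateAcl(acl, user, ctx));
  return { granted: results.some(r => r.pass), results };
}

// Constructed sample data. The role on the ACL is an assumption for the demo.
const ctx = {
  recordId: 'ritm-1',
  now: new Date('2022-12-21T12:00:00Z'),
  approvals: [{ sysapproval: 'ritm-1', approver: 'alice' }],
  delegates: [
    { user: 'alice', delegate: 'bob',
      starts: new Date('2022-12-01T00:00:00Z'), ends: new Date('2022-12-31T00:00:00Z') },
    { user: 'alice', delegate: 'carol', // expired delegation
      starts: new Date('2022-11-01T00:00:00Z'), ends: new Date('2022-11-30T00:00:00Z') },
  ],
};
const acls = [{ name: 'sc_req_item read', roles: ['approver_user'], script: approverScript }];

for (const user of [
  { id: 'alice', roles: [] },                 // approver without the role
  { id: 'alice', roles: ['approver_user'] },  // approver with the role
  { id: 'bob',   roles: ['approver_user'] },  // active delegate
  { id: 'carol', roles: ['approver_user'] },  // expired delegate
]) {
  console.log(user.id, user.roles, JSON.stringify(canRead(acls, user, ctx)));
}
```

In the first case the script check passes and the role check fails, so looking at the script alone does not tell you why the record is hidden.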

Did you add those roles to all your people then? We have some default roles that all users get for functionality, perhaps these two should be included? Seems odd. Maybe I can just inherit those roles with the current default roles or something.

I don't have a discrete list of "people that might get approvals". Anyone could get approvals, so anyone should be able to see them- at least in my instance.

I don't seem to have the sn_request_approver_read role at all, and adding the other one made no difference. Looking into your UTIL function to see if I can track down what is going on. Frustrating. Probably been this way forever too, but I bet I will take the heat when I bring it up, lol.

jlaps
Kilo Sage

Adding a couple of screenshots of the portal, both what it looks like for non-itil looking at THEIR OWN approval record, and the same thing with the itil role added (and all that it inherits). The approver should be able to see the data here, but something is getting in the way that I don't know how to track down. Any ideas?

itil.jpg

non-itil.jpg