01-21-2025 11:11 AM - edited 01-22-2025 05:50 AM
Hi Team,
I have a requirement to restrict certain roles so that only users with the security_admin role can assign them. Other users attempting to assign these roles should receive an error message.
To achieve this, I created a system property named de_privileged_roles and added the roles admin, itil_admin and catalog_admin to it. I then updated the create ACL on the sys_user_has_role table with the following script:
var rmAPI = new SNC.RoleManagementAPI();
// Comma-separated list of role names from the system property
var restrictedRoles = gs.getProperty('de_privileged_roles', '').split(',');
// Load the sys_user_role record referenced by the row being inserted
var roleGR = new GlideRecord('sys_user_role');
roleGR.get(current.role);
// Platform-level check: may the current user grant this role at all?
if (!rmAPI.isAllowedToGrantRole(current.role)) {
    answer = false;
} else {
    // Custom check: is this one of the restricted roles?
    if (restrictedRoles.indexOf(roleGR.name) !== -1) {
        if (!gs.hasRole('security_admin')) {
            // note: roleName is not defined anywhere in this script
            gs.addErrorMessage('You are not allowed to modify the restricted role: ' + roleName);
            answer = false;
        } else {
            answer = true;
        }
    } else {
        answer = true;
    }
}
This script is not working as intended. Non-security_admin users are still able to assign roles listed in de_privileged_roles.
Could you please review the script and advise on resolving this issue? @Ankur Bawiskar
Thanks in advance!
Best regards,
SM
01-22-2025 11:55 AM
I was able to make it work by updating the script as below:
var rmAPI = new SNC.RoleManagementAPI();
// Comma-separated list of role names from the system property
var restrictedRoles = gs.getProperty('de_privileged_roles', '').split(',');
var isRole = 0;
// Load the sys_user_role record referenced by the row being inserted
var roleGR = new GlideRecord('sys_user_role');
roleGR.get(current.role);
// Platform-level check: may the current user grant this role at all?
if (!rmAPI.isAllowedToGrantRole(current.role)) {
    answer = false;
} else {
    // Loose (==) comparison coerces the GlideElement to its string value
    for (var i in restrictedRoles) {
        if (restrictedRoles[i] == roleGR.name) {
            isRole = 1;
            break;
        }
    }
    if (isRole == 1) {
        // Restricted role: only security_admin may assign it
        if (!gs.hasRole('security_admin')) {
            gs.addErrorMessage('You are not allowed to modify the restricted role: ' + roleGR.name);
            answer = false;
        } else {
            answer = true;
        }
    } else {
        answer = true;
    }
}
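Why the original indexOf check silently allowed the assignment while the accepted loop works, as an added example that is not code from this thread: FakeGlideElement is a constructed stand-in for the object a GlideRecord field returns (the real GlideElement is not available outside the platform), and the property value is made up, with a stray space after a comma as often happens in sys_properties.

```javascript
// Constructed stand-in for GlideElement: field access on a GlideRecord
// returns an object whose toString() yields the field value, not a string.
function FakeGlideElement(value) { this.value = value; }
FakeGlideElement.prototype.toString = function () { return this.value; };

// Constructed property value (note the space after the first comma).
var DE_PRIVILEGED_ROLES = 'admin, itil_admin,catalog_admin';

// Approach from the question: Array.prototype.indexOf uses strict
// equality, so an element object never equals a string entry.
function isRestrictedIndexOf(propertyValue, roleElement) {
  var restrictedRoles = propertyValue.split(',');
  return restrictedRoles.indexOf(roleElement) !== -1;
}

// Accepted-solution approach: == coerces the element via toString(),
// so an exact-string entry matches, but a padded entry still does not.
function isRestrictedLooseLoop(propertyValue, roleElement) {
  var restrictedRoles = propertyValue.split(',');
  for (var i in restrictedRoles) {
    if (restrictedRoles[i] == roleElement) { return true; }
  }
  return false;
}

// Hardened check: normalise both sides to trimmed strings first, so
// neither the object type nor whitespace in the property can bypass it.
function isRestrictedNormalised(propertyValue, roleElement) {
  var roleName = String(roleElement).trim();
  var restrictedRoles = propertyValue.split(',')
    .map(function (r) { return r.trim(); })
    .filter(function (r) { return r.length > 0; });
  return restrictedRoles.indexOf(roleName) !== -1;
}

// ACL-style decision: deny a restricted role unless the caller holds
// security_admin; unrestricted roles are allowed (answer = true).
function decide(propertyValue, roleElement, callerRoles) {
  if (!isRestrictedNormalised(propertyValue, roleElement)) { return true; }
  return callerRoles.indexOf('security_admin') !== -1;
}
```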
01-21-2025 01:27 PM
Your script seems to have the right idea but is missing some critical pieces to enforce the restriction effectively. Here's an example code of your ACL script to ensure that only users with the security_admin role can assign roles listed in the de_privileged_roles property:
(function executeRule() {
    var rmAPI = new SNC.RoleManagementAPI();
    var restrictedRoles = gs.getProperty('de_privileged_roles', '').split(',');
    var roleGR = new GlideRecord('sys_user_role');
    // Ensure the role being assigned exists
    if (roleGR.get(current.role)) {
        // Check if the role is restricted
        if (restrictedRoles.indexOf(roleGR.name) !== -1) {
            // Check if the user assigning the role has security_admin
            if (!gs.hasRole('security_admin')) {
                gs.addErrorMessage('You are not allowed to modify the restricted role: ' + roleGR.name);
                answer = false;
                return;
            }
        }
    }
    // Check if user is allowed to grant the role using RoleManagementAPI
    if (!rmAPI.isAllowedToGrantRole(current.role)) {
        answer = false;
        return;
    }
    answer = true; // Allow if all checks pass
})();
If my answer has helped with your question, please mark my answer as the accepted solution and give a thumbs up.
Best Regards
Sreeram
01-21-2025 01:29 PM
Below are the changes made:
- Fixed Role Name Retrieval: The roleName variable was undefined. I replaced it with roleGR.name for better clarity.
- Validation of Role Record: Added a check to ensure the role record (current.role) exists before performing further checks.
- Restrict Role Assignment:
- Only restrict roles listed in de_privileged_roles.
- Ensure the restriction applies only to users without the security_admin role.
- RoleManagementAPI Integration:
- The isAllowedToGrantRole check ensures system-level restrictions are enforced in addition to your custom restrictions.
- Error Messaging: Clearer error messaging when a non-security_admin user tries to assign a restricted role.
01-21-2025 08:17 PM
Hi @sreeram_nair ,
I am trying to achieve this in an ACL, hence I updated the create ACL on the sys_user_has_role table. I updated your script accordingly, removing the function wrapper and the return statements, but it's not working.
01-22-2025 06:01 AM
Why not handle this using a before insert BR?
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
Certified Technical Architect || 9x ServiceNow MVP || ServiceNow Community Leader