Assistance Needed with Restricting Role Assignment to security_admin

SM24
Giga Guru

Hi Team,

I have a requirement to restrict certain roles so that only users with the security_admin role can assign them. Other users attempting to assign these roles should receive an error message.

To achieve this, I created a system property named de_privileged_roles and added the roles admin, itil_admin and catalog_admin to it. I then updated the create ACL on the sys_user_has_role table with the following script:

var rmAPI = new SNC.RoleManagementAPI();
var restrictedRoles = gs.getProperty('de_privileged_roles', '').split(',');
var roleGR = new GlideRecord('sys_user_role');
roleGR.get(current.role);
if (!rmAPI.isAllowedToGrantRole(current.role)) {
    answer = false;
} else {
    if (restrictedRoles.indexOf(roleGR.name) !== -1) {
        if (!gs.hasRole('security_admin')) {
            gs.addErrorMessage('You are not allowed to modify the restricted role: ' + roleName);
            answer = false;
        } else {
            answer = true;
        }
    } else {
        answer = true;
    }
}

This script is not working as intended. Non-security_admin users are still able to assign roles listed in de_privileged_roles.

 

Could you please review the script and advise on resolving this issue? @Ankur Bawiskar 

Thanks in advance!


Best regards,

SM

1 ACCEPTED SOLUTION

SM24
Giga Guru

I was able to make it work by updating the script as below:

var rmAPI = new SNC.RoleManagementAPI();
// Comma-separated role names from the de_privileged_roles system property
var restrictedRoles = gs.getProperty('de_privileged_roles', '').split(',');
var isRole = 0;
var roleGR = new GlideRecord('sys_user_role');
roleGR.get(current.role);
if (!rmAPI.isAllowedToGrantRole(current.role)) {
    // Platform-level check: the current user may not grant this role at all
    answer = false;
} else {
    // roleGR.name is a GlideElement, not a JavaScript string, so compare
    // with == (which coerces to string) rather than Array.indexOf
    for (var i in restrictedRoles) {
        if (restrictedRoles[i] == roleGR.name) {
            isRole = 1;
            break;
        }
    }
    if (isRole == 1) {
        // Restricted role: only security_admin may assign it
        if (!gs.hasRole('security_admin')) {
            gs.addErrorMessage('You are not allowed to modify the restricted role: ' + roleGR.name);
            answer = false;
        } else {
            answer = true;
        }
    } else {
        // Not a restricted role: allow
        answer = true;
    }
}

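Added example, not code from the thread: the decision logic of the accepted ACL script isolated from the platform so it runs in Node. ServiceNow objects are replaced by constructed stand-ins (a FakeGlideElement, plain booleans standing in for isAllowedToGrantRole and hasRole), and the property format is assumed to be a comma-separated list. It also reproduces why the original indexOf check never matched: roleGR.name is a GlideElement object, and Array.indexOf compares with strict equality.

```javascript
// Added example (not from the thread). gs, GlideRecord and
// SNC.RoleManagementAPI do not exist here; inputs are constructed stand-ins.

// Mimics a GlideElement: an object whose string value is the field value.
// Array.prototype.indexOf uses strict equality, so a list of plain strings
// never "contains" such an object; == coerces it via toString() and matches.
function FakeGlideElement(value) { this.value = value; }
FakeGlideElement.prototype.toString = function () { return this.value; };

// Parse the de_privileged_roles property: split on commas, trim whitespace,
// drop empty entries so 'admin, itil_admin,' still works as intended.
function parseRestrictedRoles(propertyValue) {
  return String(propertyValue || '')
    .split(',')
    .map(function (r) { return r.trim(); })
    .filter(function (r) { return r.length > 0; });
}

// Core decision, mirroring how the ACL sets `answer` and calls
// gs.addErrorMessage(). Returns { answer, message }.
//   roleName         - the role record's name (string or GlideElement-like)
//   apiAllowsGrant   - stand-in for rmAPI.isAllowedToGrantRole(current.role)
//   hasSecurityAdmin - stand-in for gs.hasRole('security_admin')
function evaluateRoleGrant(propertyValue, roleName, apiAllowsGrant, hasSecurityAdmin) {
  if (!apiAllowsGrant) {
    return { answer: false, message: '' }; // platform check fails first
  }
  var name = String(roleName); // coerce GlideElement to a comparable string
  var restricted = parseRestrictedRoles(propertyValue).indexOf(name) !== -1;
  if (restricted && !hasSecurityAdmin) {
    return { answer: false,
             message: 'You are not allowed to modify the restricted role: ' + name };
  }
  return { answer: true, message: '' };
}

// The failure mode side by side: strict indexOf vs loose == on the element.
function indexOfFindsElement(list, element) {
  return list.indexOf(element) !== -1;
}
function looseEqualsFindsElement(list, element) {
  for (var i = 0; i < list.length; i++) {
    if (list[i] == element) { return true; } // intentional loose equality
  }
  return false;
}
```

The same decision function applies whether the check is hosted in the create ACL or elsewhere; only the stand-in inputs change.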

6 REPLIES

sreeram_nair
Tera Guru

Your script seems to have the right idea but is missing some critical pieces to enforce the restriction effectively. Here's an example version of your ACL script to ensure that only users with the security_admin role can assign roles listed in the de_privileged_roles property:

(function executeRule() {
    var rmAPI = new SNC.RoleManagementAPI();
    var restrictedRoles = gs.getProperty('de_privileged_roles', '').split(',');
    var roleGR = new GlideRecord('sys_user_role');
    
    // Ensure the role being assigned exists
    if (roleGR.get(current.role)) {
        // Check if the role is restricted
        if (restrictedRoles.indexOf(roleGR.name) !== -1) {
            // Check if the user assigning the role has security_admin
            if (!gs.hasRole('security_admin')) {
                gs.addErrorMessage('You are not allowed to modify the restricted role: ' + roleGR.name);
                answer = false;
                return;
            }
        }
    }
    
    // Check if user is allowed to grant the role using RoleManagementAPI
    if (!rmAPI.isAllowedToGrantRole(current.role)) {
        answer = false;
        return;
    }
    
    answer = true; // Allow if all checks pass
})();

If my answer has helped with your question, please mark my answer as the accepted solution and give a thumbs up.

Best regards,
Sreeram

Below are the changes made:

 

  • Fixed Role Name Retrieval: The roleName variable was undefined. I replaced it with roleGR.name for better clarity.
  • Validation of Role Record: Added a check to ensure the role record (current.role) exists before performing further checks.
  • Restrict Role Assignment:
    • Only restrict roles listed in de_privileged_roles.
    • Ensure the restriction applies only to users without the security_admin role.
  • RoleManagementAPI Integration:
    • The isAllowedToGrantRole check ensures system-level restrictions are enforced in addition to your custom restrictions.
  • Error Messaging: Clearer error messaging when a non-security_admin user tries to assign a restricted role.


Hi @sreeram_nair ,

I am trying to achieve this in an ACL, hence I updated the create ACL on the sys_user_has_role table. I updated your script accordingly (removed the function and the return), but it is not working.

Ankur Bawiskar
Tera Patron

@SM24 

Why not handle this using a before insert BR?

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader