Assistance Needed with Restricting Role Assignment to security_admin

Go to solution
SM24
Giga Guru

ā€Ž01-21-2025 11:11 AM - edited ā€Ž01-22-2025 05:50 AM

Hi Team,

I have a requirement to restrict certain roles so that only users with the security_admin role can assign them. Other users attempting to assign these roles should receive an error message.

To achieve this, I created a system property named de_priviliged_roles and added the roles admin, itil_admin and catalog_admin to it. I then updated the create ACL on the sys_user_has_role table with the following script:

 

var rmAPI = new SNC.RoleManagementAPI();
var restrictedRoles = gs.getProperty('de_privileged_roles', '').split(',');
var roleGR = new GlideRecord('sys_user_role');
roleGR.get(current.role);
if (!rmAPI.isAllowedToGrantRole(current.role)) {
    answer = false;
} else {
    if (restrictedRoles.indexOf(roleGR.name) !== -1) {
        if (!gs.hasRole('security_admin')) {
            gs.addErrorMessage('You are not allowed to modify the restricted role: ' + roleName);
            answer = false;
        } else {
            answer = true;
        }
    } else {
        answer = true;
    }
}

 

This script is not working as intended. Non-security_admin users are still able to assign roles listed in de_privilaged_role .

 

Could you please review the script and advise on resolving this issue? @Ankur Bawiskar 

Thank in advance!

 

Best regards,

SM

0 Helpfuls
  • 1,112 Views
1 ACCEPTED SOLUTION

Go to solution
SM24
Giga Guru

ā€Ž01-22-2025 11:55 AM

I was able to make it work by updating the script as below 

var rmAPI = new SNC.RoleManagementAPI();
var restrictedRoles = gs.getProperty('de_privileged_roles', '').split(',');
var isRole = 0;
var roleGR = new GlideRecord('sys_user_role');
roleGR.get(current.role);
if (!rmAPI.isAllowedToGrantRole(current.role)) {
    answer = false;
} else {
    for (var i in restrictedRoles) {
        if (restrictedRoles[i] == roleGR.name) {
            isRole = 1;
            break;
        }
    }
    if (isRole == 1) {
        if (!gs.hasRole('security_admin')) {
            gs.addErrorMessage('You are not allowed to modify the restricted role: ' + roleGR.name);
            answer = false;
        } else {
            answer = true;
        }
    } else {

        answer = true;
    }
}

View solution in original post

0 Helpfuls
6 REPLIES 6

Go to solution
SM24
Giga Guru
In response to Ankur Bawiskar

ā€Ž01-22-2025 06:12 AM

Hi Ankur, Due to security constraints we opted for ACL . BR is editable to admin users hence we are using ACL.

0 Helpfuls

Go to solution
SM24
Giga Guru

ā€Ž01-22-2025 11:55 AM

I was able to make it work by updating the script as below 

var rmAPI = new SNC.RoleManagementAPI();
var restrictedRoles = gs.getProperty('de_privileged_roles', '').split(',');
var isRole = 0;
var roleGR = new GlideRecord('sys_user_role');
roleGR.get(current.role);
if (!rmAPI.isAllowedToGrantRole(current.role)) {
    answer = false;
} else {
    for (var i in restrictedRoles) {
        if (restrictedRoles[i] == roleGR.name) {
            isRole = 1;
            break;
        }
    }
    if (isRole == 1) {
        if (!gs.hasRole('security_admin')) {
            gs.addErrorMessage('You are not allowed to modify the restricted role: ' + roleGR.name);
            answer = false;
        } else {
            answer = true;
        }
    } else {

        answer = true;
    }
}
0 Helpfuls