
Assistance Needed with Restricting Role Assignment to security_admin

SM24
Giga Guru

Hi Team,

I have a requirement to restrict certain roles so that only users with the security_admin role can assign them. Other users attempting to assign these roles should receive an error message.

To achieve this, I created a system property named de_priviliged_roles and added the roles admin, itil_admin and catalog_admin to it. I then updated the create ACL on the sys_user_has_role table with the following script:


// Create ACL script on sys_user_has_role: allow the insert only when the
// grantor may assign the role and, for restricted roles, holds security_admin
var rmAPI = new SNC.RoleManagementAPI();
// Comma-separated list of restricted role names from the system property
var restrictedRoles = gs.getProperty('de_privileged_roles', '').split(',');
var roleGR = new GlideRecord('sys_user_role');
roleGR.get(current.role);
if (!rmAPI.isAllowedToGrantRole(current.role)) {
    answer = false;
} else {
    // roleGR.name is a GlideElement object, not a JS string, so Array.indexOf's
    // strict comparison never matches and restricted roles slip through
    if (restrictedRoles.indexOf(roleGR.name) !== -1) {
        if (!gs.hasRole('security_admin')) {
            gs.addErrorMessage('You are not allowed to modify the restricted role: ' + roleGR.name);
            answer = false;
        } else {
            answer = true;
        }
    } else {
        answer = true;
    }
}


This script is not working as intended. Non-security_admin users are still able to assign roles listed in de_privilaged_role.


Could you please review the script and advise on resolving this issue? @Ankur Bawiskar 

Thanks in advance!


Best regards,

SM

1 ACCEPTED SOLUTION

SM24
Giga Guru

I was able to make it work by updating the script as below:

// Create ACL script on sys_user_has_role (working version)
var rmAPI = new SNC.RoleManagementAPI();
// Comma-separated list of restricted role names from the system property
var restrictedRoles = gs.getProperty('de_privileged_roles', '').split(',');
var isRole = 0;
var roleGR = new GlideRecord('sys_user_role');
roleGR.get(current.role);
if (!rmAPI.isAllowedToGrantRole(current.role)) {
    answer = false;
} else {
    // Loose comparison (==) coerces the GlideElement to a string, which is why
    // this loop matches where Array.indexOf did not; trim() tolerates spaces
    // after the commas in the property value
    for (var i = 0; i < restrictedRoles.length; i++) {
        if (restrictedRoles[i].trim() == roleGR.name) {
            isRole = 1;
            break;
        }
    }
    if (isRole == 1) {
        // Restricted role: only security_admin may grant it
        if (!gs.hasRole('security_admin')) {
            gs.addErrorMessage('You are not allowed to modify the restricted role: ' + roleGR.name);
            answer = false;
        } else {
            answer = true;
        }
    } else {
        answer = true;
    }
}

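The difference between the two scripts above comes down to how the role name is compared. The following is an added example, not code from the thread or from ServiceNow: it models roleGR.name with a constructed GlideElement-like object (FakeElement, an assumption) so the lookup logic can be run and tested in plain Node.js, and it wraps the ACL decision in a pure function that coerces the value to a string before any comparison.

```javascript
// Stand-in for a GlideElement: an object whose string form is the field value.
// Constructed for this example; a real GlideElement has many more methods.
function FakeElement(value) { this.value = value; }
FakeElement.prototype.toString = function () { return this.value; };

// Parse the comma-separated property, trimming whitespace and dropping empties.
function parseRestrictedRoles(propertyValue) {
  return String(propertyValue || '').split(',')
    .map(function (r) { return r.trim(); })
    .filter(function (r) { return r.length > 0; });
}

// The pitfall: Array.indexOf uses strict equality, so an object is never
// equal to the string 'admin' even though it prints as 'admin'.
function indexOfFindsElement(roles, element) {
  return roles.indexOf(element) !== -1;
}

// The workaround from the accepted answer: == coerces the object via toString.
function looseCompareFindsElement(roles, element) {
  for (var i = 0; i < roles.length; i++) {
    if (roles[i] == element) { return true; }
  }
  return false;
}

// Robust form: convert to a primitive string first, then strict lookup works.
function isRestricted(roleName, restrictedRoles) {
  return restrictedRoles.indexOf(String(roleName)) !== -1;
}

// The ACL decision as a pure function: {allowed, message}.
function evaluateRoleGrant(roleName, restrictedRoles, userIsSecurityAdmin) {
  if (!isRestricted(roleName, restrictedRoles)) { return { allowed: true, message: '' }; }
  if (userIsSecurityAdmin) { return { allowed: true, message: '' }; }
  return { allowed: false,
           message: 'You are not allowed to modify the restricted role: ' + String(roleName) };
}

// Constructed sample input: property value with stray spaces, role 'admin'.
var roles = parseRestrictedRoles('admin, itil_admin ,catalog_admin');
var el = new FakeElement('admin');
console.log(indexOfFindsElement(roles, el));       // false
console.log(looseCompareFindsElement(roles, el));  // true
console.log(evaluateRoleGrant(el, roles, false));  // { allowed: false, message: ... }
```

In the real ACL, `roleGR.getValue('name')` (or `String(roleGR.name)`) gives the same effect as the String() coercion used here.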

6 REPLIES

Hi Ankur, due to security constraints we opted for an ACL. A BR is editable by admin users, hence we are using an ACL.
