01-21-2025 11:11 AM - edited 01-22-2025 05:50 AM
Hi Team,
I have a requirement to restrict certain roles so that only users with the security_admin role can assign them. Other users attempting to assign these roles should receive an error message.
To achieve this, I created a system property named de_privileged_roles and added the roles admin, itil_admin and catalog_admin to it. I then updated the create ACL on the sys_user_has_role table with the following script:
var rmAPI = new SNC.RoleManagementAPI();
// Comma-separated list of restricted role names, read from the system property
var restrictedRoles = gs.getProperty('de_privileged_roles', '').split(',');
var roleGR = new GlideRecord('sys_user_role');
roleGR.get(current.role);
if (!rmAPI.isAllowedToGrantRole(current.role)) {
    answer = false;
} else {
    // roleGR.name is a GlideElement object, not a JavaScript string, so indexOf
    // (strict equality) never matches a string from split(','); this branch is
    // skipped and the role is granted, which is the behaviour reported below
    if (restrictedRoles.indexOf(roleGR.name) !== -1) {
        if (!gs.hasRole('security_admin')) {
            gs.addErrorMessage('You are not allowed to modify the restricted role: ' + roleGR.name);
            answer = false;
        } else {
            answer = true;
        }
    } else {
        answer = true;
    }
}
This script is not working as intended. Non-security_admin users are still able to assign roles listed in de_privileged_roles.
Could you please review the script and advise on resolving this issue? @Ankur Bawiskar
Thanks in advance!
Best regards,
SM
01-22-2025 11:55 AM
I was able to make it work by updating the script as below:
var rmAPI = new SNC.RoleManagementAPI();
// Comma-separated list of restricted role names, read from the system property
var restrictedRoles = gs.getProperty('de_privileged_roles', '').split(',');
var isRole = 0;
var roleGR = new GlideRecord('sys_user_role');
roleGR.get(current.role);
if (!rmAPI.isAllowedToGrantRole(current.role)) {
    answer = false;
} else {
    // Loose equality (==) coerces the GlideElement roleGR.name to a string,
    // so the comparison now matches where indexOf did not
    for (var i in restrictedRoles) {
        if (restrictedRoles[i] == roleGR.name) {
            isRole = 1;
            break;
        }
    }
    if (isRole == 1) {
        // Restricted role: only security_admin may grant it
        if (!gs.hasRole('security_admin')) {
            gs.addErrorMessage('You are not allowed to modify the restricted role: ' + roleGR.name);
            answer = false;
        } else {
            answer = true;
        }
    } else {
        answer = true;
    }
}
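The reason the loop with == works where indexOf did not is that a GlideRecord field value (roleGR.name) is a GlideElement object rather than a JavaScript string, and Array.indexOf compares with strict equality. The following is an added example, not code from the thread or from ServiceNow: it reproduces the mismatch with a constructed stand-in for GlideElement, then shows the same ACL decision written as a pure function that coerces the field to a string and trims the property list, so it can be tested outside an instance. FakeGlideElement, parseRestrictedRoles, isRestrictedRole and decideAccess are names introduced here.

```javascript
// Constructed stand-in for a ServiceNow GlideElement: an object whose
// toString() yields the field value, which is what == coerces through.
function FakeGlideElement(value) {
  this.value = value;
}
FakeGlideElement.prototype.toString = function () {
  return this.value;
};

// Mirrors the original ACL script's check: strict comparison (===) of the
// string entries against the GlideElement object never matches.
function matchesWithIndexOf(restrictedRoles, roleElement) {
  return restrictedRoles.indexOf(roleElement) !== -1;
}

// Parse the system property once, trimming whitespace and dropping empty
// entries, so "admin, itil_admin ,catalog_admin," is handled correctly.
function parseRestrictedRoles(propertyValue) {
  return String(propertyValue || '')
    .split(',')
    .map(function (r) { return r.trim(); })
    .filter(function (r) { return r.length > 0; });
}

// Hardened check: coerce the field value to a plain string before comparing.
// In an ACL script the equivalent is roleGR.getValue('name').
function isRestrictedRole(restrictedRoles, roleElement) {
  var roleName = String(roleElement);
  return restrictedRoles.indexOf(roleName) !== -1;
}

// The ACL decision as a pure function: the grant is allowed only if the
// platform allows it AND (the role is not restricted OR the caller holds
// security_admin). In the ACL script, answer = decideAccess(...).answer and
// the error string goes to gs.addErrorMessage().
function decideAccess(opts) {
  if (!opts.platformAllowsGrant) {
    return { answer: false, error: null };
  }
  if (isRestrictedRole(opts.restrictedRoles, opts.roleElement) && !opts.hasSecurityAdmin) {
    return {
      answer: false,
      error: 'You are not allowed to modify the restricted role: ' + String(opts.roleElement)
    };
  }
  return { answer: true, error: null };
}

// Demonstration on constructed input (the property value from the thread,
// with stray whitespace and a trailing comma added to show the trimming).
var restricted = parseRestrictedRoles('admin, itil_admin ,catalog_admin,');
var adminRole = new FakeGlideElement('admin');
console.log('indexOf on GlideElement matches:', matchesWithIndexOf(restricted, adminRole)); // false
console.log('coerced check matches:', isRestrictedRole(restricted, adminRole));              // true
console.log(decideAccess({
  platformAllowsGrant: true,
  restrictedRoles: restricted,
  roleElement: adminRole,
  hasSecurityAdmin: false
}));
```

Coercing with String() or getValue() keeps the strict-equality check and avoids relying on == coercion, and trimming the property list means an accidental space after a comma in de_privileged_roles does not silently un-restrict a role.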
01-22-2025 06:12 AM
Hi Ankur, due to security constraints we opted for an ACL. A BR is editable by admin users, hence we are using an ACL.