Before Query Business rule - Need help with Script portion please
11-13-2024 09:32 AM
I have a before Query business rule that I'm using to hide records from everyone unless they have a certain role of sec_research. For security reasons we only want people with this role to see certain record items.
I have the following script:
    (function executeRule(current, previous /*null when async*/) {
        // Add your code here
        if (!gs.getUser().hasRole('sec_research')) {
            current.addEncodedQuery('short_description!=Email Request Access');
        }
    })(current, previous);
Currently, if they are in the sec_research group they can see the records. That works. However, when I look at someone with admin, they also see the records. How can I make this so it will not allow admins to see those records as well?
If someone could please lend some assistance that would be great.
Requirements on the business rule are as follows:
1. Create a business rule on the sc_task table
2. Set advanced on
3. Select Query and When to Before
4. Go to action tab to set script
I'm not sure whether I need anything in the condition or not.
Thanks in advance
11-13-2024 09:38 AM
The hasRole method will always return true for admins, even if they don't specifically have that role. Try hasRoleExactly, or adding to the if condition || gs.getUser().hasRole('admin'). An alternative approach is to use a Read ACL.
11-13-2024 10:16 AM
Brad, do you know how to do one of the ACLs for Read? We have tried this approach on the sc_task table with no such luck. We are not on Xanadu, so we don't have the deny ability on decision type for ACLs. We are on Washington DC, so it's just a straight ACL.
11-13-2024 10:24 AM
This is an allow model, so you would uncheck the Admin overrides box, the Name is sc_task -- None --, add the Role to the Requires role section, and the Data Condition Short description is Email Request Access.
11-13-2024 09:51 AM
Hi @Community Alums ,
Yes, this is expected, as he is Admin. It is like the difference between hasRole() and hasRoleExactly() from the client script.
Since there is no server-side way of using hasRoleExactly(), you can make a custom check on it with the following script.
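    (function executeRule(current, previous /*null when async*/) {
        var arrayUtil = new ArrayUtil();
        // Roles assigned to the logged-in user, as a comma-separated string
        var userRoles = gs.getSession().getRoles() + '';
        var roleArray = userRoles.split(",");
        // Exact match on the role name, so holding admin alone does not count
        var isRolePresent = arrayUtil.contains(roleArray, 'sec_research');
        // Hide the restricted tasks from everyone who lacks the role
        // (the posted condition was inverted and filtered role holders instead)
        if (!isRolePresent) {
            current.addEncodedQuery('short_description!=Email Request Access');
        }
    })(current, previous);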
Credits: https://www.servicenow.com/community/itsm-forum/server-equivalent-of-hasroleexactly/td-p/424409
If the above information helps you, kindly mark it as Helpful and Accept the solution.
Regards,
Najmuddin.
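
The difference between the two checks discussed in this thread can be exercised outside an instance. The following is an added example, not code from any of the posters or from ServiceNow: `makeGs` and `makeCurrent` are constructed test doubles that stand in for `gs` and `current`, and the assumption (taken from the replies above) is that `hasRole()` returns true for any admin while `gs.getSession().getRoles()` lists only the roles the user actually holds.

```javascript
// Test double for the ServiceNow `gs` object (constructed; not the platform's code).
// hasRole() models the admin override described in the thread.
function makeGs(roles) {
    return {
        getUser: function () {
            return {
                hasRole: function (role) {
                    return roles.indexOf('admin') !== -1 || roles.indexOf(role) !== -1;
                }
            };
        },
        getSession: function () {
            return { getRoles: function () { return roles.join(','); } };
        }
    };
}

// Test double for the GlideRecord passed to a query rule: records added filters.
function makeCurrent() {
    var filters = [];
    return {
        filters: filters,
        addEncodedQuery: function (q) { filters.push(q); }
    };
}

var HIDE_QUERY = 'short_description!=Email Request Access';

// Rule from the question: admins pass hasRole(), so no filter is added for them.
function ruleWithHasRole(gs, current) {
    if (!gs.getUser().hasRole('sec_research')) {
        current.addEncodedQuery(HIDE_QUERY);
    }
}

// Exact check: filter everyone whose own role list lacks sec_research.
function ruleWithExactRole(gs, current) {
    var roles = String(gs.getSession().getRoles()).split(',').map(function (r) {
        return r.trim();
    });
    if (roles.indexOf('sec_research') === -1) {
        current.addEncodedQuery(HIDE_QUERY);
    }
}

// Returns true when the rule hides the restricted tasks from a user with `roles`.
function isHidden(rule, roles) {
    var current = makeCurrent();
    rule(makeGs(roles), current);
    return current.filters.length === 1 && current.filters[0] === HIDE_QUERY;
}
```

In an instance, only the body of `ruleWithExactRole` belongs in the business rule; the test doubles exist solely so the comparison runs offline.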