Block Non-ITIL access to UI page- Fails after login (New Tab Issue)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
Dear ServiceNow Community,
Non-ITIL/end users can access a specific UI page after logging in and opening it in a new tab, despite script includes checking roles on server/client sides. It works correctly during initial login but fails post-login.
Current Setup & Issue:
Script Include: Checks gs.hasRole('itil') on server; returns false for non-ITIL.
Client Script: Uses g_user.hasRole('itil') to hide elements/redirect.
Problem: Blocks fine on initial login, but logged-in non-ITIL users bypass via new tab/navigation.
Questions:
How to enforce ITIL-only access across sessions/tabs in Zurich?
ACL on sys_ui_page record? UI Condition? Session-based User Criteria?
Client script fix for g_user context in new tabs?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
A ui_page ACL is the correct way to manage UI page access. From a UX perspective, I understand why a redirect may sometimes be appropriate, but the client browser can block the redirection.
hasRole returns true for any role if the user has admin (there may be other nuances, but I can't think of any). For strict role checks, use something like GlideUser.getRoles().indexOf('role') !== -1
You'll need to show your code if you want us to figure out exactly what's happening.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
If Acls works perfect even access denied page works for me.
Can you please share me the procedure to restrict access to nav page for non-itil users.
Initial login works fine they are redirecting to sp page even though they login with nav page URL.
But then after they open new tab and paste the nav page URL its accessible for them but it should be restricted.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
If by "nav page" you mean the non-SP fulfiller view, then you can set up redirection as linked below. My last company also used a UI script to catch any fringe-case scenarios, but global UI scripts are high-impact and should not be considered a security measure.
https://www.servicenow.com/community/servicenow-ai-platform-blog/6-ways-to-set-up-your-service-porta...
