
02-27-2017 02:29 PM
If I have a business rule that is triggered by an end-user with no roles, can the rule update records that the user doesn't have access to? If not, can the rule call a script include that can see those records, or does the script include have the same restrictions? Or, can I change the user that the business rule is running as?
I have a complex (to me) situation that I'm having trouble resolving...
Thanks!
Karla

02-28-2017 09:51 AM
None that I'm aware of. Again, this is treading on licensing implications. You may want to reach out to your account rep to double check your requirement doesn't get you in a potentially expensive situation. Make sure the person/parties making this requirement understand the risks/costs.
If that doesn't work out for you, then have a backup plan - email notifications.

02-27-2017 02:33 PM
Hello Karla,
Yes, the script will work unless you use GlideRecordSecure to update those records. GlideRecordSecure will enforce ACLs.
GlideRecordSecure is a class inherited from GlideRecord that performs the same functions as GlideRecord, and also enforces ACLs. Like GlideRecord, GlideRecordSecure is an object that contains zero or more records from one table. Another way to say this is that GlideRecordSecure is an ordered list that is used for database operations instead of writing SQL queries.
GlideRecordSecure: http://wiki.servicenow.com/index.php?title=GlideRecordSecure#gsc.tab=0
P.S.: Any client-callable script include might be restricted if there are any custom ACLs created against it with specified roles. So please check for the same once.
Please let me know if you have any questions.

02-27-2017 02:36 PM
Hi Karla,
Any script that uses a GlideRecord operation has access to all the records - in effect, ACLs are bypassed. It doesn't matter if this is triggered from a business rule or script include called from a BR. If you wish to enforce security as the currently logged in user, we offer GlideRecordSecure which has the same methods and enforces security.
I should also point out that this does not take into account scoped apps runtime protection. Regardless of what GlideRecord can do, it cannot get past the application's table access. This is one very strong advantage of scoped apps - you can protect your app data from another app. This is not possible with global apps.
GlideRecordSecure - ServiceNow Wiki
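
The difference described in the answers above, as an added example that is not part of the original thread and is not ServiceNow code: the same update logic is run once against a record class that bypasses ACLs and once against one that enforces them. `makeRecordClass`, `addParentNote`, `ROWS` and the `userCanAccess` flag are hypothetical stand-ins constructed so the block runs offline; it assumes the ACL-enforcing class does not return rows the user cannot read.

```javascript
// Constructed data: one incident the caller may access, one it may not.
var ROWS = {
  child01:  { company: 'acme',  work_notes: '', userCanAccess: true },
  parent01: { company: 'other', work_notes: '', userCanAccess: false }
};

// Offline stand-in for the two record classes (constructed, not ServiceNow code).
// enforceAcl=false models GlideRecord as described in the thread (ACLs bypassed);
// enforceAcl=true models GlideRecordSecure (assumed: unreadable rows are not returned).
function makeRecordClass(enforceAcl) {
  function Rec(table) { this.table = table; this.row = null; this.pending = {}; }
  Rec.prototype.get = function (sysId) {
    var row = ROWS[sysId];
    if (!row || (enforceAcl && !row.userCanAccess)) return false;
    this.row = row;
    return true;
  };
  Rec.prototype.setValue = function (field, value) { this.pending[field] = value; };
  Rec.prototype.update = function () {
    if (!this.row) return null;
    Object.assign(this.row, this.pending);
    return 'updated';
  };
  return Rec;
}

// Business-rule style logic (hypothetical helper): same code, different class.
function addParentNote(RecordClass, parentSysId, note) {
  var parent = new RecordClass('incident');
  if (!parentSysId || !parent.get(parentSysId)) return 'not_found';
  parent.setValue('work_notes', note); // change one field only
  return parent.update() ? 'updated' : 'failed';
}

var Plain = makeRecordClass(false);
var Secure = makeRecordClass(true);
console.log('secure:', addParentNote(Secure, 'parent01', 'note from child'));
console.log('plain: ', addParentNote(Plain, 'parent01', 'note from child'));
```

On an instance, the same function would be called with the platform's GlideRecord or GlideRecordSecure in place of the stand-ins, which makes the choice of class the point where a roleless user's trigger either is or is not allowed to reach the other company's record.
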
02-27-2017 02:37 PM
Any user can trigger business rules on a table if they have access to that table. Additionally, the business rules triggered could call script includes that go and update other tables, tables that the user doesn't necessarily have access to.
Can you further explain your situation, as this might shed more light on the answer?
Thanks

02-27-2017 03:17 PM
I'm trying to update an incident that is related to the customer incident as its parent, but the parent is associated to another company. But when I try to get the parent incident in the script, so that I can use a GlideRecord query to update it, the variable gets no value. I confirmed that the user has read access to the parent_incident field but I think the issue is because the field is referencing an incident that they can't read...?