
07-23-2014 07:42 PM
I created a table with a reference field to the sys_user table. When I'm in the form and click on that field's magnifying glass I can see all the users if I'm logged in as an admin, but when I impersonate a normal user I can't see any records.
I searched for and read about ACLs but I don't see one on the sys_user table that would prevent users from seeing those records.
I would appreciate someone pointing me in the right direction.
Thanks,
Rick Forristall
Programmer Analyst
Goodwill of Central Arizona
07-23-2014 07:49 PM
Hello Rick,
This is because as an Admin you have read access on the records in the sys_user table and are thus able to see the records, but End Users do not have Read access to the table and thus are not able to see the records.
You will have to provide Read access to all your Users on the User table at the record level to make this possible.
Create an ACL with the following:
Operation IS Read
Table is User(sys_user) and corresponding Dropdown field on the side will be empty (Ensuring Table Level access).
Thanks,
Subhajit
Please mark my answer as Correct if this really helped solve your issue.
07-24-2014 06:01 AM
Subhajit,
Thank you for your quick reply. I checked and there is already an ACL for the User[sys_user] table with the following fields:
Type: record
Operation: read
Name: User [sys_user] :: -- None --
Active [x]
Admin overrides [x]
Condition: nothing selected
Script: empty
Requires role: user
Yet when I impersonate a sys_user and click the magnifying glass to see a list of users a new window opens/overlays with this text warning: "Number of rows removed from this list by Security constraints: 20"
In that window the URL is this:
07-24-2014 06:35 AM
Subhajit Das and Slava I believe I found the problem in a separate ACL that has a description of:
"Users can read their own user records and users with a role can read other user records"
And has this script:
    if (gs.getUserID() == current.sys_id || gs.getUser().hasRoles())
        answer = true;
    else
        answer = false;
When I change the "else" answer to "answer=true" the impersonated user can see all the users.
I'll start here to figure out a solution - probably try to add a caveat to allow viewing all users if the user is currently in the new form/application.

07-24-2014 08:46 AM
Subhajit Das and Slava I think I fixed it. I updated the ACL that was restricting access to the users if the logged-in user did not have any roles. I didn't add roles to those who needed access because we pull our user data from our active directory accounts so the user data is constantly changing. What I needed was to allow anyone who was a manager to access the users. So here's how I rewrote the script in the ACL. Thank you for your help!
    if (gs.getUserID() == current.sys_id || gs.getUser().hasRoles()) {
        answer = true;
    } else {
        // if the logged-in user is a manager - let them see all user records for the job requisition form's "Who will be replaced?" field
        // getValue() returns null when the title field is empty, so fall back to '' before calling toLowerCase()
        var my_title = gs.getUser().getRecord().getValue('title') || '';
        // cheat sheet for GlideSystem User Object -- where I got the information on how to get the title in the above line of code
        // http://www.servicenowguru.com/scripting/user-object-cheat-sheet/
        var is_mgr = my_title.toLowerCase().indexOf('manager');
        if (is_mgr >= 0) {
            answer = true;
        } else {
            answer = false;
        }
    }
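
The decision logic of the ACL script above, as an added example that is not part of the thread and not ServiceNow's own code: it is lifted into a plain function so it can be run in Node against constructed users, including one with an empty title. `makeGs`, `canReadUser`, `visibleTo` and the sample users are hypothetical; only the GlideSystem method names come from the post.

```javascript
// Added example: the ACL script's decision as a plain function, runnable in Node.
// makeGs() is a hypothetical stub that mimics only the GlideSystem calls used in
// the thread (getUserID, getUser().hasRoles(), getUser().getRecord().getValue()).
function makeGs(user) {
    return {
        getUserID: function () { return user.sys_id; },
        getUser: function () {
            return {
                hasRoles: function () { return user.roles.length > 0; },
                getRecord: function () {
                    return {
                        getValue: function (field) {
                            var v = user[field];
                            // GlideRecord getValue() returns null for an empty field
                            return v === undefined || v === '' ? null : v;
                        }
                    };
                }
            };
        }
    };
}

// Same branches as the script in the post; `|| ''` guards a null title.
function canReadUser(gs, current) {
    if (gs.getUserID() == current.sys_id || gs.getUser().hasRoles()) {
        return true;
    }
    var title = gs.getUser().getRecord().getValue('title') || '';
    return title.toLowerCase().indexOf('manager') >= 0;
}

// Constructed sample users (not real data).
var USERS = {
    admin:    { sys_id: 'u1', roles: ['admin'], title: 'Programmer Analyst' },
    storeMgr: { sys_id: 'u2', roles: [], title: 'Store Manager' },
    clerk:    { sys_id: 'u3', roles: [], title: 'Sales Clerk' },
    noTitle:  { sys_id: 'u4', roles: [], title: '' }
};

// Returns the names of the USERS rows that `viewerName` may read.
function visibleTo(viewerName) {
    var gs = makeGs(USERS[viewerName]);
    return Object.keys(USERS).filter(function (name) {
        return canReadUser(gs, { sys_id: USERS[name].sys_id });
    });
}

console.log(visibleTo('clerk'));    // own record only
console.log(visibleTo('storeMgr')); // every record
```

Any title containing the string "manager" passes the check, so the outcome depends on how titles are maintained in the directory the user data is pulled from.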