
canRead() is returning an erroneous value

snoozer
Mega Guru

I'm trying to check read permissions of a user on a field in the Incident table. The code I'm using is:

gs.getSession().impersonate(userSysID);
var value = recordGR.getElement('business_service').canRead();   // recordGR is a GlideRecord on the Incident table

I am expecting 'value' to be false, as this user does not have the ability to read the business_service field. However, the code is returning true.

However, I added the field to the Incident form, and when I impersonate the user and go to the form, I cannot see the field! Why do I get a conflicting value when I execute the code?

7 REPLIES

Hi @snoozer

Could you try the script below once and let me know:

gs.getSession().impersonate('0016f4f8d474de90206f3637ed37d5aa');
var recordGR = new GlideRecord('incident');
if (recordGR.get('bee42676b9df4a14c29839f22ecb7e94')) {
    var fieldElement = recordGR.getElement('business_service');

    // Check if the user can read the field
    var canReadField = fieldElement.canRead();
    gs.info('Can read field: ' + canReadField);
    
    // Check if the field value is null
    // getValue() returns null (not '') for an empty field, so use nil() instead
    var isValueNil = fieldElement.nil();
    gs.info('Field value is nil: ' + isValueNil);
}

Bert_c1
Kilo Patron

@snoozer 

 

In my instance, the following script logic:

 

// Abel tuter: 62826bf03710200044e0bfc8bcbe5df1
// Beth anglin: 46d44a23a9fe19810012d100cca80666
// admin: 6816f79cc0a8016401c5a33be04be441
gs.getSession().impersonate('62826bf03710200044e0bfc8bcbe5df1');
var recordGR = new GlideRecord('incident');
recordGR.get('57af7aec73d423002728660c4cf6a71c');	// INC0009009
var value = recordGR.getElement('business_service').canRead();
gs.info(value);
// go back to admin
gs.getSession().impersonate('6816f79cc0a8016401c5a33be04be441');

// now try Beth
gs.getSession().impersonate('46d44a23a9fe19810012d100cca80666');
var recordGR = new GlideRecord('incident');
recordGR.get('57af7aec73d423002728660c4cf6a71c');	// INC0009009
var value = recordGR.getElement('business_service').canRead();
gs.info(value);
// go back to admin
gs.getSession().impersonate('6816f79cc0a8016401c5a33be04be441');

results in:

Impersonation start: Abel Tuter (abel.tuter) by: System Administrator (admin)
*** Script: false
Impersonation end: Abel Tuter (abel.tuter)
Impersonation start: Beth Anglin (beth.anglin) by: System Administrator (admin)
*** Script: true
Impersonation end: Beth Anglin (beth.anglin)

which is what I expect.

Bert_c1
Kilo Patron

Enable Security Debug, impersonate the user, and access an incident to see which ACLs are failing. Also check by accessing a record in the 'cmdb_ci_service' table. There are read ACLs defined on the parent table cmdb_ci that stop Abel Tuter from seeing records in either table.
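The per-user check from the scripts above, wrapped as a reusable helper; this is an added example, not code from any poster in the thread. The function name `checkFieldRead` and its parameters are hypothetical. It follows the replies' ordering (impersonate first, then build the GlideRecord), reports record-level and field-level `canRead()` separately, and restores the original user in a `finally` block even if a call throws.

```javascript
// Added example. gs and GlideRecord are passed in as arguments (an assumption
// of this sketch) so the function can also be loaded outside an instance.
// In a background script, call it as:
//   gs.info(JSON.stringify(checkFieldRead(gs, GlideRecord, 'incident',
//       '<incident sys_id>', 'business_service', ['<user sys_id>'])));
function checkFieldRead(gs, GlideRecordClass, table, recordSysId, field, userSysIds) {
    var session = gs.getSession();
    var originalUser = gs.getUserID(); // user to restore after each check
    var results = [];

    for (var i = 0; i < userSysIds.length; i++) {
        var row = {
            user: userSysIds[i],
            recordFound: false, // record exists and the field name is valid
            recordRead: false,  // GlideRecord.canRead() for the whole record
            fieldRead: false    // GlideElement.canRead() for the one field
        };
        try {
            session.impersonate(userSysIds[i]);
            // Build and load the record after the impersonation call,
            // the same order the replies in this thread use.
            var gr = new GlideRecordClass(table);
            if (gr.get(recordSysId) && gr.isValidField(field)) {
                row.recordFound = true;
                row.recordRead = gr.canRead();
                row.fieldRead = gr.getElement(field).canRead();
            }
        } finally {
            // Always return to the original user, even if a call above threw.
            session.impersonate(originalUser);
        }
        results.push(row);
    }
    return results;
}
```

A row with `recordFound: false` means the sys_id or field name was wrong, which is worth ruling out before reading anything into a `canRead()` result.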