canRead() is returning an erroneous value
09-19-2024 12:47 PM
I'm trying to check read permissions of a user on a field in the Incident table. The code I'm using is:
gs.getSession().impersonate(userSysID);
var value = recordGR.getElement('business_service').canRead(); // recordGR is a GlideRecord on the Incident table
I am expecting 'value' to be false, as this user does not have the ability to read the business_service field. However, the code is returning true.
However, I added the field to the Incident form, and when I impersonate the user and go to the form, I cannot see the field! Why do I get a conflicting value when I execute the code?
09-20-2024 07:40 AM
Hi @snoozer,
Could you try the script below once and let me know:
gs.getSession().impersonate('0016f4f8d474de90206f3637ed37d5aa');
var recordGR = new GlideRecord('incident');
if (recordGR.get('bee42676b9df4a14c29839f22ecb7e94')) {
    var fieldElement = recordGR.getElement('business_service');
    // Check if the user can read the field
    var canReadField = fieldElement.canRead();
    gs.info('Can read field: ' + canReadField);
    // Check if the field value is empty
    // (getValue() returns null, not '', for an empty field, so use nil() instead)
    var isValueNil = fieldElement.nil();
    gs.info('Field value is nil: ' + isValueNil);
}
09-20-2024 07:30 AM
In my instance, the following script logic:
// Abel Tuter: 62826bf03710200044e0bfc8bcbe5df1
// Beth Anglin: 46d44a23a9fe19810012d100cca80666
// admin: 6816f79cc0a8016401c5a33be04be441
gs.getSession().impersonate('62826bf03710200044e0bfc8bcbe5df1');
var recordGR = new GlideRecord('incident');
recordGR.get('57af7aec73d423002728660c4cf6a71c'); // INC0009009
var value = recordGR.getElement('business_service').canRead();
gs.info(value);
// go back to admin
gs.getSession().impersonate('6816f79cc0a8016401c5a33be04be441');
// now try Beth
gs.getSession().impersonate('46d44a23a9fe19810012d100cca80666');
var recordGR = new GlideRecord('incident');
recordGR.get('57af7aec73d423002728660c4cf6a71c'); // INC0009009
var value = recordGR.getElement('business_service').canRead();
gs.info(value);
// go back to admin
gs.getSession().impersonate('6816f79cc0a8016401c5a33be04be441');
results in:
Impersonation start: Abel Tuter (abel.tuter) by: System Administrator (admin)
*** Script: false
Impersonation end: Abel Tuter (abel.tuter)
Impersonation start: Beth Anglin (beth.anglin) by: System Administrator (admin)
*** Script: true
Impersonation end: Beth Anglin (beth.anglin)
which is what I expect.
09-20-2024 10:15 AM
Enable Security Debug, impersonate the user, and access an incident to see which ACLs are failing. Also check by accessing a record in the 'cmdb_ci_service' table. There are read ACLs defined on the parent table cmdb_ci that stop Abel Tuter from seeing records in either table.
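
A diagnostic along the lines the replies suggest, as an added example that is not part of the original thread: it evaluates the record-level, field-level and referenced-record read checks under one impersonation and always switches back to the original user. The function name `checkFieldReadAccess` and its result keys are hypothetical, and `gs` and `GlideRecord` are passed in as parameters (an assumption, so the function can also be exercised outside an instance).

```javascript
// Added example (not from the thread). In a background script, call it with the
// platform globals: checkFieldReadAccess(gs, GlideRecord, userSysId, 'incident', recordSysId, 'business_service')
function checkFieldReadAccess(gs, GlideRecord, userSysId, table, recordSysId, fieldName) {
    var originalUser = gs.getUserID(); // user to switch back to afterwards
    var result = {
        found: false,           // did the record load at all?
        recordCanRead: null,    // read check on the record itself
        fieldCanRead: null,     // read check on the field (what the thread's code tests)
        fieldIsEmpty: null,     // an empty field has no referenced record to check
        referenceCanRead: null  // read check on the record the field points to
    };

    gs.getSession().impersonate(userSysId);
    try {
        var gr = new GlideRecord(table);
        if (!gr.get(recordSysId)) {
            return result; // record not found; nothing else to evaluate
        }
        result.found = true;
        result.recordCanRead = gr.canRead();

        var element = gr.getElement(fieldName);
        result.fieldCanRead = element.canRead();
        result.fieldIsEmpty = element.nil();

        // Assumes fieldName is a reference field (business_service is one).
        if (!result.fieldIsEmpty) {
            var ref = element.getRefRecord();
            if (ref && ref.isValidRecord()) {
                result.referenceCanRead = ref.canRead();
            }
        }
        return result;
    } finally {
        // Runs even if a check throws, so the session never stays impersonated.
        gs.getSession().impersonate(originalUser);
    }
}
```

A result with `fieldCanRead` true and `referenceCanRead` false points at read ACLs on the referenced table rather than on the Incident field itself, which is the situation the last reply describes.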