check loggedin user role in ACL

soumya17
Tera Contributor

I created a custom role 'X'. When a user with the 'X' role logs in, he needs to have write access to incidents that are opened by a user with the 'X' role.

For all other incidents created by a different role, those records should be read-only.

Please help me to achieve this.

Thanks


At the top the name field specifies what the ACL affects.
In your case Incident - None - means that you're giving read access to the incident table, but not to any of the fields.

You'll also have to create an ACL where the - None - is changed to an asterisk (*). That means that you're giving read access to all the fields in the incident table as long as there are no field-specific ACLs (incident.state for example).

Also make sure that the ACL is set as read type to give read access. If read access works and you need a write access you can create another write ACL with the same logic.

Next, empty your script (when you've added the * ACL) and check whether the user gains read access with the Local_IT role.
If it works you can then try my script and see if you can use the Local_IT to gain access to certain incidents.

var answer = false;
if(gs.hasRole('Local_IT')){
    var roles = gs.getUser().getUserByID(current.opened_by).getRoles().toString().split(",");
    for(var i in roles){
        if(roles[i] == 'Local_IT'){
            answer = true;
        }
    }
}

Now if the current.opened_by has the role "Local_IT" and so does your user then they'd gain read access.

soumya17
Tera Contributor

Thanks for your continuous help!


Firstly, I created the role Local_IT and added the contained role "sn_incident_read"

and then I created a write ACL on incident-none with the script

var answer = false;
if(gs.hasRole('Local_IT')){
    var roles = gs.getUser().getUserByID('current.opened_by').getRoles().toString().split(",");
    for(var i in roles){
        if(roles[i] == 'Local_IT'){
            answer = true;
        }
    }
}

I have also created a write incident* ACL with the same script.

What I want to achieve is:

if any incident's caller has the Local_IT role, then those incidents should be editable;

all other incidents should be read-only (all incidents where the caller does not have the Local_IT role).


Hmm, well, sn_incident_read should already give only the read access, so you should be good to go on that part.

If you want to check for caller, then in the var roles part you need to change current.opened_by to current.caller_id. Also make sure it doesn't have any quotes around it:

//Correct:
var roles = gs.getUser().getUserByID(current.caller_id).getRoles().toString().split(",");
//Wrong:
var roles = gs.getUser().getUserByID("current.caller_id").getRoles().toString().split(",");


So if you have a write ACL incident.* then the script should work.
Let's run through it once more:

//By default answer is false -> No write access
var answer = false;
//Check if currently logged in user has the role "Local_IT"
if(gs.hasRole('Local_IT')){
    //If they have it, we then check all the roles that the caller has
    //The getRoles returns a comma separated list of roles and we turn it into an array with split.
    var roles = gs.getUser().getUserByID(current.caller_id).getRoles().toString().split(",");
    for(var i in roles){ //Loop through the roles.
        if(roles[i] == 'Local_IT'){ //if the caller also has Local_IT then answer is true
            answer = true;
        }
    }
}


You can start by checking your Local_IT user's access first. Do they see the incident you're interested in? If they do, then add the incident.* write ACL with above script and then log in again with the Local_IT user and see if you can now modify the incident, but not others that have a caller who doesn't have the Local_IT role.
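To make the two points in this answer checkable without an instance (deny-by-default `answer`, and the difference between passing `current.caller_id` and the literal string "current.caller_id"), here is an added example that is not part of the thread or of ServiceNow itself. The `gs`, `current` and GlideUser objects are constructed mocks that imitate only the calls the ACL script makes; the user sys_ids and role lists are made up.

```javascript
// Added example, not from the thread: an offline harness reproducing the
// write ACL logic so the caller-role check and the quoted-string mistake
// can be exercised. Everything below is a constructed mock of ServiceNow.

// Constructed user directory: sys_id -> roles (values are invented).
const USERS = {
  u_caller_localit: ['itil', 'Local_IT'],
  u_caller_plain:   ['itil'],
  u_self_localit:   ['sn_incident_read', 'Local_IT'],
  u_self_plain:     ['sn_incident_read'],
};

// Mock of the two GlideUser methods the ACL uses. An unknown id (such as the
// literal text "current.caller_id") resolves to a user with no roles, which
// is the failure mode behind "all incidents are read-only".
function makeGlideUser(sysId) {
  const roles = USERS[sysId] || [];
  return {
    getRoles: () => roles,
    getUserByID: (id) => makeGlideUser(id),
  };
}

// Mock of the `gs` global for a given logged-in user.
function makeGs(loggedInId) {
  const me = makeGlideUser(loggedInId);
  return {
    hasRole: (r) => me.getRoles().indexOf(r) !== -1,
    getUser: () => me,
  };
}

// The ACL script from the answer, written as a function of its inputs.
// `lookupId` is whatever expression is handed to getUserByID, so the
// broken version can be reproduced by passing the literal string.
function aclWriteAnswer(gs, lookupId, role) {
  var answer = false;                      // deny by default
  if (gs.hasRole(role)) {
    var roles = gs.getUser().getUserByID(lookupId).getRoles().toString().split(',');
    for (var i in roles) {
      if (roles[i] === role) {
        answer = true;
      }
    }
  }
  return answer;
}

// Evaluate the write ACL for one record. `quoted` = true mimics the
// "current.caller_id" (in quotes) mistake; false is the correct form.
function evaluate(loggedInId, current, quoted) {
  const gs = makeGs(loggedInId);
  const lookup = quoted ? 'current.caller_id' : current.caller_id;
  return aclWriteAnswer(gs, lookup, 'Local_IT');
}

// Stand-alone demonstration with constructed records.
const incidentLocalCaller = { caller_id: 'u_caller_localit' };
const incidentPlainCaller = { caller_id: 'u_caller_plain' };
console.log('Local_IT user, caller has Local_IT :', evaluate('u_self_localit', incidentLocalCaller, false)); // true
console.log('Local_IT user, caller lacks it     :', evaluate('u_self_localit', incidentPlainCaller, false)); // false
console.log('user without Local_IT              :', evaluate('u_self_plain', incidentLocalCaller, false));   // false
console.log('quoted "current.caller_id" mistake :', evaluate('u_self_localit', incidentLocalCaller, true));  // false
```

The last line is the symptom reported in this thread: with the field name in quotes, the lookup never finds a user, so `answer` stays at its safe default of false for every incident, which is exactly why starting from `false` and only flipping to `true` on a positive match is the right shape for an ACL script.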


soumya17
Tera Contributor

What's happening is that when I impersonate a user who has the Local_IT role, all incidents are read-only, which should not be the case.

I wrote the same ACL.

Hmm, at this point it should be working.
At the bottom of the script try adding gs.info("ACL log answer: " + answer);

Then go to the RITM with your LOCAL_IT user.
After that go to your admin user and go to logs and search for Message starts with "ACL log answer:"

The log can be found under System Logs -> System Log -> All

You should be able to see what answer you were getting when at the record which should be editable.
Better yet if you also add an if so you get only a few logs:

if(current.sys_id == 'sys_id_of_one_ritm'){
    gs.info("ACL log answer: " + answer);
}

If you change sys_id_of_one_ritm to the sys_id of a RITM that should be editable for your Local_IT user, then you'll only get one or two logs for it and can easily see whether the value is false or true.
If you don't add that, you'll probably end up with logs for all the RITMs that are shown on a list, for example when you refresh a list.