Configuration records - how to set visibility

pironbi · ‎07-14-2015

Hi All -

I am trying to create a business rule that will effectively only allow records to be visible with certain criteria to certain groups.
I am not able to find how to do this at the record level and was hoping someone might have an idea.
I can find how to hide lists, etc... but filtering the records is giving me trouble.

Appreciate any help anyone can provide!

Thanks

Bill

bernyalvarado · ‎07-27-2015

Hi Bill, indeed it makes sense. The only changes you need to do then are:

Change the prior ACL you created so that its name instead of...

Server [cmdb_ci_server] it then becomes Server [cmdb_ci_server].install_status

By doing this change you will then ONLY apply the ACL to the field install_status of the cmdb_ci_server table.

As for the onBefore onQuery business rule, please make it inactive or delete it since we would not longer need it since that one will restrict all the record.

Thanks,

Berny

View solution in original post

bernyalvarado · ‎07-15-2015

Yeap. Sometimes you may want a combination of both. ACLs + a onBefore Query Business Rule. The reason is because while the ACLs could prevent reading the records the user will still something like You cannot see X number of records due to security constraints. This is specially inconvenient in list with a long list of records like the properties one since the first Y number of records could be the ones that a user is restricted and the user may see on the first page list of records 0 records and not notice there might be a long list of pages on the ones may be residing records the user can actually read. That's why, from a user experience perspective, sometimes it makes sense to implement both .

I hope this is helpful!

Thanks,

Berny

pironbi · ‎07-22-2015

Hi Berny,

I sincerely appreciate your detailed response. Still struggling with this one. The ACL is too restrictive, and I can't get the business rule just right…

What I am really looking to do is hide all cmdb_ci_server records that contain a status of hidden to everyone except certain roles.

When I do so with the ACL, it either hides just the status table or it hides everything unless you're included in the allowed to read role in the ACL.

Any thoughts?

Appreciate any advice you can give!

Thanks

Kind regards,

Bill

--

William A. Pirone | Automation, Efficiency & Quality Control | Global Infrastructure Services | IT Services

Ernst & Young LLP

Office: +1 201 872 0219 | Bill.Pirone@ey.com<mailto:Bill.Pirone@ey.com>

Thank you for considering the environmental impact of printing this email.

bernyalvarado · ‎07-22-2015

Hi Bill, its possible to accomplish what you're looking for through an ACL that's not too restrictive. Lets do the ACL first and then I would also help you to do the onBefore Business Rule.

For the ACL you will have to do the following:

Create an ACL with the following properties:

Type: Record

Operation: Read

Name: Server [cmdb_ci_server]

Active: is checked

Advanced: is checked

In the script field, add something like the following. Please note it requires some changes depending on your scenario. I mention those changes below the code snippet.

if (current.install_status != '100' || gs.hasRoleExactly('role_name')){


   answer = true;


}else{


   answer = false;


}

The changes that you need to do to the above code are the following:

a) Validate if the status field that you want to use is install_status. I mentioning that because there's another status field called hardware_status.

b) Instead of 100 you need to include the value of your hidden status. You can lookup the value of "hidden" by right clicking into the status field on the form and selecting Show Choice List.

c) replace the role_name to the name of the role that should have visibility to the CI even if the status is hidden. You can include other roles by adding:

|| gs.hasRoleExactly('the_other_role_name') at the end of the condition in line 1. For instance...

if (current.install_status != '100' || gs.hasRoleExactly('role_name') || gs.hasRoleExactly('the_other_role_name')){

This should work to accomplish what you're looking for! . Please don't hesitate to ask if you have any further questions.

Thanks,

Berny

bernyalvarado · ‎07-22-2015

As for the OnBefore Query Business Rule it should be something like this:

Table: Server [cmdb_ci_server]

Active: is checked

Advanced: is checked

When: before

Query: is checked

In the script field you write something like the following:

if (!gs.hasRole("role_name") && gs.isInteractive()) {


   var u = gs.getUserID();


   var qc = current.addEncodedQuery("install_status!=100");


   gs.print("query restricted to user: " + u);


}

Please note that you will have to do the same changes to this script as the one for the ACL:

a) change the Role name and add other && !gs.hasRole conditions if needed

b) make sure install_status is the right field

c) change the value 100 to the value of your hidden status value.

Thanks,

Berny

pironbi · ‎07-23-2015

Berny,

You are great! Thank you.. I am testing these out now and will keep you posted!

I sincerely appreciate the help!!

Kind regards,

Bill

--

William A. Pirone | Automation, Efficiency & Quality Control | Global Infrastructure Services | IT Services

Ernst & Young LLP

Office: +1 201 872 0219 | Bill.Pirone@ey.com<mailto:Bill.Pirone@ey.com>

Thank you for considering the environmental impact of printing this email.