Copy a role and permissions

maryc
Tera Contributor

Hi,

I want to copy the OOB ITIL role and make some modifications (remove and add) to the permissions for the new role. Is there an easy method to do this?

If I inherit the ITIL role, can this modification be done?

1 ACCEPTED SOLUTION

var referenceRole = 'itil'; // reference role for cloning
var newRole = 'itil_dummy'; // new role to be cloned from reference role

var newRoleObj = new GlideRecord('sys_user_role'); // create a new role
  newRoleObj.initialize();
  newRoleObj.name = newRole;
var newRoleSysID = newRoleObj.insert();

var aclAndRole = new GlideRecord('sys_security_acl_role'); // find all the ACLs for reference role
  aclAndRole.addQuery('sys_user_role.name', referenceRole);
  aclAndRole.addQuery('sys_security_acl.active', true);
  aclAndRole.query();

while (aclAndRole.next()) {

  gs.print(aclAndRole.sys_security_acl.name);
  gs.print(aclAndRole.sys_security_acl.advanced);
  gs.print(aclAndRole.sys_security_acl.script);
  gs.print(aclAndRole.sys_security_acl.condition);

  var newACLs = new GlideRecord('sys_security_acl');
  newACLs.initialize(); // create new ACLs for new Role
  newACLs.name = aclAndRole.sys_security_acl.name;
  newACLs.advanced = aclAndRole.sys_security_acl.advanced;
  newACLs.condition = aclAndRole.sys_security_acl.condition;
  newACLs.script = aclAndRole.sys_security_acl.script;
  var newACLSysID = newACLs.insert();

  var newACLAndRole = new GlideRecord('sys_security_acl_role');
  newACLAndRole.initialize(); // build a relation between new ACL and new Role so that new Role appears in related section for ACL
  newACLAndRole.sys_security_acl = newACLSysID;
  newACLAndRole.sys_user_role = newRoleSysID;
  newACLAndRole.insert();
}




Hi Mary,

As I said, I was trying this out in the past and I left it in the middle due to some change in the requirement. However, I have modified the code which you can see above.

The design considerations are:

1) Create a new role entry in the sys_user_role table for the dummy role, let's say "itil_dummy".
2) Find the "Associated ACLs" for the existing role using sys_security_acl_role and the "Reference" role, let's say "itil".
3) Now, have new ACLs created for the "itil_dummy" role using step 2. These ACLs will have the same "Condition" and "Script" fields as per the result got in step 2.
4) Create a relation between the new role and these new ACLs using the m2m table "sys_security_acl_role".

Remember, you will have to test it thoroughly. I checked the above code in my dev instance; it created a new role ITIL_dummy with the ACLs associated with the ITIL role, with the same condition and script fields. I have not taken into consideration other fields of the ACL like "admin overrides"; you can do that by adding a line in the code snippet from line 27 to 29.

Also, these changes will not be captured in your update set since you are running this code as a background script. One more thing: ACLs are a performance maker or breaker; the fewer we have, the better it is. So please rethink before making any decision.
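The four steps above as a hardened background script, added here as an example and not the original poster's code. It looks up the reference role first, stops before writing any ACL if there is no role sys_id to link to (an empty role is what the "Prevent null role creation for ACL" business rule reported later in the thread rejects), and copies operation, type, active, admin_overrides and description as well. The function name `cloneRoleAcls`, the `GR` parameter and the extended field list are assumptions of this example; check the field names against your instance.

```javascript
// Added example, not the original poster's script.
// GR is the record class: GlideRecord on an instance, a stub when testing.
var ACL_FIELDS = ['name', 'operation', 'type', 'active', 'admin_overrides',
                  'advanced', 'condition', 'script', 'description'];
function cloneRoleAcls(referenceRole, newRole, GR) {
    var ref = new GR('sys_user_role');
    if (!ref.get('name', referenceRole)) { throw new Error('Reference role not found: ' + referenceRole); }
    // Step 1: reuse the target role if it exists, otherwise create it.
    var role = new GR('sys_user_role');
    var roleId;
    if (role.get('name', newRole)) {
        roleId = role.getUniqueValue();
    } else {
        role.initialize();
        role.setValue('name', newRole);
        roleId = role.insert();
    }
    // Stop before any ACL is written if there is no role sys_id to link to.
    if (!roleId) { throw new Error('Could not find or create role: ' + newRole); }
    var result = { role: roleId, cloned: 0, skipped: [] };
    // Step 2: active ACLs associated with the reference role.
    var link = new GR('sys_security_acl_role');
    link.addQuery('sys_user_role', ref.getUniqueValue());
    link.addQuery('sys_security_acl.active', true);
    link.query();
    while (link.next()) {
        var src = new GR('sys_security_acl');
        if (!src.get(link.getValue('sys_security_acl'))) { continue; }
        // Step 3: copy the ACL, including operation, type and admin_overrides.
        var copy = new GR('sys_security_acl');
        copy.initialize();
        for (var i = 0; i < ACL_FIELDS.length; i++) {
            copy.setValue(ACL_FIELDS[i], src.getValue(ACL_FIELDS[i]));
        }
        var aclId = copy.insert();
        // Step 4: link the copy to the new role; record anything rejected.
        var m2m = new GR('sys_security_acl_role');
        m2m.initialize();
        m2m.setValue('sys_security_acl', aclId);
        m2m.setValue('sys_user_role', roleId);
        if (aclId && m2m.insert()) { result.cloned++; }
        else { result.skipped.push(src.getValue('name')); }
    }
    return result;
}
if (typeof GlideRecord !== 'undefined') { // only runs on a ServiceNow instance
    gs.print(JSON.stringify(cloneRoleAcls('itil', 'itil_dummy', GlideRecord)));
}
```

Running it a second time reuses the existing role but creates another set of ACL copies, so run it once per target role and review the `skipped` list before assigning the role to users.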


18 REPLIES

maryc
Tera Contributor

Deepak,



I am getting a lot of these errors:

Background message, type:error, message: Role field cannot be empty
Operation against file 'sys_security_acl_role' was aborted by Business Rule 'Prevent null role creation for ACL^6b2cb1ae6fc0a600e00decd0be3ee462'. Business Rule Stack:Prevent null role creation for ACL
*** Script: Role: itil
*** Script: ACL: task.work_notes
Background message, type:error, message: Role field cannot be empty
Operation against file 'sys_security_acl_role' was aborted by Business Rule 'Prevent null role creation for ACL^2f2cb1ae6fc0a600e00decd0be3ee462'. Business Rule Stack:Prevent null role creation for ACL
*** Script: Role: itil
*** Script: ACL: sc_cat_item_delivery_task.short_description
Background message, type:error, message: Role field cannot be empty
Operation against file 'sys_security_acl_role' was aborted by Business Rule 'Prevent null role creation for ACL^ef2cb1ae6fc0a600e00decd0be3ee462'. Business Rule Stack:Prevent null role creation for ACL
*** Script: Role: itil
*** Script: ACL: sys_user.middle_name
Background message, type:error, message: Role field cannot be empty
Operation against file 'sys_security_acl_role' was aborted by Business Rule 'Prevent null role creation for ACL^a32cb1ae6fc0a600e00decd0be3ee463'. Business Rule Stack:Prevent null role creation for ACL
*** Script: Role: itil
*** Script: ACL: cmdb_identifier
Background message, type:error, message: Role field cannot be empty
Operation against file 'sys_security_acl_role' was aborted by Business Rule 'Prevent null role creation for ACL^672cb1ae6fc0a600e00decd0be3ee463'. Business Rule Stack:Prevent null role creation for ACL
*** Script: Role: itil
*** Script: ACL: cmdb_db_option
Background message, type:error, message: Role field cannot be empty
Operation against file 'sys_security_acl_role' was aborted by Business Rule 'Prevent null role creation for ACL^2b2cb1ae6fc0a600e00decd0be3ee463'. Business Rule Stack:Prevent null role creation for ACL
*** Script: Role: itil


Thanks Deepak I will try this out.



What is the alternative you suggest based on my requirements?



Thanks again


Hi Mary,

No, I don't think there is any easier way to do this apart from what has already been suggested by pradeepksharma & mallen_nspi.


maryc
Tera Contributor

Deepak,



I tried your script and it looks good, but have to do more testing.


How do I get the same App menu access for this new role dynamically similar to ITIL role?