Get current user's role(s)...?

uluerje
Mega Expert

Does anyone know how to get a list of the current user's roles by sys_id? I've tried using the getRole() function but it doesn't return anything. According to the wiki article Getting a User Object - ServiceNow Wiki "getUserRoles() -- returns the roles explicitly granted to the current user" & "getRoles() -- returns all of the roles of the current user" but when I run them, I get nothing. I am able to get a list of roles by name using the gs.getSession().getRoles() function, but what I need is something that'll return a list of roles by sys_id because the custom list field I'm checking against references the Roles table and therefore holds the sys_id. I even tried to set the reference key on my List field to 'name' so I could possibly just use gs.getSession().getRoles(), but apparently you can't use the reference key with a list as SN has a UI policy to hide it when type is List. I'm totally confused as to why the other functions (getUserRoles & getRoles) aren't returning anything.

Scenario:

We have an application menu that we grant access to via the OOB "Roles" field, however we have specific no-role users who also need access to that application menu and modules. I could just remove the role but then it would be open to everyone, which we don't want. So what I've done to avoid opening the application menu up to the system when the role is removed is create a "Group Access" List field on the sys_app_application table that grants app access to the group members via a before query business rule. I should point out that this only works if the "Roles" field is empty as I don't know how SN is granting access to app menus/modules with the "Roles" field b/c I've disabled the write ACL on the sys_app_application table which appeared to be granting access based on the Roles field, but after disabling it, users still had access to the application if they had one of the roles, also, if you personalize dictionary on the Roles field, you'll see that the type is "User Roles" which I've never seen before. So since I haven't figured out how to control the oob "Roles" field, I just created my own "Role Access" List type field on the sys_app_application table that references the Roles table that I'm hoping I can use in place of the oob Roles field when working with application menus that have specific role/no-role users who need to access it. So basically what I'm trying to figure out is how to use the "Group Access" field to grant access to no-role users AND still have a role field where I can grant access to the application menu for users who have a role. Therefore I need a "fast" way to check if the current user has one of the roles in the "Role Access" field, which I thought would be quick and easy using one of the getUserRoles & getRoles functions but of course it's not "working" as expected.

9 REPLIES

Hi Pradeep,

I'm having the same issue as Jessica. Only gs.getSession().getRoles() returns roles for me.

Cheers

Greg


uluerje
Mega Expert

Thanks for all the replies but I'm still at square one. I'm able to get the list of sys_ids of the current user's role(s) but I haven't found a way to work it into the before query business rule, which is my original issue. Below is what I currently have in the BR, which works great to grant access to the application menu if the user is a member of one of the groups listed in the "Group Access" field or if Group Access is empty but the oob 'Roles' field must be empty for this to work, which takes me back to my main issue being that I can't figure out how to add a condition to the below query based on the user's roles and the values in my custom role field. Initially, I tried to add u_role_accessLIKEjavascript:getRoles() and that's when I ran into the issue of the getRoles() function not returning anything. Any help is appreciated! Thanks!



// Show the menu if the user is in a listed group, or if "Group Access" is empty
var qry = 'u_group_accessLIKEjavascript:getMyGroups()^ORu_group_accessISEMPTY';
current.addEncodedQuery(qry);
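
Added example, not part of the original post: one way to extend the before-query rule above so that a role listed in "Role Access" also grants visibility, with role sys_ids read from sys_user_has_role instead of getRoles(). The helper names cleanIds, buildMenuQuery and collectRoleIds are hypothetical, and treating a menu as open only when both custom lists are empty is an assumption about the intended behaviour.

```javascript
// Added example; u_group_access and u_role_access are the custom List fields from the thread.
var SYS_ID = /^[0-9a-f]{32}$/;

// Keep only well-formed, de-duplicated sys_ids so a stray '^' or ',' in a value
// can never inject extra operators into the encoded query.
function cleanIds(ids) {
  var seen = {}, out = [];
  (ids || []).forEach(function (id) {
    id = String(id).trim().toLowerCase();
    if (SYS_ID.test(id) && !seen[id]) { seen[id] = true; out.push(id); }
  });
  return out;
}

// Visible if: user is in a listed group, OR holds a listed role,
// OR (assumption) both lists are empty, i.e. the menu is unrestricted.
function buildMenuQuery(roleIds) {
  var terms = ['u_group_accessLIKEjavascript:getMyGroups()']; // clause from the thread
  cleanIds(roleIds).forEach(function (id) {
    terms.push('u_role_accessLIKE' + id);
  });
  // ^NQ starts a separate OR'ed query; both fields must be empty, so filling
  // in only "Role Access" no longer leaves the menu open to everyone.
  return terms.join('^OR') + '^NQu_group_accessISEMPTY^u_role_accessISEMPTY';
}

// Instance-only helper: role sys_ids held by a user, read from sys_user_has_role.
function collectRoleIds(userId) {
  var ids = [];
  var gr = new GlideRecord('sys_user_has_role');
  gr.addQuery('user', userId);
  gr.query();
  while (gr.next()) { ids.push(gr.getValue('role')); }
  return ids;
}

// In the before-query business rule (skipped when run outside an instance):
if (typeof GlideRecord !== 'undefined' && typeof current !== 'undefined') {
  current.addEncodedQuery(buildMenuQuery(collectRoleIds(gs.getUserID())));
}
```

A user with no groups and no roles still matches only menus where both lists are empty, so the rule fails closed for restricted menus.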


Hello Jessica,

Enable the sys_app_application write ACL.

Add some script at the top with the existing script to check if the logged in user is part of any of the groups mentioned in the 'Group Access' list:

1. Declare a flag variable, split the groups from 'Group Access' field.

2. Check the membership through 'while' loop. Inside the loop, you may use:

Get the group name -

var flag = 0;
// 'Group Access' (u_group_access, as named earlier in the thread) is a List field:
// a comma-separated string of group sys_ids
var groups = current.u_group_access.toString().split(',');
var i = 0;
while (i < groups.length) {
    var grp = new GlideRecord('sys_user_group');
    // Use 'get' or addQuery
    grp.addQuery('sys_id', groups[i]);
    grp.query();
    // Check the group membership, but only if the group record was found
    if (grp.next() && gs.getUser().isMemberOf(grp.getValue('name'))) {
        flag = 1;
        break;
    }
    i++;
}

Now add an 'else if' condition inside the existing ACL script:

else if (flag == 1) {
    answer = true;
}

Hope it would work and you wouldn't need any BR.

Moreover, though the 'Roles' field is a "user_roles" type field, it acts as a 'list' type field. Hence, you don't need to create the 'Role Access' custom field.

Thanks.


Hi Subhankar,

Thanks for the suggestion but unfortunately it didn't work. What's interesting is that the ACLs on the sys_app_application table seem to have no impact on what the user can and can't see when it comes to the app menus. As a quick test, I cleared out the script and roles on all the ACLs, so they were completely open to all users (no restrictions), and my test user still saw the exact same menus as when the ACLs had the script and roles on them. I guess this is why I went the business rule route in the first place. Any thoughts on this? Thanks again!


Bhanuchander Ga
Tera Contributor
Hi Pradeep Sharma,
 
Thanks for your help, it worked for me 🙂