Getting "Not authorized" message when clicking New button from Incident List view

reginabautista · ‎07-07-2017

Hi guys,

I have introduced a new role called "3rd_party_suppliers" to allow 3rd party users to create and manage their own incidents. I did not give users the itil role.

There's a weird behaviour when I was trying to create an incident using the New button from the list view. I am getting the error "Not authorized". I'm pretty sure it's not ACL issue as the "Create New" button on the module menu is working. Has anyone come across this issue? Thanks

When I inspected the URL this is what I am getting. Where did the com.glideapp.servicecatalog_cat_item_view come from??

https://mydev.service-now.com/com.glideapp.servicecatalog_cat_item_view.do?sysparm_id=3f1dd0320a0a0b...

When I impersonated a user with ITIL role this is the URL that I am getting:

https://mydev.service-now.com/nav_to.do?uri=incident.do?sys_id=8a908779373bfa00a15e19a543990e34

Shahed Shah1 · ‎07-07-2017

It's in the code of the New button (UI Action) to do this.

Here's the script from an OOB Instance:

if (gs.hasRole('itil')) {

var uri = action.getGlideURI();

var path = uri.getFileFromPath() + '';

path = path.substring(0, path.length - 5) + '.do';



uri.set('sys_id', '-1');

path = checkWizard(uri, path);

if (path)

action.setRedirectURL(uri.toString(path));



action.setNoPop(true);

}

else

action.setRedirectURL("com.glideapp.servicecatalog_cat_item_view.do?sysparm_id=3f1dd0320a0a0b99000a53f7604a2ef9");



function checkWizard(uri, path) {

var already = uri.get('WIZARD:action');

if (already == 'follow')

return null;



var wizID = new GlideappWizardIntercept(path).get();

if (!wizID)

return path;



uri.set('sysparm_parent', wizID);

uri.deleteParmameter('sysparm_referring_url');

uri.deleteMatchingParameter('sysparm_list_');

uri.deleteMatchingParameter('sysparm_record_');

uri.deleteParmameter('sys_is_list');

uri.deleteParmameter('sys_is_related_list');

uri.deleteParmameter('sys_submitted');

uri.deleteParmameter('sysparm_checked_items');

uri.deleteParmameter('sysparm_ref_list_query');

uri.deleteParmameter('sysparm_current_row');



uri.set('sysparm_referring_url', uri.toString());

uri.deleteMatchingParameter('fancy.');

uri.deleteMatchingParameter('sys_rownum');

uri.deleteMatchingParameter('sysparm_encoded');

uri.deleteMatchingParameter('sysparm_query_encoded');

uri.deleteParmameter('sysparm_refer');


return 'wizard_view.do';

}

So it checks if you're an ITIL User and redirects you as normal. Otherwise, you get redirected. That sys_id is for the "Create a New Incident" Record Producer: /sc_cat_item_producer.do?sys_id=3f1dd0320a0a0b99000a53f7604a2ef9

But, now I'm starting to this of that interceptor code. Wondering if it's worth checking that Record Producer first and, failing that, move onto the interceptor part of the code

View solution in original post

Sharique Azim · ‎07-07-2017

Hi Regina,

I last day faced the same issue, realised there were active sessions on IE and chrome.

So , I had logged out from both instance and then logged in!!

reginabautista · ‎07-07-2017

Thanks sharique. I tried that but no luck!

Shahed Shah1 · ‎07-07-2017

If you're an end user and you click on New in the list view it would redirect you to the Record Producer. Strange that you're getting it while logged in as an ITIL User. Is that Record Producer active? Sometimes you can get that message when navigating directly to an inactive Catalog Item/Record Producer.

reginabautista · ‎07-07-2017

Thanks Shahid for the reply. Which record producer should I look for?