Give users CREATE rights on sys_user_grmember table using an ACL

mr_t
Kilo Contributor

Hi, 

I wanted to give certain users CREATE rights to sys_user_grmember table.

I created a user group for those users. It contains one role: a3m_create_groupmember_table (elevated privilege)

I created a new ACL on that table:

[screenshot of the new ACL]

When a member of the group executes a script that adds another user to an ADMIN group, I get this error:

[screenshot of the error message]

Could anyone explain why this is happening? 

Thanks, 

T.


Ankur Bawiskar
Tera Patron

Hi,

You should give table-level CREATE access.

So instead of * give None:

Name [None]

Also, share what script is being used. If you are using GlideRecord then ACLs are not evaluated.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

Hey Ankur, 

That table has CREATE access.

Here are parts of the script for the business rule that's triggered on Insert on a table I created:

(function executeRule(current, previous /*null when async*/) {
	giveAdmin();
})(current, previous);

function giveAdmin() {
	// Inserts a sys_user_has_role record that grants the hard-coded user the admin role.
	var role = "admin";
	var grd = new GlideRecord('sys_user_has_role');
	grd.initialize();
	grd.user = "3618ca771b9f891005806283b24bcbe6"; // sys_id of the target user
	grd.setDisplayValue('role', role);
	grd.insert();
}

I am also now getting this error when the business rule is triggered.

[screenshot of the error message]

Thanks, 

T.

Hi,

Did you check any OOB script/logic restricts giving admin role via script to users?

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

Hey Ankur, 

That's a good idea. I need to find one. 

Thanks, 

T.

chrisperry
Giga Sage

Hi there,

In addition to the ACL on sys_user_grmember table, you are also going to need a create ACL on the sys_user_has_role table.  The OOTB create ACL on sys_user_has_role table has a script component to determine if the user is allowed to grant the role, but it sounds like you want your a3m_write_groupmember_table role to be able to grant admin role even if they do not have admin role themselves -- so you could create a brand new create ACL on [sys_user_has_role . --None--] for your a3m_write_groupmember_table role and it should resolve the error/issue you have been facing.

If this answer is helpful please mark correct and helpful!

Regards,

Christopher Perry
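The answers above describe the create ACL on sys_user_has_role as the place where the platform decides whether the requesting user may grant a given role. The following is an added example, not code from the thread or from ServiceNow: an ACL-style script condition modelled outside the platform so it runs under plain Node. The rule it enforces (a non-admin may grant only roles they already hold; admin may grant any role) is an illustrative policy chosen here, not a copy of the out-of-the-box ACL script. The `gs` and `current` objects are constructed stand-ins for ServiceNow's server-side globals, and `answer` mirrors the variable an ACL script sets to report its decision.

```javascript
// Constructed stand-in for the part of the GlideSystem API this check needs
// (assumption: only hasRole is required; it is a plain membership test here).
function makeGs(sessionRoles) {
    var roles = sessionRoles.slice();
    return {
        hasRole: function (name) {
            return roles.indexOf(name) !== -1;
        },
        getUserID: function () { return 'constructed-user-sys_id'; },
        info: function () {} // logging stub
    };
}

// Constructed stand-in for `current`, the sys_user_has_role record being inserted.
// The real record's role field is a reference; getDisplayValue() gives the role name.
function makeCurrent(roleName) {
    return {
        role: { getDisplayValue: function () { return roleName; } }
    };
}

// The ACL script body. In ServiceNow this logic would sit in the Script field of a
// create ACL on sys_user_has_role (field --None--); `answer` is the decision.
function aclCreateUserHasRole(gs, current) {
    var answer = false;
    var requested = current.role.getDisplayValue();

    if (!requested) {
        // No role selected: refuse rather than let an empty grant through.
        answer = false;
    } else if (gs.hasRole('admin')) {
        // Admin may grant any role.
        answer = true;
    } else {
        // Non-admins may only hand out roles they hold themselves, which blocks
        // the self-escalation path of a low-privilege role granting admin.
        answer = gs.hasRole(requested);
        if (!answer) {
            gs.info('role grant refused: user ' + gs.getUserID() +
                    ' does not hold ' + requested);
        }
    }
    return answer;
}

// Example runs with constructed session roles (not output from the thread).
console.log(aclCreateUserHasRole(makeGs(['itil']), makeCurrent('admin')));           // false
console.log(aclCreateUserHasRole(makeGs(['itil']), makeCurrent('itil')));            // true
console.log(aclCreateUserHasRole(makeGs(['admin']), makeCurrent('security_admin'))); // true
```

Note that, as Ankur's reply says, a server-side GlideRecord insert such as the business rule in this thread does not evaluate ACLs at all; a script condition like this one only binds requests that go through the UI, the REST API, or a GlideRecordSecure query, so a role check that must hold for scripted inserts has to live in a before business rule rather than in the ACL.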