GlideRecordSecure not processing ACL dynamic condition

yundlu316
Kilo Guru

‎11-09-2017 12:07 PM

Hi Everyone, our team is creating a widget in a scoped application and am running into some ACL issues.   In the back end, we've created a test group that contains a test role and included three users.   The test role does not contain any other roles.

find_real_file.png

In our case table, we created a read ACL that will grant read access only if a user is in the test group:

find_real_file.png

This works perfectly in the backend and our Case list filters correctly, however our widget does not display any records.   We're using GlideRecordSecure as recommended in other posts:

var onbCase = new GlideRecordSecure('x_dnf_onboarding_case');

onbCase.query();

while(onbCase.next()){

data.onbCase.push({

number: onbCase.getDisplayValue('number'),

user: onbCase.getDisplayValue('hr_profile'),

start_date: onbCase.getDisplayValue('hr_profile.employment_start_date'),

short_description: onbCase.getDisplayValue('short_description'),

selected: false,

case_visible: true

})

}

Any suggestions on what's going on here?    

EDIT: After running through a couple scenarios, it looks like GlideRecordSecure doesn't work with a dynamic condition.   In the first scenario, we declared our ACL as must having the test role and the condition must be test_group is dynamic to one of the groups the user is in:

find_real_file.png

When we impersonate a user with the qualifications, it yields no records in our widget:

find_real_file.png

However, if we changed our condition to not be dynamic...

find_real_file.png

We get the correct records showing up:

find_real_file.png

In both cases, the back end list view is correct:

find_real_file.png

Has anyone else experienced this?   We're wondering if this is a SN bug or there's something we're not doing correctly in the ACL or GlideRecordSecure.   Thanks!

Preview file
40 KB
Preview file
50 KB
Preview file
67 KB
Preview file
34 KB
Preview file
37 KB
Preview file
50 KB
Preview file
31 KB
0 Helpfuls
  • 1,641 Views
5 REPLIES 5

Dave Smith1
ServiceNow Employee
ServiceNow Employee

‎11-09-2017 12:32 PM 

In our case table, we created a read ACL that will grant read access only if a user is in the test group:

Why check against group membership, rather than against the role the group members hold?   That's the purpose of the role, after all.


0 Helpfuls

Andras Kisgyorg
Kilo Guru

‎11-09-2017 12:58 PM

Hi David,



Above the ACL condition builder it already says "0 records match the condition" which suggests that nothing will pass through this ACL. Which table the ACL is created against?



Otherwise, is the widget working if you just deactivate the ACL for testing?



Cheers,


Andras


0 Helpfuls

yundlu316
Kilo Guru
In response to Andras Kisgyorg

‎11-09-2017 01:01 PM

Hey Andras, i didn't even notice that, thanks for the tip.   The ACL is created against our onboarding case table which is extended from the ootb case table.


0 Helpfuls

Andras Kisgyorg
Kilo Guru
In response to yundlu316

‎11-09-2017 01:10 PM

Just asked about the table as wondering how you managed to set the condition builder to be "test group is ..." provided from what I see test group is a group name and not a field name.


Shouldn't the ACL condition look like "group reference field - is (dynamic) - one of my groups"?



Andras


0 Helpfuls