Help with ACL Script to know if this is the right approach?

Snehal13
Kilo Sage

Here is my approach for the ACL script:

Allow read for records in sc_task, if the ACL script returns true.
- Table sc_req_item + ACL script answer = gs.getUser().isMemberOf(current.request_item.universal_request.assignment_group);

Allow read access for comments in sc_req_item for approvers.
- Table sc_req_item + field comments + Role "approver_user" role + ACL script answer = current.approvers.indexOf(gs.getUserID()) >= 0

Allow read for records in sc_req_item, if the ACL script returns true.
- Table sc_req_item + ACL script answer = current.request.requested_for == gs.getUserID()

Allows read access to the RITM for sc task approvers
- Table sc_req_item + Role "approver_user" role + ACL script answer = (current.approvers.indexOf(gs.getUserID()) > -1);

7 REPLIES

Can you elaborate on your proposed revised changes in your ACL script code?

Community Alums
Not applicable

Hi @Snehal13,

In my revised ACL scripts, I avoided using GlideRecord to keep them lightweight and faster, since ACLs run very frequently. Instead, I used the fields already available on the current record to check conditions directly. For example, I checked if the user is a member of the assignment group by using gs.getUser().isMemberOf() on the related field, and for approvers, I split the approvers string into an array and checked if the user ID is in it. For the requested_for check, I compared it directly to the current user’s ID after making sure the related fields aren’t null. This keeps the logic simple, clear, and better for performance because it doesn’t do extra database lookups.
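
The checks described in the reply above, written as plain functions that deny when a dot-walked field or list is empty (an added example, not code from either poster or from ServiceNow). `makeGs`, `walk`, `listContains` and the sample records are hypothetical stand-ins so the logic runs in Node; on an instance, `gs` and `current` are supplied by the platform.

```javascript
// Constructed stand-in for the platform's `gs` object so the checks run in Node.
function makeGs(userId, groupIds) {
  return {
    getUserID: function () { return userId; },
    getUser: function () {
      return { isMemberOf: function (group) { return groupIds.indexOf(String(group)) !== -1; } };
    }
  };
}

// Follow a dot path on a plain object; null as soon as a link is empty.
function walk(record, path) {
  return path.split('.').reduce(function (node, key) {
    return (node === null || node === undefined || node === '') ? null : node[key];
  }, record) || null;
}

// Compare whole entries of a comma-separated sys_id list; an empty list denies.
function listContains(listValue, id) {
  if (!listValue || !id) return false;
  return String(listValue).split(',')
    .map(function (s) { return s.trim(); })
    .indexOf(String(id)) !== -1;
}

// sc_task read: user is in the universal request's assignment group.
function groupMemberCanRead(current, gs) {
  var group = walk(current, 'request_item.universal_request.assignment_group');
  return group ? gs.getUser().isMemberOf(group) : false;
}

// sc_req_item (record or comments field) read: user is a listed approver.
function approverCanRead(current, gs) {
  return listContains(walk(current, 'approvers'), gs.getUserID());
}

// sc_req_item read: user is the person the request was raised for.
function requesterCanRead(current, gs) {
  var requestedFor = walk(current, 'request.requested_for');
  return requestedFor ? String(requestedFor) === String(gs.getUserID()) : false;
}

// Constructed sample data (the sys_ids are made up).
var ALICE = 'a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1';
var BOB = 'b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2';
var GROUP = 'c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3';
var ritm = { approvers: ALICE + ', ' + BOB, request: { requested_for: BOB } };
var task = { request_item: { universal_request: { assignment_group: GROUP } } };
var orphanTask = { request_item: { universal_request: '' } };
```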

Snehal13
Kilo Sage

@Community Alums,

One quick query: if I move the existing ACL script logic (having the GlideRecord logic to query) to a script include and let the ACL script call this script include, will SN execute the script include logic under ACL context or under script include context?

The whole point of my requirement is to ensure that the SN health scan report does not flag ACLs that have an ACL script using GlideRecord/GlideAggregate, as it is not a recommended best practice.