Help with ACLs to allow a unique user to view and add "Additional Comments" to any incident.

patricklatella
Mega Sage

Hi all,

I've got a single user record "Walkup User" that I need to grant access to view and add "Additional Comments" to any record on the incident table regardless of who opened the ticket.  The use case is that I've built a service portal that is meant to act like a walk up self help kiosk.  The portal will be logged in all the time by this "Walkup User", and I need the person who is at the kiosk to be able to view any incident in the system and add "Additional Comments".  

To do this, I've created a new role "walkup_user", and I've given the role to the "Walkup User" user record.  

I've then created 4 new ACLs and added the "walkup_user" role to each ACL.  

- write ACL to the [incident] table
- read ACL to the [incident] table
- write ACL to the "Additional Comments" field on [incident] table
- read ACL to the "Additional Comments" field on [incident] table

These 4 ACLs are all set to only the "walkup_user" role.  And the "Walkup User" has only this role.  With these ACLs, the "Walkup User" can still only see the incidents that have the caller "Walkup User".

What am I missing?  thanks!

 

1 ACCEPTED SOLUTION

patricklatella
Mega Sage

This has been solved...I needed to update the OOB "incident query" Business Rule to accommodate for my user.  My initial 4 ACLs were correct, and I also needed the "incident.*" for "read" access.  So with the 5 ACLs, and the update to the Business Rule, I was able to grant the single role "walkup_user" to the user and grant the access to see all incidents in the ESS view, and add "Additional Comments" to any incident record.  

Here are the ACLs I created...these all have no conditions, Role set to my "walkup_user" role, with no script.  I did not need to update any OOB ACLs.


Here's the updated code in the BR:

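// Restrict the query for interactive, non-itil users, except the Walk-up User
if (!gs.hasRole("itil") && gs.isInteractive() && gs.getUserID() != '0c1aa4d0db1c3f002b6a894d0b9619ab') { // sys_id for Walk-up User
    var u = gs.getUserID();
    // Only incidents where the user is the caller, the opener, or on the watch list
    var qc = current.addQuery("caller_id", u).addOrCondition("opened_by", u).addOrCondition("watch_list", "CONTAINS", u);
    gs.print("query restricted to user: " + u);
}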
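
The exemption logic from the Business Rule above, as an added example that is not part of the original post: it keys the kiosk exemption on the "walkup_user" role instead of the hard-coded sys_id, so it does not depend on the user record's sys_id being the same in every instance. `makeSession`, `makeQuery`, `restrictIncidentQuery`, `visibilityReport` and the sample user IDs are constructed stand-ins so the logic runs outside ServiceNow; inside an instance the platform supplies `gs` and `current`.

```javascript
// Constructed stand-ins for gs and current; only the calls the rule uses are modelled.
const KIOSK_ROLE = "walkup_user"; // role name from the post

function makeSession(userId, roles, interactive) {
  return {
    getUserID: () => userId,
    hasRole: (role) => roles.includes(role),
    isInteractive: () => interactive,
  };
}

function makeQuery() {
  const conditions = [];
  const q = {
    conditions,
    addQuery: (f, v) => (conditions.push([f, "=", v]), q),
    addOrCondition: (f, op, v) =>
      (conditions.push(v === undefined ? [f, "=", op] : [f, op, v]), q),
  };
  return q;
}

// Rule from the post, with the kiosk exemption keyed on role, not sys_id (assumption).
function restrictIncidentQuery(gs, current) {
  if (gs.hasRole("itil") || gs.hasRole(KIOSK_ROLE) || !gs.isInteractive()) {
    return false; // query left unrestricted
  }
  const u = gs.getUserID();
  current.addQuery("caller_id", u)
    .addOrCondition("opened_by", u)
    .addOrCondition("watch_list", "CONTAINS", u);
  return true; // narrowed to the user's own incidents
}

// Constructed sessions: which ones get a narrowed incident list?
function visibilityReport() {
  const sessions = {
    kiosk: makeSession("kiosk_id", [KIOSK_ROLE], true),
    agent: makeSession("agent_id", ["itil"], true),
    employee: makeSession("emp_id", [], true),
    integration: makeSession("svc_id", [], false),
  };
  const report = {};
  for (const [name, gs] of Object.entries(sessions)) {
    const current = makeQuery();
    report[name] = { restricted: restrictIncidentQuery(gs, current), conditions: current.conditions };
  }
  return report;
}
```

Only the ordinary employee session ends up with the caller/opener/watch-list filter; anyone holding the kiosk role sees every incident, so that role should stay assigned to the kiosk account alone.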


7 REPLIES 7

Do I need to edit the OOB ACLs to get my new ones to work?

In my sandbox instance where I did this first, I did not need to edit the OOB ones.  However I'm seeing that the "snc_internal" role is added by default to the "Walkup User" in my sandbox instance.  However in the client's instance I'm now looking to put this functionality, the "snc_internal" role doesn't exist at all.

Could this be an issue?

patricklatella
Mega Sage

Hi Edoardo,

I'm still struggling with this if you had any more suggestions.  One thing...would the OOB ACL that grants ITIL users the read access to the incident table be blocking my ACLs I created for my new role?  I was hoping to not have to edit this OOB ACL, but is this necessary to give my new "walkup_user" role the same read access to the incident table?
