How to build ACLs for variables in service catalog?

johannes5 · ‎01-28-2015

Hi ServiceNow Community Developers

I am trying to build an access control for variables in the requested item (sc_req_item) table. When I try this out I can see the oob fields but for variables all I see is 'variables' I cannot see the actual variable names that I would like to build acls around. Do you guys know how do I build an acl for each variable within the service catalogue. Please advise.

Thanks,

Johannes

randrews · ‎01-29-2015

SWEET that is easy there is a client script you can add that will lock do the variables down.. you can apply that script on both the Item and or task forms...

just wrap it in an if statement and only open it up if the user is the requested for and you are done!

http://www.servicenowguru.com/scripting/business-rules-scripting/variables-form-readonly/

obtw.. the beauty of locking down your variables this way is you apply one script to the TABLE and it gets all your variables for every item with no maintenance required.!

View solution in original post

johannes5 · ‎01-28-2015

Hi Doug,

I followed the advice you gave me above which i fully understand. The problem is still locking down the variables, All fields are locked down but the variables which appear under the Order Form section are still editable. If I can figure out out how to lock the variables I am all set.

Thanks,

Johannes

randrews · ‎01-29-2015

SWEET that is easy there is a client script you can add that will lock do the variables down.. you can apply that script on both the Item and or task forms...

just wrap it in an if statement and only open it up if the user is the requested for and you are done!

http://www.servicenowguru.com/scripting/business-rules-scripting/variables-form-readonly/

obtw.. the beauty of locking down your variables this way is you apply one script to the TABLE and it gets all your variables for every item with no maintenance required.!

johannes5 · ‎01-30-2015

Hi Doug,

Thank you so much for all your help, yes its working perfectly. I could either the business rule or the script but I settled for the script. BTW i opened a hi tickwt on this issue requesting the vendor's help but they confirm to me that it is not possible to write an ACL to lock down variables which means there is currently no platform tools to do this except to script. Once again thank you very much for your help:

Here is the script that worked for me (this should only be processed on Self Service portal for unlicensed users) :

function onLoad() {

var viewName = g_form.getParameter('view');

if (viewName != 'ess') { // only continue processing for ESS portal

return;

}

var yesRole = g_user.hasRoles();

if (yesRole) { // no further processing for process users

return;

}

var requestedFor = g_form.getValue('requested_for');

var userId = g_user.userID;

if (userId != requestedFor) { // end user can change variables for his / her requested item

try {

//Get the 'Variables' section

var ve = $('variable_map').up('table');

//Disable all elements within with a class of 'cat_item_option'

ve.select('.cat_item_option', '.slushselectmtm', '.questionsetreference').each(function(elmt){

elmt.disabled = true;

});

//Remove any reference or calendar icons

ve.select('img[src*=reference_list.gifx]', 'img[src*=small_calendar.gifx]').each(function(img){

img.hide();

});

//Hide list collector icons

ve.select('img[src*=arrow]').each(function(img){

img.up('table').hide();

});

}

catch(e){}

}

danandrews · ‎02-19-2015

Hello Sir -

I'm looking to do lock down all variables on the task form unless the user is in the assignment group of the task. It looks like you know a why do do that. Is that something you can share with me? Oh and good last name

Dan

randrews · ‎02-19-2015

sure we currently do that as a two step process..... first you have to pass in IF they are a member of the assigned to group and then a client script to lock down the variables both will run on the catalog task table <this leaves items as is>... as a note we also added a field to the requested item table, a check box to allow edits after submission.. .we did this so we can control which items are allowed to be edited at the catalog task view and which aren't... <we have a large existing catalog of items>

if you do NOT want to do that part take out the references to request_item.cat_item.u_allow_edit_after_order,,

also keep in mind you need to review the items and enable the client scripts and policies on the task form so it will appear properly and thouroughly test that it isn't resetting anything on load of the task form when you do so.

__________to the meat______________

to tell if they are a member you need to run an on display br with the following script

g_scratchpad.isMember = gs.getUser().isMemberOf(current.assignment_group);

g_scratchpad.allow = current.request_item.cat_item.u_allow_edit_after_order;

_____________________________________

next you need to run an onload client script.. i have modified the script off of the guru page to allow us to do this...

function onLoad(){

if ((g_scratchpad.isMember && g_scratchpad.allow == 'true')||(g_user.hasRole('admin') && g_scratchpad.allow == 'true'))

{

return;

}

else

{

//Get the 'Variables' section

var ve = $('variable_map').up('table');

//Disable all elements within with a class of 'cat_item_option'

ve.select('.cat_item_option', '.slushselectmtm', '.questionsetreference').each(function(elmt){

//Special handling to allow scroll/copy in textarea and fix lost date on save issue

if((elmt.tagName.toLowerCase() == 'textarea') || (elmt.tagName.toLowerCase() == 'input' && elmt.type.toLowerCase() == 'text')){

elmt.readOnly = true;

}

//Everything else gets disabled

else{

elmt.disabled = true;

}

});

//Remove any reference or calendar icons

ve.select('img[src*=reference_list.gifx]', 'img[src*=small_calendar.gifx]').each(function(img){

img.hide();

});

//Hide list collector icons

ve.select('img[src*=arrow]').each(function(img){

img.up('table').hide();

});

}