How to Disable Activity Stream Mentions in Helsinki

Nia McCash
Mega Sage

Is there any way to disable Activity stream mentions in Helsinki? It's a bit of a security hazard for us as we do not want users/requesters to be able to browse the entire ServiceNow users list just by experimenting with the @ mentions. Currently, they can see the users' full names and not much else, but we would still like to be able to limit this ability.

1 ACCEPTED SOLUTION

LaurentChicoine
Tera Guru

Hi Nia,

I don't know any official way to disable it, but you can prevent the query on your user table coming from this API with a Before Query business rule.

    (function executeRule(current, previous /*null when async*/) {
        try {
            // Only filter when the request comes from the @ mention lookup API
            if (GlideTransaction.get().URL.startsWith('/api/now/form/mention/record/')) {
                current.addNullQuery('sys_id'); // All records have a sys_id so we are filtering out all records
            }
        } catch (e) {
            // Errors are ignored, so the query then runs unfiltered
        }
    })(current, previous);

You could even have some conditions, like role conditions to allow specific roles to do mentions, or even add a query based on specific criteria, like a user can see users from his own department or something like that. However, this Business rule will make the @ mention look like a broken feature if no users are available.

Warning: GlideTransaction is an undocumented Java object; ServiceNow could decide to retire it or to change its behavior without any notice.
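
Added example, not part of the post above: the role and department conditions the answer mentions, written as a plain function so the decision can be exercised outside the instance. The role name `mention_user`, the function names and the `fakeQuery` stand-in are assumptions made for illustration; the mention path is the one from the answer.

```javascript
// Added example: plain ES5 so the same function body can be pasted into the rule.
var MENTION_PATH = '/api/now/form/mention/record/'; // path from the answer above
var MENTION_ROLE = 'mention_user';                  // hypothetical role name

// url:          request path (GlideTransaction.get().URL in the rule)
// hasRole:      function(roleName) -> boolean (gs.hasRole in the rule)
// departmentId: caller's department sys_id, '' if none
// query:        object with addQuery/addNullQuery (the rule's `current`)
// Returns which branch was taken so the decision can be logged or tested.
function restrictMentionQuery(url, hasRole, departmentId, query) {
    // String() because the URL may arrive as a Java string; indexOf works on ES5.
    if (String(url).indexOf(MENTION_PATH) !== 0) {
        return 'untouched';            // not a mention lookup: leave the query alone
    }
    if (hasRole(MENTION_ROLE)) {
        return 'allowed';              // privileged callers see every user
    }
    if (departmentId) {
        query.addQuery('department', String(departmentId));
        return 'department';           // only users in the caller's department
    }
    query.addNullQuery('sys_id');      // same "match nothing" filter as the answer
    return 'blocked';
}

// Constructed stand-in for a GlideRecord that records the filters applied.
function fakeQuery() {
    var calls = [];
    return {
        calls: calls,
        addQuery: function (field, value) { calls.push(field + '=' + value); },
        addNullQuery: function (field) { calls.push(field + 'ISEMPTY'); }
    };
}

// Wiring inside the Before Query rule on sys_user (sketch, ServiceNow only):
//   try {
//       restrictMentionQuery(GlideTransaction.get().URL,
//           function (r) { return gs.hasRole(r); },
//           gs.getUser().getDepartmentID(), current);
//   } catch (e) { /* as in the answer: an error leaves the query unfiltered */ }
```

A caller with neither the role nor a department gets the same empty result as in the answer, so the @ mention box still looks broken for those users.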



24 REPLIES



Thanks for the workaround, though it does seem a bit messy/carries some risks, but this does give us options.


Thank you for the workaround. It was presented to us by Hi as a solution to a problem I would have preferred to be asked about before implementation.


If you have an ACL on the user table, does this "mention" skip the ACL on the user table?



//Göran