How to fetch read roles of tables

parth2922
Tera Contributor

Hey everyone, I want to fetch the read role of a table. For example, in the case of "incident", the read role is "sn_incident_read"; in the case of "change_request", the read role is "sn_change_read".

I have tried with "sys_security_acl_role" with operation read.

acl_url = f"{instance_url}/api/now/table/sys_security_acl_role"
# Filter on the ACL's operation and on the table name (passed as a string)
params = {"sys_security_acl.operation": "read", "sys_security_acl.name": "incident"}

But it gives the roles below:

ml_report_user
ml_admin
itil
sn_incident_read

 

So, I checked, and a user with the ml_report_user and ml_admin roles cannot read the incident table. So, am I missing something? Or does anyone know how to fetch only the read role?

4 REPLIES

Ankur Bawiskar
Tera Patron

@parth2922 

Just having the role is not enough. The ACL might have some condition or advanced script.

Unless the user satisfies all 3, i.e. role, condition and script, access won't be given.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

parth2922
Tera Contributor

Hi @Ankur Bawiskar, as far as I know, conditions and scripts are used for record-level permissions, right? Currently I am trying to find the role with which the user can access the whole table, and for ml_admin and ml_report_user I have checked that the ACL does not have any condition or script; still, a user with ml_admin and ml_report_user does not have access to the incident.


@parth2922 

Nope, your understanding is wrong.

Whenever a table-level READ ACL is evaluated, everything is evaluated, i.e. role, condition and script (if any).

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

Okay, got it. But do you know why the user with the above ml_admin and ml_read_role does not have access to the incident? There is no condition or script associated with it. Or do you have any idea how we can fetch a list of users who have access to the specific table?
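
An added example, not code from any poster in this thread: since a read ACL is evaluated on role, condition and script together, the sketch below requests the ACL's condition and script alongside each role row and separates roles on role-only ACLs from roles on gated ACLs. The dot-walked field names in `FIELDS`, the `"true"` string for booleans, the `demo_*` role names and the sample rows are assumptions constructed for illustration.

```python
# Added example: split roles attached to a table's read ACLs by whether the ACL
# also carries a condition or script. Field names below are assumptions.
FIELDS = [
    "sys_user_role.name",
    "sys_security_acl.name",
    "sys_security_acl.active",
    "sys_security_acl.condition",
    "sys_security_acl.script",
]

def build_params(table):
    """Query parameters for /api/now/table/sys_security_acl_role (filters as in the post)."""
    return {
        "sys_security_acl.operation": "read",
        "sys_security_acl.name": table,
        "sysparm_fields": ",".join(FIELDS),
    }

def classify(rows):
    """Return (role_only, gated) sorted role-name lists, using active ACLs only."""
    role_only, gated = set(), set()
    for row in rows:
        if row.get("sys_security_acl.active") != "true":
            continue  # an inactive ACL is skipped
        has_gate = any((row.get(f) or "").strip()
                       for f in ("sys_security_acl.condition", "sys_security_acl.script"))
        (gated if has_gate else role_only).add(row["sys_user_role.name"])
    # A role counts as role-only if at least one of its ACLs has no extra gate.
    return sorted(role_only), sorted(gated - role_only)

# Constructed sample shaped like the Table API "result" list (not real instance data).
SAMPLE_ROWS = [
    {"sys_user_role.name": "sn_incident_read", "sys_security_acl.name": "incident",
     "sys_security_acl.active": "true", "sys_security_acl.condition": "",
     "sys_security_acl.script": ""},
    {"sys_user_role.name": "demo_report_role", "sys_security_acl.name": "incident",
     "sys_security_acl.active": "true", "sys_security_acl.condition": "active=true^EQ",
     "sys_security_acl.script": ""},
    {"sys_user_role.name": "demo_script_role", "sys_security_acl.name": "incident",
     "sys_security_acl.active": "true", "sys_security_acl.condition": "",
     "sys_security_acl.script": "answer = gs.hasRole('demo_script_role');"},
    {"sys_user_role.name": "demo_old_role", "sys_security_acl.name": "incident",
     "sys_security_acl.active": "false", "sys_security_acl.condition": "",
     "sys_security_acl.script": ""},
]

if __name__ == "__main__":
    print(classify(SAMPLE_ROWS))
```

A role in the first list only shows that one matching ACL has no condition or script; it does not by itself establish that the role is sufficient to read the table.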