04-01-2019 09:22 AM
Hi everyone,
Need some guidance.
I modified the global UI (name: delete/comment: Deletes current record after confirmation) by adding the role ‘ITIL’.
Reason: To allow users to delete filters created by them, (current.user == gs.getUserID()) if they have the ITIL role.
Problem: Users are now able to delete records in tables such as Incident, Change, Problem, etc.
Current Work Around: I am manually creating ACLs so that users with the security-admin role are only allowed to delete records from the tables. However, there are 3000+ tables.
Does anyone know of a script that I can use to ease this process?
Thanks in advance.
04-18-2019 10:40 AM
MR,
You can accomplish this via background scripts, in a few steps.
**THE SCRIPTS BELOW MODIFY ACLS. THIS IS DANGEROUS AND CAN LEAD TO UNEXPECTED BEHAVIOR. ALL SCRIPTS MUST BE RUN WHILE ELEVATED TO SECURITY_ADMIN**
First, you will need to remove all roles from the global delete UI actions. They have a condition check in them for canDelete(), so we need to control this through ACLs.
Second, run a background script to remove all roles from any ACL where the operation is 'delete'. This will open up all delete ACLs since we are removing role requirements.
```javascript
// Step 2: strip every role requirement from every delete ACL.
// Run while elevated to security_admin. Until Step 3 runs, these
// delete ACLs carry no role condition at all.
var x = new GlideRecord('sys_security_acl');
x.addQuery('operation', 'delete');
x.query();
while (x.next()) {
    // Roles are linked to an ACL through the sys_security_acl_role mapping table.
    var y = new GlideRecord('sys_security_acl_role');
    y.addQuery('sys_security_acl', x.sys_id);
    y.query();
    while (y.next()) {
        y.deleteRecord();
    }
}
```
Third, we need to lock down the delete functions ACLs behind the security_admin role. This will apply that role to each ACL where the operation is 'delete':
```javascript
// Step 3: require security_admin on every delete ACL by inserting one
// ACL-to-role mapping per delete ACL. The sys_id below is the security_admin role.
var x = new GlideRecord('sys_security_acl');
x.addQuery('operation', 'delete');
x.query();
while (x.next()) {
    var y = new GlideRecord('sys_security_acl_role');
    y.initialize();
    y.sys_security_acl = x.sys_id;
    y.sys_user_role = 'b2d8f7130a0a0baa5bf52498ecaadeb4';
    y.insert();
}
```
Finally, we need to make sure admins can't override the ACL and delete records. We will need to go through all of the ACLs where the operation is 'delete' and set 'admin_overrides' to false:
```javascript
// Step 4: stop the admin role from bypassing the delete ACLs.
var x = new GlideRecord('sys_security_acl');
x.addQuery('operation', 'delete');
x.query();
while (x.next()) {
    x.admin_overrides = false;
    x.update();
}
```
Thanks!
Robbie
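After running the three scripts above there is no step that confirms the delete ACLs actually ended up in the intended state. The audit below is an added example, not Robbie's code or anything shipped with ServiceNow: it runs in plain JavaScript over constructed rows shaped like the two tables the scripts touch (sys_security_acl and sys_security_acl_role), and flags delete ACLs that still have no role, still allow admin override, or let itil delete outside the tables you meant it to. In an instance you would fill the two arrays from GlideRecord queries on those tables; the role sys_ids are placeholders.

```javascript
// Constructed sample rows (not real instance data). Role ids are placeholders.
const SECURITY_ADMIN_ROLE = 'ROLE_ID_SECURITY_ADMIN';
const ITIL_ROLE = 'ROLE_ID_ITIL';

// sys_security_acl: name is the table the ACL protects.
const acls = [
  { sys_id: 'acl1', name: 'incident',       operation: 'delete', admin_overrides: false },
  { sys_id: 'acl2', name: 'change_request', operation: 'delete', admin_overrides: true },
  { sys_id: 'acl3', name: 'problem',        operation: 'delete', admin_overrides: false },
  { sys_id: 'acl4', name: 'sys_filter',     operation: 'delete', admin_overrides: false },
  { sys_id: 'acl5', name: 'incident',       operation: 'read',   admin_overrides: true },
];
// sys_security_acl_role: one row per role attached to an ACL.
const aclRoles = [
  { sys_security_acl: 'acl1', sys_user_role: SECURITY_ADMIN_ROLE },
  { sys_security_acl: 'acl1', sys_user_role: ITIL_ROLE },
  { sys_security_acl: 'acl2', sys_user_role: SECURITY_ADMIN_ROLE },
  // acl3 has no role rows at all: the state Step 2 leaves behind if Step 3 never runs.
  { sys_security_acl: 'acl4', sys_user_role: ITIL_ROLE },
];

// Returns one finding per delete ACL that is still in a state the thread set out to
// remove. allowedItilTables lists tables where itil may legitimately delete.
function auditDeleteAcls(acls, aclRoles, allowedItilTables) {
  const rolesByAcl = new Map();
  for (const r of aclRoles) {
    if (!rolesByAcl.has(r.sys_security_acl)) rolesByAcl.set(r.sys_security_acl, new Set());
    rolesByAcl.get(r.sys_security_acl).add(r.sys_user_role);
  }
  const findings = [];
  for (const acl of acls) {
    if (acl.operation !== 'delete') continue;   // only delete ACLs are in scope
    const roles = rolesByAcl.get(acl.sys_id) || new Set();
    if (roles.size === 0) findings.push({ acl: acl.name, reason: 'no role required' });
    if (acl.admin_overrides) findings.push({ acl: acl.name, reason: 'admin_overrides still true' });
    if (roles.has(ITIL_ROLE) && !allowedItilTables.includes(acl.name)) {
      findings.push({ acl: acl.name, reason: 'itil can delete here' });
    }
  }
  return findings;
}

// With the sample rows this reports incident, change_request and problem; sys_filter is clean.
const findings = auditDeleteAcls(acls, aclRoles, ['sys_filter']);
findings.forEach(f => console.log(f.acl + ': ' + f.reason));
```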

04-18-2019 08:58 AM
Hi,
Why don't you undo all of that...and then add ITIL to the delete ACL (or create another actually...using the condition that created by is dynamic (aka me)) for the table that houses the filter records? Which I believe is sys_filter...?
Please mark reply as Helpful/Correct, if applicable. Thanks!
Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!
04-18-2019 10:49 AM
Thanks Allen for your suggestion.
04-18-2019 10:47 AM
Thanks Robbie for assisting me with my issue and finding a solution. Really appreciate your help and hard work. Thanks again.