
Is there a script that will add the security_admin role to all ACLs with the delete operation?

MR16
Giga Expert

Hi everyone,

Need some guidance.

I modified the global UI (name: delete/comment: Deletes current record after confirmation) by adding the role ‘ITIL’.

Reason: To allow users to delete filters created by them, (current.user == gs.getUserID()) if they have the ITIL role.

Problem: Users are now able to delete records in tables such as Incident, Change, Problem, etc.

Current Work Around: I am manually creating ACLs so that users with the security_admin role are only allowed to delete records from the tables. However, there are 3000+ tables.

Does anyone know of a script that I can use to ease this process?

Thanks in advance.


1 ACCEPTED SOLUTION

Robbie Lacivita
Tera Guru

MR,


You can accomplish this via background scripts, in a few steps.


**THE SCRIPTS BELOW MODIFY ACLS. THIS IS DANGEROUS AND CAN LEAD TO UNEXPECTED BEHAVIOR. ALL SCRIPTS MUST BE RUN WHILE ELEVATED TO SECURITY_ADMIN**


First, you will need to remove all roles from the global delete UI actions. They have a condition check in them for canDelete(), so we need to control this through ACLs.

Second, run a background script to remove all roles from any ACL where the operation is 'delete'. This will open up all delete ACLs since we are removing role requirements.

// Step 2: strip every role from every ACL whose operation is 'delete'.
// Run elevated to security_admin. After this, delete ACLs have no role
// requirement at all until step 3 re-adds security_admin.
var x = new GlideRecord('sys_security_acl');
x.addQuery('operation', 'delete');
x.query();
while (x.next()) {
   // sys_security_acl_role is the m2m table linking ACLs to roles
   var y = new GlideRecord('sys_security_acl_role');
   y.addQuery('sys_security_acl', x.sys_id);
   y.query();
   while (y.next()) {
      y.deleteRecord();
   }
}


Third, we need to lock down the delete function's ACLs behind the security_admin role. This will apply that role to each ACL where the operation is 'delete':

// Step 3: attach the security_admin role to every 'delete' ACL.
// The sys_id below is the security_admin role record on the instance.
var x = new GlideRecord('sys_security_acl');
x.addQuery('operation', 'delete');
x.query();
while (x.next()) {
   var y = new GlideRecord('sys_security_acl_role');
   y.initialize();
   y.sys_security_acl = x.sys_id;
   y.sys_user_role = 'b2d8f7130a0a0baa5bf52498ecaadeb4';
   y.insert();
}

Finally, we need to make sure admins can't override the ACL and delete records. We will need to go through all of the ACLs where the operation is 'delete' and set 'admin_overrides' to false:

// Step 4: stop the admin role from bypassing the delete ACLs.
var x = new GlideRecord('sys_security_acl');
x.addQuery('operation', 'delete');
x.query();
while (x.next()) {
   x.admin_overrides = false;
   x.update();
}


Thanks!

Robbie

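A read-only audit to run after the three scripts above, added here as an example and not part of the accepted answer. It lists every 'delete' ACL that still has no role, carries a role other than security_admin, or still allows admin override, so the result of the change can be verified (and re-checked after upgrades) without modifying anything. The check itself works on plain records so it can be exercised outside an instance; the GlideRecord collector only runs where GlideRecord exists, and the role sys_id is the one from the answer.

```javascript
// sys_id of the security_admin role, as used in the accepted answer
var SECURITY_ADMIN_ROLE = 'b2d8f7130a0a0baa5bf52498ecaadeb4';

// Pure check over plain records:
//   acls: [{ name, admin_overrides, roles: [roleSysId, ...] }, ...]
// Returns one finding per problem; an empty array means every delete ACL
// is locked to security_admin with admin override disabled.
function auditDeleteAcls(acls, roleId) {
  var findings = [];
  for (var i = 0; i < acls.length; i++) {
    var acl = acls[i];
    var roles = acl.roles || [];
    if (roles.length === 0) {
      // no role on a delete ACL means anyone who passes the condition may delete
      findings.push({ acl: acl.name, issue: 'no role required' });
    }
    for (var j = 0; j < roles.length; j++) {
      if (roles[j] !== roleId) {
        findings.push({ acl: acl.name, issue: 'unexpected role ' + roles[j] });
      }
    }
    if (acl.admin_overrides) {
      findings.push({ acl: acl.name, issue: 'admin_overrides still true' });
    }
  }
  return findings;
}

// Collector for a real instance: reads every 'delete' ACL and its roles.
function collectDeleteAcls() {
  var out = [];
  var acl = new GlideRecord('sys_security_acl');
  acl.addQuery('operation', 'delete');
  acl.query();
  while (acl.next()) {
    var roles = [];
    var r = new GlideRecord('sys_security_acl_role');
    r.addQuery('sys_security_acl', acl.getUniqueValue());
    r.query();
    while (r.next()) roles.push(r.getValue('sys_user_role'));
    var ov = String(acl.admin_overrides);
    out.push({ name: acl.getValue('name'), admin_overrides: ov == 'true' || ov == '1', roles: roles });
  }
  return out;
}

// Only touch the platform API when running as a ServiceNow background script
if (typeof GlideRecord !== 'undefined') {
  var found = auditDeleteAcls(collectDeleteAcls(), SECURITY_ADMIN_ROLE);
  gs.info('delete ACL audit: ' + found.length + ' finding(s)');
  for (var k = 0; k < found.length; k++) gs.info(found[k].acl + ': ' + found[k].issue);
}
```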
