Non itil users can't see a list of groups on a catalogue item

LyndseySharpe
Tera Contributor

‎01-13-2023 07:49 AM

Hi all,

I have a catalogue variable on an item which is just a simple reference field to the group table. It just shows a list of all the groups we have, allowing someone to select a group from the list. However, non itil users cannot see this list - when clicking on the dropdown they get 'no matches found'. I have tried making all read ACLs on the sys_user_group table inactive, no luck. I've also tried creating a new ACL (leaving all the others deactivated) so that everyone can see the group table - I have done this by giving access to a role we have, snc_internal. The snc_internal role is given to everyone at our company, so this should fix the issue - however, it doesn't. I've also tried checking for UI policies, business rules and client scripts. I've found nothing that sets this field to only be visible to ITIL users. What am I missing?

 

LyndseySharpe_0-1673624978270.png

 

0 Helpfuls
  • 1,137 Views
16 REPLIES 16

DrewW
Mega Sage
Mega Sage

‎01-13-2023 08:19 AM

If you have the default denie ACL's enabled removing all of the Read ACL's will not help.  You need to add a Read ACL that has no roles and no condition to the sys_user_group table.  To the script field add 

gs.isLoggedIn()

 

To be sure you can enable Debug Security and then impersonate one of the users having the issue and see what the security debugging shows you.

0 Helpfuls

LyndseySharpe
Tera Contributor
In response to DrewW

‎01-13-2023 08:45 AM

Hiya, yes I tried that, created an ACL with no roles. That was also one of the first things I did, I forgot to mention that. However, whenever I put no role in, our system just forces the snc_internal role. I created one without a role and pressed save, it then just added the snc_internal. I then deleted the snc_internal and pressed save, and it just added it back! It's so unbelievably frustrating. I recently started at this company in August and man their ServiceNow is over complicated!

0 Helpfuls

DrewW
Mega Sage
Mega Sage
In response to LyndseySharpe

‎01-13-2023 08:57 AM

The system is adding snc_internal probably because CSM is installed and external people can login.  Having the role snc_internal on the ACL is fine and is not going to hurt anything.  If you need external people to see the records then just add the snc_external role also.

 

Sounds like you need to debug security and also check the BR's for any query rules.

 

0 Helpfuls

LyndseySharpe
Tera Contributor
In response to DrewW

‎01-13-2023 09:12 AM

Ah yes we do have CSM installed. I wondered if that was a CSM role, but no one in my work could answer the question! Thanks. I'll try and do some more digging.

0 Helpfuls

Sagar Pagar
Tera Patron

‎01-13-2023 09:05 AM

Hi @LyndseySharpe,

Please check read ACL and Query Business rule on Group [sys_user_group] table.

 

If there is no Read ACL or inactive Read ACL. then create a Read ACL and keep role as empty. It will show lists for all users.

 

Thanks,

Sagar Pagar

The world works with ServiceNow
0 Helpfuls