‎01-07-2022 07:01 AM
I have created a table, 'BDContacts', by extending the USER table, and have a custom role, e.g. BD, with ACL set to create, read and write. The NEW button is displayed for the BD role to add a record, and the form opens read-only. With the user_admin role assigned to the BD role, BD can insert a record into this table, but this enables User Administration for the BD role.
We want the BD role to be able to create a record in the BDContacts table without granting the user_admin role to the BD role. How can we accomplish this? Is there another permission that will allow us to meet the requirement?
‎01-07-2022 10:06 AM
Hi mkm
In your scenario two base concepts come into play:
- Due to security reasons, access to a table without any ACLs is not allowed.
- If a child table has no ACLs then the parent's ACLs are checked.
The solution is to set explicit ACLs on the child tables - either by introducing a custom role or returning "true" for the answer at script field.
But be careful. The role "user_admin" is chargeable, and I don't believe that you can bypass that license restriction just by creating a child table of sys_user. Please check that with your responsible ServiceNow Sales rep.
Kind regards
Maik
‎01-07-2022 10:56 AM
Hi Maik,
Thanks for your suggestions.
Explicit ACLs on the child tables without assigning the user_admin role to the custom role do not work. I guess I have to check with the Sales Rep.
Thanks
MKM
‎01-08-2022 02:17 AM
Hi
You can check with the help of the following articles which ACLs prevent certain access to your extended table: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0523743
Kind regards
Maik
‎01-08-2022 03:29 AM
Hi,
Please find the steps below to achieve your requirement:
I tried replicating the structure of your custom table in my PDI by extending a custom table from User. There are OOB ACLs written on individual fields of the User table which become available from the User table to your custom table, for example First Name. Below is a screenshot of the OOB ACL present on the User table for First Name, which checks for the roles admin/user_admin/itil:
To provide access to the fields you want (consider First Name only), you need to create a write-operation field-level ACL on your custom table and give the role as your custom role to allow users to write to that field, as shown below:
Result:
First Name now has Write access for your custom Role:
Hope this helps. Please mark the answer as correct/helpful based on impact.
Regards,
Shloke
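An added example, not part of the original thread and not ServiceNow's own code: a simplified JavaScript model of the two points made in the replies (a child table with no matching ACL falls back to the parent's ACLs, and the write ACL on the User table's First Name field applies to the extended table until that table defines its own field-level ACL). The rule objects, the column name `first_name`, the roles on the `sys_user` table rule, and all helper names are assumptions made for illustration.

```javascript
// Simplified model of the behaviour described in this thread; not ServiceNow's ACL engine.
// Table names and roles follow the thread; the rule objects below are constructed.
const PARENT = { BDContacts: "sys_user" };

function baseRules() {
  return [
    { name: "BDContacts", op: "create", roles: ["BD"] },
    { name: "BDContacts", op: "read", roles: ["BD"] },
    { name: "BDContacts", op: "write", roles: ["BD"] },
    { name: "sys_user", op: "write", roles: ["admin", "user_admin"] }, // constructed
    { name: "sys_user.first_name", op: "write", roles: ["admin", "user_admin", "itil"] },
  ];
}

// Walk from the table up through its parents and return the rules found on the
// first level that has any for this operation (child rules shadow the parent's).
function matchingRules(rules, table, op, field) {
  for (let t = table; t; t = PARENT[t]) {
    const name = field ? `${t}.${field}` : t;
    const hits = rules.filter((r) => r.name === name && r.op === op);
    if (hits.length) return hits;
  }
  return [];
}

function passes(rules, userRoles) {
  return rules.some((r) => r.roles.some((role) => userRoles.includes(role)));
}

// Table check: default deny when no rule matches on the table or its parents.
function canTable(rules, userRoles, table, op) {
  return passes(matchingRules(rules, table, op, null), userRoles);
}

// Field check: the table rule must pass, and so must any field rule that matches.
function canField(rules, userRoles, table, field, op) {
  if (!canTable(rules, userRoles, table, op)) return false;
  const fieldRules = matchingRules(rules, table, op, field);
  return fieldRules.length === 0 || passes(fieldRules, userRoles);
}

const before = baseRules();
// The fix from the accepted answer: a write ACL on the child table's own field.
const after = [...before, { name: "BDContacts.first_name", op: "write", roles: ["BD"] }];

console.log("BD create on BDContacts:", canTable(before, ["BD"], "BDContacts", "create"));
console.log("BD write first_name, inherited field ACL only:",
  canField(before, ["BD"], "BDContacts", "first_name", "write"));
console.log("BD write first_name, with child field ACL:",
  canField(after, ["BD"], "BDContacts", "first_name", "write"));
```

In this model the BD role passes the table-level create check but fails the field-level write check until the child table carries its own rule for the field, which matches the read-only form described in the question.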