Proposed Change and ACLs

klautrup
Kilo Expert

Hi,

We only want to allow a few users having the 'asset' role direct access to create/update CIs in the CMDB.
So we have removed the 'itil' role from the cmdb_ci table's create, write and delete ACLs.

However, if a change assignee adds an 'Affected CI' to a change record and right-clicks it to select "Proposed Change", we would still like to allow the change assignee to update certain CIs.

'Proposed Change' is controlled by the UI Action "Proposed Change", which uses this script:

function openFormDialog() {
    // Callback invoked with the URL returned by the server-side ChangeCIAjaxProcessor.
    // It opens that URL in a modal and refreshes the Affected CIs related list when
    // the modal closes, so the proposed change shows up on the change record.
    var openProposedChange = function(answer) {
        // 'ci_popup' is the modal's element id, not the name of a UI Page; the
        // content of the pop-up comes from the URL passed to renderIframe() below.
        var proposedChgOverlay = new GlideModal('ci_popup', false, 'modal-lg');
        proposedChgOverlay.setAutoFullHeight(true);
        proposedChgOverlay.setTitle(getMessage("Proposed change"));
        proposedChgOverlay.on('closeconfirm', function() {
            // Find the task_ci related list on the current form (GlideList2 on
            // older UIs, GlideList on newer ones) and refresh it.
            var listId = g_form.getTableName() + ".task_ci.task";
            var list = typeof GlideList2 !== "undefined" ? GlideList2.getByName(listId) : null;
            if (list == null)
                list = typeof GlideList !== "undefined" ? GlideList.get(listId) : null;
            if (list != null)
                list.refresh();
        });
        proposedChgOverlay.renderIframe(answer);
    };

    // Ask the server for the pop-up URL for this task_ci row. rowSysId is the
    // sys_id of the right-clicked related-list row; the platform supplies it to
    // list context-menu UI actions, which is why it is not declared here.
    var gaJax = new GlideAjax("ChangeCIAjaxProcessor");
    gaJax.addParam("sysparm_name", "getProposedChangeCIPopupURL");
    gaJax.addParam("sysparm_task_ci", rowSysId);
    gaJax.getXMLAnswer(openProposedChange);
}

However, I'm not able to find any 'UI Page' named "ci_popup".

Is there a way to create ACLs for certain CI classes/fields allowing, for instance, the 'itil' role create and write access, but only through the 'Proposed Change' pop-up window?

1 ACCEPTED SOLUTION

Gary Van Roy
ServiceNow Employee

Hopefully this helps

Issue: I created ACLs to limit who can write to the CMDB, but in doing so users who do not meet the ACL criteria cannot Propose a Change on a CI through Change Management.  The fields on the CI when using Propose Change functionality are now read only.

My suggestion as always is log an Enhancement to make this a baseline option to override the ACLs for CMDB when using Propose Change.  It is common to limit who can write to the CMDB, but we also want to allow users to be able to use the Propose Change functionality.  Having the CMDB open to writing by anyone with the itil role is just an accident waiting to happen.  Hence the need to update CMDB ACLs.

Long ago I figured this out by looking at what prevented the "Save Proposed Changes" UI Action from showing up on the CI forms. The condition on the UI Action uses a parameter to determine if the UI Action should be visible. Depending on your version it will either have "RP.getParameterValue('sysparm_changeset') != ''" (old version) or "JSUtil.notNil(RP.getParameterValue("sysparm_changeset"))" (new version). When creating your ACLs for the CMDB, try using one of those parameters when evaluating your ACL. If that parameter is passed through, then allow the user to write; otherwise enforce your ACLs. It worked for me in the past.

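The ACL condition the accepted answer describes, written out as an added example (this is not code from the thread or from ServiceNow). It is the script body of a write ACL on cmdb_ci: 'asset' users keep full write access, 'itil' users get it only when the request carries sysparm_changeset, which the Proposed Change pop-up puts on its URL. In the platform the script reads the globals RP (request parameters) and gs (session roles); here they are passed in through a small context object so the decision logic can be run outside ServiceNow. The names cmdbWriteAllowed, makeContext and isNil are this example's own; the role names and the parameter name come from the thread.

```javascript
// Added example: ACL decision logic for a cmdb_ci write ACL, modelled on the
// accepted answer. Platform globals are injected via `ctx` so this runs locally:
//   ctx.hasRole(role)   -> boolean        (gs.hasRole(role) in ServiceNow)
//   ctx.getParam(name)  -> string | null  (RP.getParameterValue(name) in ServiceNow)

function isNil(value) {
  // Same test as JSUtil.nil(): null, undefined, or an empty/whitespace string.
  return value === null || value === undefined || String(value).trim() === '';
}

function cmdbWriteAllowed(ctx) {
  // Users with the 'asset' role may always write to the CMDB.
  if (ctx.hasRole('asset')) {
    return true;
  }
  // 'itil' users may write only when the form was reached through the Proposed
  // Change pop-up, which passes sysparm_changeset on the URL.
  if (ctx.hasRole('itil') && !isNil(ctx.getParam('sysparm_changeset'))) {
    return true;
  }
  // Everyone else falls through to deny.
  return false;
}

// Stand-in for the platform objects so the rule can be exercised outside
// ServiceNow. `roles` is an array of role names, `params` a plain object of
// request parameters (both constructed test input, not real session data).
function makeContext(roles, params) {
  return {
    hasRole: function (role) {
      return roles.indexOf(role) !== -1;
    },
    getParam: function (name) {
      return Object.prototype.hasOwnProperty.call(params, name) ? params[name] : null;
    }
  };
}

// In the actual ACL script the body reduces to:
//   answer = cmdbWriteAllowed({
//     hasRole:  function (r) { return gs.hasRole(r); },
//     getParam: function (n) { return RP.getParameterValue(n); }
//   });
```

One caveat a practitioner should weigh before adopting this: sysparm_changeset is a URL parameter, so it is under the user's control. An ACL keyed on it gates the normal UI path, which is what the thread asks for, but any 'itil' user who appends that parameter to a CI form URL gets the same write access. Treat it as a usability measure rather than a hard boundary; a boundary would have to be checked against server-side data, not a request parameter.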

Chuck Tomasi
Tera Patron

Hi Kristian,

The approach I would take is to update the Condition on the UI action to check if you have write access to the target CI.

The proposed changes are stored in an XML field on the task_ci table. Your UI action should only appear if the user has access to task_ci.ci_item. Your condition on the UI action could be current.ci_item.canWrite().

No guarantees, but that's where I would start.

Hi Chuck,

Thank you, but that was not what I meant.

The 'itil' role already has access to task_ci, and a user with the 'itil' role who right-clicks the 'Affected CI' in the Change record is able to see the UI Action "Proposed Change":

[screenshot not included]

However, since we have removed the 'itil' role from the cmdb_ci create+write ACLs, users with the 'itil' role are, as intended, no longer able to edit any CIs directly (e.g. a user with the 'itil' role can no longer edit a server CI in cmdb_ci_server):

[screenshot not included]

But we would still like to somehow allow those users with the 'itil' role to edit some CIs when doing it from the pop-up page triggered by the 'Proposed Change' UI Action:

[screenshot not included]

As you can see, although the 'Save Proposed Change' button is still visible, the 'itil' user does not have rights to update any fields on the CI.

My hope is that there is some way to control this using ACLs?


Thanks for the clarification Kristian.

I understand the problem now, but don't have any direct info for you. I'll be interested to see if someone else comes up with something.

Ideally, you need to find out if you are viewing that record directly, or via the popup from the UI action. I suspect there is a way to detect that, but don't know the details at this time. If I learn anything, I'll keep you posted.

klautrup
Kilo Expert

Nobody having a suggestion how to achieve this?