Proposed change and ACLs

klautrup
Kilo Expert

Hi,

We only want to allow a few users having the 'asset' role direct access to create/update CIs in the CMDB.
So we have removed the 'itil' role from the cmdb_ci table's create, write and delete ACLs.

However, if a change assignee in the change records adds an 'Affected CI' and right-clicks it to select "Proposed Change" we would still like to allow the change assignee to update certain CIs.

'Proposed Change' is controlled by UI Action "Proposed Change" using this script:

function openFormDialog() {
    // Callback: receives the popup URL returned by the server and shows it in a modal
    var openProposedChange = function(answer) {
        var proposedChgOverlay = new GlideModal('ci_popup', false, 'modal-lg');
        proposedChgOverlay.setAutoFullHeight(true);
        proposedChgOverlay.setTitle(getMessage("Proposed change"));

        // When the modal closes, refresh the Affected CIs related list
        proposedChgOverlay.on('closeconfirm', function() {
            var listId = g_form.getTableName() + ".task_ci.task";
            var list = typeof GlideList2 !== "undefined" ? GlideList2.getByName(listId) : null;
            if (list == null)
                list = typeof GlideList !== "undefined" ? GlideList.get(listId) : null;
            if (list != null)
                list.refresh();
        });

        proposedChgOverlay.renderIframe(answer);
    };

    // Ask the server for the URL of the CI form for the selected Affected CI row
    var gaJax = new GlideAjax("ChangeCIAjaxProcessor");
    gaJax.addParam("sysparm_name", "getProposedChangeCIPopupURL");
    gaJax.addParam("sysparm_task_ci", rowSysId);
    gaJax.getXMLAnswer(openProposedChange);
}

However, I'm not able to find any 'UI Page' named "ci_popup".

Is there a way to create ACLs for certain CI classes/fields allowing for instance the 'itil' role create and write access, but only through the 'Proposed Change' pop-up window?

1 ACCEPTED SOLUTION

Gary Van Roy
ServiceNow Employee

Hopefully this helps

Issue: I created ACLs to limit who can write to the CMDB, but in doing so users who do not meet the ACL criteria cannot Propose a Change on a CI through Change Management.  The fields on the CI when using Propose Change functionality are now read only.

My suggestion as always is to log an Enhancement to make this a baseline option to override the ACLs for CMDB when using Propose Change. It is common to limit who can write to the CMDB, but we also want to allow users to be able to use the Propose Change functionality. Having the CMDB open to writing by anyone with the itil role is just an accident waiting to happen. Hence the need to update CMDB ACLs.

Long ago I figured this out by looking at what prevented the “Save Proposed Changes” UI Action from showing up on the CI forms. The condition on the UI Action uses a parameter to determine if the UI Action should be visible. Depending on your version it will either have “(RP.getParameterValue('sysparm_changeset') != '')” (old version), or “JSUtil.notNil(RP.getParameterValue("sysparm_changeset"))” (new version). When creating your ACLs for the CMDB try using one of those parameters when evaluating your ACL. If that parameter is passed through, then allow the user to write, otherwise enforce your ACLs. It worked for me in the past.

 


9 REPLIES


Brilliant Gary 🙂

Adding "JSUtil.notNil(RP.getParameterValue("sysparm_changeset"));" to the write ACL worked.

The userids in the ACL can then not directly update the record, but they are still allowed to "Save proposed changes" in a Change.

Regards,
Kristian
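
One way to combine the `sysparm_changeset` check from the accepted solution with the 'asset' and 'itil' roles from the question, as an added example that is not code from the thread or from ServiceNow. The function names and the `fakeGs`/`fakeRp` stand-ins are hypothetical and exist only so the logic runs outside an instance; a plain empty-value check stands in for `JSUtil.notNil`.

```javascript
// Added example: decision logic for a cmdb_ci write ACL script.
// Role names come from the thread; function names and stand-ins are hypothetical.

// True when the form was opened with a non-empty sysparm_changeset parameter,
// the same parameter the "Save Proposed Changes" UI Action condition tests.
function openedFromProposedChange(rp) {
  if (rp === null || typeof rp === 'undefined') return false; // no render context
  var value = rp.getParameterValue('sysparm_changeset');
  return value !== null && typeof value !== 'undefined' && String(value) !== '';
}

function cmdbWriteAllowed(gs, rp) {
  // Direct CMDB maintenance stays limited to the 'asset' role.
  if (gs.hasRole('asset')) return true;
  // 'itil' users get write access only on the Proposed Change form.
  return gs.hasRole('itil') && openedFromProposedChange(rp);
}

// In the ACL's script field this would be: answer = cmdbWriteAllowed(gs, RP);

// Constructed stand-ins for gs and RP so the logic can be exercised offline.
function fakeGs(roles) {
  return { hasRole: function (r) { return roles.indexOf(r) !== -1; } };
}
function fakeRp(params) {
  return {
    getParameterValue: function (name) {
      return Object.prototype.hasOwnProperty.call(params, name) ? params[name] : null;
    }
  };
}

function demo() {
  var withParam = fakeRp({ sysparm_changeset: 'constructed-changeset-id' });
  var noParam = fakeRp({});
  return {
    assetDirect: cmdbWriteAllowed(fakeGs(['asset']), noParam),
    itilDirect: cmdbWriteAllowed(fakeGs(['itil']), noParam),
    itilProposed: cmdbWriteAllowed(fakeGs(['itil']), withParam),
    noRoleProposed: cmdbWriteAllowed(fakeGs([]), withParam),
    itilNoRenderContext: cmdbWriteAllowed(fakeGs(['itil']), undefined)
  };
}
console.log(demo());
```

`sysparm_changeset` arrives with the request, so this condition narrows write access by context rather than authenticating it. Keeping the 'itil' role check in front of it bounds who can reach that branch.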

Hello,

I have the same requirement but my table and the field are in a different scope. Hence I couldn't use JSUtil.notNil(RP.getParameterValue("sysparm_changeset")). Is there any other way?

Thanks!

abhisheksolanki
Giga Contributor

It has been 4 years since this was posted and I am still scouring the community and internet for an answer to this indirect question from the OP -

However, I'm not able to find any 'UI Page' named "ci_popup".

 

Cuz such a popup does not exist. SN under the hood is opening a CI record view with additional UI actions enabled via a pre-configured view.

If you check cmdb_ci table's UI actions - you will see the "Save Proposed Change" among many others.