"Admin overrides" checkbox not working

Tim34
Tera Contributor
We have an ACL on the sa_pattern table to only allow read if the user has the pd_admin role. However, we don't want users to be able to read from this table EVEN if they have admin; they have to specifically have pd_admin. We have unchecked the "Admin overrides" checkbox, but users with the admin role can still see the sa_pattern table even if they do not have pd_admin. So I learned more about this, and came to find that the admin role oftentimes passes role checks, and adding a role such as pd_admin is not enough to prevent admin users from accessing specific data. So what I found is you could put in a script such as this, which specifically says if the user does NOT have admin, but has pd_admin, return true, otherwise return false:
 
// ACL script: allow only when the user has pd_admin and does NOT have admin
if (!gs.hasRole('admin') && gs.hasRole('pd_admin')) {
    answer = true;
} else {
    answer = false;
}
 
This works only if the user that has pd_admin also does not have admin. However, for our use case, we will sometimes have admins that also explicitly have pd_admin, and they should be able to see the sa_pattern table. We want this access solely driven off of pd_admin, regardless of whether they have admin or not.

We also looked into the "High-Security Settings" plugin and set the 'glide.security.admin.override.accessterm' system property to 'true', but this did not work either.
 
Does anyone know how to do this? It seems like we are only able to get this to work if we explicitly say the user cannot have admin, but must have pd_admin, but as stated this does not fit our use case.
 
Any help on this would be greatly appreciated, as we have now spent a lot of time on this.
 
Thanks
1 ACCEPTED SOLUTION

Hi Tim,

After Aman's answer, I just realized that hasRoleExactly is not available at server side script.

You could try the script below instead:


var grRole = new GlideRecord("sys_user_has_role");
// 79f6671b0a0a0b8f00481621488887ff -> change this sys_id to the sys_id of the pd_admin role.
// I would suggest storing the sys_id in a system property and reading it here,
// as hard-coding a sys_id is not ServiceNow best practice.
grRole.addQuery("role", "79f6671b0a0a0b8f00481621488887ff");
grRole.addQuery("user", gs.getUserID());
grRole.setLimit(1); // we only need to know whether at least one row exists
grRole.query();
if (grRole.next()) {
    answer = true;
} else {
    answer = false;
}

Let me know if you have any further queries.

Please mark this as Correct or Helpful if it helps.

Thanks and Regards,
Abhijit
Community Rising Star 2022

By marking my response as correct or helpful, you contribute to helping future readers with similar issues.
Regards,
Abhijit
ServiceNow MVP


4 REPLIES

Abhijit4
Mega Sage

Hi Tim,

The condition 'gs.hasRole('pd_admin')' always returns true for admin users; that is the reason your script is failing.

Please try the code below instead:

if (gs.hasRoleExactly('pd_admin')) {
    answer = true;
} else {
    answer = false;
}

Let me know if you have any further queries.

Please mark this as Correct or Helpful if it helps.

Thanks and Regards,
Abhijit
Community Rising Star 2022

By marking my response as correct or helpful, you contribute to helping future readers with similar issues.
Regards,
Abhijit
ServiceNow MVP


Tim34
Tera Contributor

This does the trick! I thought I had done something similar before, but didn't have it working. This definitely works though. Thank you

Aman Kumar S
Kilo Patron

Hey, 

Understood your query.

This is the limitation/challenge with the hasRole function. This could be fixed using hasRoleExactly(), but that can only be used on the client side.

My recommendation would be to create your own script, which checks the "sys_user_has_role" table to see if the user explicitly has the 'pd_admin' role assigned, whether they are admin or not.

Best Regards
Aman Kumar
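The approach in the accepted solution and in Aman's reply, worked through as an added example (this is not code from the thread or from ServiceNow): an ACL script that answers true only when the current user has an actual sys_user_has_role row for 'pd_admin', so admins without that row are denied while admins who were also granted pd_admin are allowed. The role is looked up by name (dot-walking 'role.name') instead of a hard-coded sys_id. The GlideRecord and gs objects below are constructed in-memory stand-ins for the platform API so the logic runs under Node; the user IDs, role sys_ids and role rows are made-up sample data, and the optional directOnly flag (which excludes rows the platform marks inherited, i.e. granted through a group or a containing role) is an assumption added here, not something the thread asked for.

```javascript
// Constructed sample data standing in for sys_user_role and sys_user_has_role.
const SYS_USER_ROLE = [
  { sys_id: 'role_admin', name: 'admin' },
  { sys_id: 'role_pd_admin', name: 'pd_admin' },
  { sys_id: 'role_itil', name: 'itil' },
];
const SYS_USER_HAS_ROLE = [
  { user: 'u_alice', role: 'role_admin',    inherited: false }, // admin only
  { user: 'u_bob',   role: 'role_admin',    inherited: false }, // admin + explicit pd_admin
  { user: 'u_bob',   role: 'role_pd_admin', inherited: false },
  { user: 'u_carol', role: 'role_pd_admin', inherited: false }, // pd_admin only
  { user: 'u_dave',  role: 'role_pd_admin', inherited: true  }, // pd_admin via a group
  { user: 'u_erin',  role: 'role_itil',     inherited: false }, // neither role
];

function roleNamesOf(userId) {
  return SYS_USER_HAS_ROLE.filter(r => r.user === userId)
    .map(r => SYS_USER_ROLE.find(x => x.sys_id === r.role).name);
}

// Constructed GlideRecord test double: addQuery/setLimit/query/hasNext over the
// arrays above, with one level of dot-walking ('role.name'). The real platform
// class has these same methods.
class GlideRecord {
  constructor(table) { this.table = table; this.filters = []; this.rows = []; this.limit = Infinity; }
  addQuery(field, value) { this.filters.push([field, value]); return this; }
  setLimit(n) { this.limit = n; }
  _field(row, field) {
    if (field === 'role.name') {
      const ref = SYS_USER_ROLE.find(r => r.sys_id === row.role);
      return ref ? ref.name : '';
    }
    return row[field];
  }
  query() {
    const src = this.table === 'sys_user_has_role' ? SYS_USER_HAS_ROLE : [];
    this.rows = src
      .filter(row => this.filters.every(([f, v]) => this._field(row, f) === v))
      .slice(0, this.limit);
  }
  hasNext() { return this.rows.length > 0; }
}

// Constructed gs test double reproducing the behaviour the thread runs into:
// gs.hasRole() answers true for any role when the user holds admin.
function makeGs(userId) {
  return {
    getUserID: () => userId,
    hasRole: role => roleNamesOf(userId).includes('admin') || roleNamesOf(userId).includes(role),
  };
}

// The ACL script. Looks the role up by name rather than by a hard-coded sys_id.
// directOnly = true (an added option) also excludes rows marked inherited.
function userHasRoleExplicitly(gs, roleName, directOnly) {
  var grRole = new GlideRecord('sys_user_has_role');
  grRole.addQuery('role.name', roleName);
  grRole.addQuery('user', gs.getUserID());
  if (directOnly) {
    grRole.addQuery('inherited', false);
  }
  grRole.setLimit(1); // existence check only; no need to iterate
  grRole.query();
  return grRole.hasNext();
}

// What the ACL's 'answer' variable would be for a given user.
function aclAnswer(userId, directOnly) {
  return userHasRoleExplicitly(makeGs(userId), 'pd_admin', !!directOnly);
}

// The original gs.hasRole() approach from the question, for comparison.
function naiveAclAnswer(userId) {
  return makeGs(userId).hasRole('pd_admin');
}

for (const u of ['u_alice', 'u_bob', 'u_carol', 'u_dave', 'u_erin']) {
  console.log(u, 'gs.hasRole:', naiveAclAnswer(u), 'explicit:', aclAnswer(u), 'direct only:', aclAnswer(u, true));
}
```

In the instance, only the body of userHasRoleExplicitly goes into the ACL script (with the result assigned to answer); the "Admin overrides" checkbox still has to stay unchecked, otherwise admins bypass the ACL before the script is ever evaluated. Note that the check costs one query per ACL evaluation, so keep setLimit(1) and the user/role filters in place.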