Require the Catalog Item Submission to Only be done by a Manager

Eric145
Tera Expert

Hello

 

I have a catalog item where managers are supposed to request a PIN number for their employees.

We have an 'Employee' variable.  This variable is the Employee that needs the PIN number.

We also have a 'Submitter' variable.  This variable is automatically filled in based on the user who opened the form using:  javascript:gs.getUser().getDisplayName()

 

We also have three manager fields that are essentially looking thru the 'employees' info in the sys_user table and dot walking back to see each manager up the leadership chain for that employee (Example: manager > director > vice pres).

'manager' variable = manager.employee

'manager2' variable = manager.manager.employee

'manager3' variable = manager.manager.manager.employee

 

With all this information, we want to only allow managers for that employee (manager, manager2, manager3) to be able to submit for a PIN for the employee.  And if that is not the case, pop up an error message and do not allow the form to be submitted.

 

Scenario:

Employee = John Smith

Manager = Joseph Williams (manager)

Manager2 = Jane Doe (director)

Manager3 = David Duck (vp)

 

John Smith needs a new PIN.

John should NOT be allowed to submit for one for himself or others.  And he should be shown an error message and not allowed to submit at all when he attempts to submit one.

John's direct manager is Joseph Williams.  Joseph can submit for a PIN for John Smith.  But Joseph CANNOT submit for other employees who are not under him.

Jane Doe and David Duck can submit a PIN for John Smith as well.  Even though they are higher up in the leadership chain, they are still technically John Smith's boss.

 

Any ideas would be greatly appreciated.

Thanks

1 ACCEPTED SOLUTION

Thanks for your thoughts and ideas Nishant8.  I really appreciate it.

I did end up landing on a simple catalog client script that seems to be doing the trick when I run thru my testing.  

 

All, 

Feel free to review and let me know if you see any issues with it.  Thanks!

 

function onSubmit() {
	// onSubmit scripts take no arguments; the isLoading/newValue guard belongs to onChange scripts
	// and never fired here, so it is dropped.
	// Compare the submitter against each manager level of the selected employee.
	var s1 = g_form.getValue('submitter');
	var m1 = g_form.getValue('manager');
	var m2 = g_form.getValue('manager2');
	var m3 = g_form.getValue('manager3');

	if (s1 != m1 && s1 != m2 && s1 != m3) {
		g_form.addErrorMessage('You are not the employees manager, so you can not submit the request');
		// Returning false cancels the submission
		return false;
	}
}


10 REPLIES

Thanks for replying.

The problem with this solution is a non-manager can submit for someone else.

We only want actual managers to submit these requests.

 

For grins, I did try your script, but even after confirming the catalog item variables were correct, and I made sure to set the submitter and employee as the same person, I did not get an alert, nor did it stop the submission.

Good point. We could keep my onSubmit script to prevent a manager from requesting it for themselves. Then we can use Available for with the below script to make it so that only managers can see the item. This script will only work if the manager field on the sys_user table is being populated.

var currentUser = gs.getUserID();
var gr = new GlideRecord("sys_user");
gr.addQuery("manager", currentUser); //Check if logged on user is a manager for at least 1 person.
gr.setLimit(1);
gr.query(); //Run the query; without this, next() never returns a record
if (gr.next()){
	answer = true;
}
else {
	answer = false;
}

Robbie
Kilo Patron

Hi @Eric145,

 

Rather than provide access to the Item, allow the user to fill out the form only to be informed they cannot request/submit the form, you can simply leverage the 'Available for' functionality against the Catalog item. This can be configured using the Out Of Box (OOB) 'Managers' user criteria ensuring only managers can view and access the form.

 

This restricts access to the item itself, however you would need further configuration and scripting to only display the hierarchy of users to the manager accessing the form. For this you're going to have to configure a filter and reference qualifier for the Employee field.

You'll need to perform a little bit of magic and this lookup isn't available Out Of Box (OOB) unfortunately, or not that I've seen.

You can however leverage the following Script which will provide a comma delimited list of all employees as you require.

 

var manager_user_id = 'a8f98bb0eb32010045e1a5115206fe3a'; //Sample user id of Abraham Lincoln, who has been set as the manager of users, some of whom are also managers of other users.

// Function to retrieve all direct and indirect reports for a given manager
// 'visited' tracks users already walked so a loop in the manager data cannot recurse forever
function getEmployeesUnderManager(managerSysId, visited) {
    visited = visited || {};
    visited[managerSysId] = true;
    var employees = [];
    var gr = new GlideRecord('sys_user');
    
    // Query users where the manager is the one we're looking for
    gr.addQuery('manager', managerSysId);
    gr.query();
    
    while (gr.next()) {
        var employeeSysId = gr.getUniqueValue();
        if (visited[employeeSysId]) {
            continue; // already walked; skip to avoid a cycle
        }
        
        // Add employee to the list
        employees.push(employeeSysId);
        
        // Recursively get their reports (if any)
        var subordinates = getEmployeesUnderManager(employeeSysId, visited);
        employees = employees.concat(subordinates);
    }
    
    return employees;
}

// Example usage (replace with the actual manager sys_id)
var managerSysId = manager_user_id;
var employeeList = getEmployeesUnderManager(managerSysId);

// Output the list of all employees (you can use this as needed, like logging or returning)
gs.info('Employees under manager: ' + employeeList.join(', '));

 





Thanks, Robbie

Thanks for the reply Robbie.

I did try your script in my DEV instance and replaced the sysID at the top with one in my own sys_user table.

And that script did output a list of the employees and (if applicable) the employees' employees.

 

I get the angle of attack you are going for here and I am familiar with User Criteria in ServiceNow, but I am struggling to wrap my head around how I could take your script and have the user criteria check dynamically.  Your script is currently checking based on a hard-coded sysID.

 

Also, how would I accomplish this by dynamically checking the submitter against the employee they are trying to request the PIN for?  Especially since the catalog item form doesn't even know who the employee is beforehand prior to loading the form.  You have to get into the form to actually tell it who the employee is you are trying to get a PIN for.  At that point you've already crossed the threshold of form access.

Nishant8
Giga Sage

Hello @Eric145, is it necessary to show all the employees and then validate whether the right manager is requesting the PIN? Can't the list be limited to show the employees for the manager who is submitting the request? You can make the Employee variable mandatory and can show a meaningful message with the help of a UI policy if this field doesn't have any value, and can get rid of the other variables if they were just created for validation purposes. E.g.:

- For somebody who is not the manager, this list will be empty and item can't be submitted

- If submitter is manager or manager of manager etc, then list will show the related records and item can be submitted successfully

I haven't tried, but, I believe, with help of a Script Include, we can return the respective users and the same SI can be called in Employee advanced reference qualifier.

Aforesaid is just a thought from my side; with this approach too (you shared initially), we can validate reactively, but you may have to write a combination of Client Script and Script Include.
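
Added example, not code from any poster in this thread: the manager-chain decision the thread is after, written as plain JavaScript so it runs outside an instance. The in-memory `USERS` table, its ids and the function names are constructed stand-ins for sys_user; on an instance the same walk would run server-side against the session user's id, because a catalog client script and the 'submitter' variable both live in the browser.

```javascript
// Constructed sample data standing in for sys_user: id -> { name, manager }.
// The ids are made up for this example.
const USERS = {
  u_john:   { name: 'John Smith',      manager: 'u_joseph' },
  u_joseph: { name: 'Joseph Williams', manager: 'u_jane' },
  u_jane:   { name: 'Jane Doe',        manager: 'u_david' },
  u_david:  { name: 'David Duck',      manager: '' },
  u_mary:   { name: 'Mary Major',      manager: 'u_jane' },   // peer of Joseph
  u_loop_a: { name: 'Loop A',          manager: 'u_loop_b' }, // bad data: cycle
  u_loop_b: { name: 'Loop B',          manager: 'u_loop_a' }
};

const MAX_LEVELS = 3; // manager, manager2, manager3 as in the thread

// Returns the ids of the managers above employeeId, nearest first.
function managerChain(users, employeeId, maxLevels) {
  const chain = [];
  const seen = new Set([employeeId]);
  let current = users[employeeId];
  while (current && current.manager && chain.length < maxLevels) {
    const next = current.manager;
    if (seen.has(next)) break; // cyclic manager data: stop walking
    seen.add(next);
    chain.push(next);
    current = users[next];
  }
  return chain;
}

// Decide from the authenticated user's id, never from a form field the client sends.
function canRequestPin(users, sessionUserId, employeeId) {
  if (!sessionUserId || !users[employeeId]) {
    return { allowed: false, reason: 'unknown user or employee' };
  }
  if (sessionUserId === employeeId) {
    return { allowed: false, reason: 'self-request' };
  }
  const level = managerChain(users, employeeId, MAX_LEVELS).indexOf(sessionUserId);
  return level === -1
    ? { allowed: false, reason: 'not in management chain' }
    : { allowed: true, reason: 'manager level ' + (level + 1) };
}
```

The walk goes upward from the employee, so it costs at most three lookups per request instead of enumerating every report under the submitter.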