08-06-2024 04:26 AM
Hi All,
I have a requirement that necessitates the restriction of user permissions, including those of administrators, with the exception of the "security_admin" role. The objective is to prevent all users, aside from the "security_admin," from having the ability to remove users from any group classified as an "entitlement" type.
The configurations below have been done to achieve this requirement:
- Modified the delete ACL (OOB) on the sys_user_grmember table
  - Role: user_admin
  - Condition: Group Type is not Entitlement
  - Admin Override: False
- Created a new delete ACL on the sys_user_grmember table
  - Role: security_admin
  - Condition: Group Type is Entitlement
  - Admin Override: False
But it's not working; admin or user_admin can still remove users from entitlement groups.
Could anyone provide insight into what might be missing from my current setup? Any guidance on this matter would be greatly appreciated.
Please note that the solution must be confined to Access Control Lists (ACLs). Modifications to Business Rules (BR) or List Controls are not permissible for this scenario.
Thank you in advance for your assistance.
08-08-2024 07:50 AM
Thanks everyone for all your responses.
There is another OOB ACL in the HR scope where admin override was checked; when I unchecked it, it worked.
Initially I thought that since the scope is different and the conditions do not match, it would not have an impact, but somehow it did.
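To illustrate why an ACL in another scope still mattered, here is an added JavaScript model (not ServiceNow platform code, and not from this thread) of how the delete ACLs on sys_user_grmember are combined; the evaluation rules, the scope name sn_hr_core and the role name sn_hr_core.admin are assumptions made for the illustration.

```javascript
// Constructed model of the table-level delete ACLs on sys_user_grmember from the
// thread: the modified OOB ACL, the new security_admin ACL, and the overlooked
// HR-scoped OOB ACL with admin override checked. The evaluation semantics below
// are an assumption for illustration, not platform code.
const acls = [
  { scope: 'global', roles: ['user_admin'],
    condition: rec => rec.groupType !== 'Entitlement', adminOverride: false },
  { scope: 'global', roles: ['security_admin'],
    condition: rec => rec.groupType === 'Entitlement', adminOverride: false },
  { scope: 'sn_hr_core', roles: ['sn_hr_core.admin'],   // assumed scope and role names
    condition: rec => rec.groupType === 'HR', adminOverride: true },
];

// A user passes a single ACL either through admin override (admin role, the
// condition is never evaluated) or by holding one of its roles AND matching
// its condition.
function passesAcl(acl, user, record) {
  if (acl.adminOverride && user.roles.includes('admin')) return true;
  return acl.roles.some(r => user.roles.includes(r)) && acl.condition(record);
}

// All active ACLs for the same table and operation are OR'ed: passing any one
// of them grants the operation, whichever scope it lives in.
function canDelete(user, record, aclList = acls) {
  return aclList.some(acl => passesAcl(acl, user, record));
}

// Audit helper: list every ACL in the set that lets admin bypass its condition.
function adminOverrideScopes(aclList = acls) {
  return aclList.filter(acl => acl.adminOverride).map(acl => acl.scope);
}

// The fix from the thread: uncheck admin override on every ACL in the set.
function withAdminOverrideCleared(aclList = acls) {
  return aclList.map(acl => ({ ...acl, adminOverride: false }));
}

const entitlementMember = { groupType: 'Entitlement' };   // constructed sample record
console.log('offending scopes:', adminOverrideScopes());                           // [ 'sn_hr_core' ]
console.log('admin before fix:', canDelete({ roles: ['admin'] }, entitlementMember)); // true
console.log('admin after fix :', canDelete({ roles: ['admin'] }, entitlementMember,
                                           withAdminOverrideCleared()));           // false
```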

08-06-2024 04:42 AM
Deactivate the OOB delete ACL, keep only the custom delete ACL active and see if that works. Try checking this in a new browser, or clear the cache and check again.
Regards,
Musab
08-06-2024 05:16 AM
Hi @Musab Rasheed ,
Even after deactivating the OOB ACL, it's not working.
08-06-2024 04:45 AM
Hi @SM24, try enabling ACL debugging; it can help identify which ACLs are being applied and troubleshoot any issues. https://docs.servicenow.com/bundle/washingtondc-platform-security/page/administer/contextual-securit...
08-06-2024 05:00 AM
Group type is dot-walked from 'group', right? In that case it's a list field, and you should try it with 'group type does not contain entitlement'. Can you check if it works with that?
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark