
Restricting access to Catalog item variable

prabhmeet
Giga Expert

Hi,

I have a catalog item where there is a reference variable Requested For to sys_user.

Requested for and some other variables are accessible to every user. I want only the manager of the user whose name is selected in the Requested for field to be able to enter values in 8 of the variables, which other users can see but not enter values in.

What are ways by which I can achieve this?

1. If writing an onChange catalog client script is the correct way, then I will have to write it separately for all 8 variables? Can someone help with the script?

2. If I write an ACL, can someone help me with what condition and script to write so it applies only to the 8 variables of my catalog item?

Please help me on how can I do this.

Thanks

1 ACCEPTED SOLUTION

Hello,

I can give a demo script, but I am not sure whether this will help.

Create an onChange Client Script on the Requested For field (assuming the Requested For field is empty on form load):

    

function onChange(control, oldValue, newValue, isLoading) {
    if (isLoading || newValue == '') {
        return;
    }

    // Ask the server for the manager of the selected Requested For user
    var ga = new GlideAjax('GetManager');
    ga.addParam('sysparm_name', 'GetMan');
    ga.addParam('sysparm_user_id', newValue);

    alert('Script Include'); // debug only

    ga.getXML(userInfoParse);

    function userInfoParse(response) {
        var answer = response.responseXML.documentElement.getAttribute("answer");
        alert(answer); // debug only
        // Show the variable only when the logged-in user is that manager
        if (answer == g_user.userID) {
            g_form.setVisible('test', true); // you can make your variables visible here
        } else {
            g_form.setVisible('test', false);
        }
    }
}

 

 

 

Now create a Client Callable Script Include GetManager (check the Client Callable field):

var GetManager = Class.create();
GetManager.prototype = Object.extendsObject(AbstractAjaxProcessor, {

    // Returns the sys_id of the manager of the user passed in sysparm_user_id
    GetMan: function() {
        var retvalue = "";
        var sn = this.getParameter('sysparm_user_id');

        var manager = new GlideRecord('sys_user');
        manager.addQuery('sys_id', sn);
        manager.query();
        if (manager.next()) {
            // getValue() returns the reference as a plain string sys_id
            retvalue = manager.getValue('manager') || "";
        }

        return retvalue;
    },

    type: 'GetManager'
});

 


9 REPLIES

Remove alerts in the client script I have provided

Hi Remalajagadeesh,

Thank you so much.

Please find my script below. It is setting the field as read-only even when I am impersonating the requested for's manager, and the User access group is also not working.

I have 3 restrictions where read only needs to be false - 

-requested for's manager, requested for manager's manager, User access group.

Can you please point out my mistakes?

 

Script Include -

var RestrictAccessToUpdateFields = Class.create();
RestrictAccessToUpdateFields.prototype = Object.extendsObject(AbstractAjaxProcessor, {
    getAccess: function() {

        var obj = {};
        obj.retvalue = '';
        obj.mm = '';
        obj.grp = '';
        var a = this.getParameter('sysparm_user_id');
        var manager = new GlideRecord('sys_user');
        manager.addQuery('sys_id', a);
        manager.query();
        if (manager.next()) {
            obj.retvalue = manager.manager.sys_id;
            obj.mm = manager.manager.manager.sys_id;
            obj.grp = gs.getUser().isMemberOf('User Access Administration');
        }
        return JSON.stringify(obj);
    },

    type: 'RestrictAccessToUpdateFields'
});

 

onChange Client Script

function onChange(control, oldValue, newValue, isLoading) {
    var id = g_form.getValue('requested_for'); //newValue

    var ga = new GlideAjax('RestrictAccessToUpdateFields');
    var a = g_user.getUser();

    ga.addParam('sysparm_name', 'getAccess');
    ga.addParam('sysparm_user_id', id);
    ga.getXML(CallBack);

    function CallBack(response) {
        var answer = response.responseXML.documentElement.getAttribute("answer");
        var returneddata = JSON.parse(answer);
        if (returneddata.retvalue == g_user.userID || returneddata.mm == g_user.userID || returneddata.grp == true) {
            g_form.setReadOnly('updated_first_name', false);
            g_form.setReadOnly('updated_last_name', false);
        } else {
            g_form.setReadOnly('updated_first_name', true);
            g_form.setReadOnly('updated_last_name', true);
        }
    }
}
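
Added example (not part of any post in this thread, and not ServiceNow API code): the same three-way access rule, decided on the server and returned as one boolean, with a second check at submit time because setReadOnly only changes what the form shows. The USERS table, GROUP_MEMBERS set, the sample sys_ids and all function names are constructed stand-ins for sys_user, the User Access Administration group and the session user.

```javascript
// Constructed stand-in for sys_user: sys_id -> manager sys_id (null if none).
const USERS = {
  u_emp: { manager: 'u_mgr' },
  u_mgr: { manager: 'u_dir' },
  u_dir: { manager: null },
  u_other: { manager: 'u_dir' },
  u_admin: { manager: null },
};
// Constructed stand-in for membership of the User Access Administration group.
const GROUP_MEMBERS = new Set(['u_admin']);
// The two update fields named in the post above.
const RESTRICTED = ['updated_first_name', 'updated_last_name'];

// Manager sys_id as a plain string ('' if none), never a wrapper object.
function managerOf(userId) {
  const rec = Object.prototype.hasOwnProperty.call(USERS, userId) ? USERS[userId] : null;
  return rec && rec.manager ? String(rec.manager) : '';
}

// May sessionUserId edit the update fields for requestedForId?
// sessionUserId must be taken from the server session, never from a
// request parameter the browser can set.
function canEditUpdateFields(sessionUserId, requestedForId) {
  if (!sessionUserId || !requestedForId) return false;
  if (GROUP_MEMBERS.has(sessionUserId)) return true;
  const mgr = managerOf(requestedForId);
  if (mgr === '') return false;
  if (mgr === sessionUserId) return true;
  return managerOf(mgr) === sessionUserId; // manager's manager
}

// What the client needs for setReadOnly: one boolean, no sys_ids.
function accessResponse(sessionUserId, requestedForId) {
  return JSON.stringify({ canEdit: canEditUpdateFields(sessionUserId, requestedForId) });
}

// Server-side re-check on submit: list restricted fields that carry a value
// although the submitter is not allowed to edit them.
function rejectedFields(sessionUserId, requestedForId, submitted) {
  if (canEditUpdateFields(sessionUserId, requestedForId)) return [];
  return RESTRICTED.filter((f) => submitted[f] !== undefined && submitted[f] !== '');
}
```
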

Sonal10
Kilo Expert

If I understand the requirement correctly:

Are you looking at restricting this form in a way that users cannot raise for themselves, they can only raise for the staff who directly report to them?

I would probably block the requested_for field such that, it cannot be the same as the current user (logged in).

And restrict the selection of users to only those whose Line manager = current logged in user.

 

This should save you the efforts of writing any further scripts hopefully.

I would even look to make the form available to only those users who have a manager role (if you have one) or to those who exist as a line manager in the sys_user table.

I am not a developer so sorry cannot help with scripts.. but if the concept makes sense, I am sure we have lots of experts who can help you achieve this.

Hi Sonal,

I am also new to ServiceNow so I am not good at scripting. What I have been asked to do is: the catalog item is only available to a few users - managers, user access group and users whose title is consultants - that part of the scripting I have done.

Now requested for is open to all to choose the user's name.

According to the name selected, only their managers and user access group can access the 8 update fields.

Rest of the fields are read only and they show the requested for user's current details.

 

So I am struggling with the scripting part: how to allow access for the user's manager and user access group to the 8 update fields.

 

Okay, let me see if I have still got this right. I found it very interesting hence trying to help!

Please correct me if I am wrong:

SCENARIO 1

1. So you are talking about a form on the Service Portal or Service Console, which is already restricted to a specific list of people.

2. Requested_for field on this form opens a dropdown selection and anyone from the sys_user table can be selected.

3. You have 8 other variables on this form that need to be updated before submitting - That should be only accessible to the manager of the "Requested_for" OR the User Access group members

Proposed solution:

If All of the three above are correct, then my understanding is that you have already restricted who can access this form (managers & User access group), who would be the only people that can update those 8 variables for the selected "Requested_for"! 

So all you have to do is prevent these Managers & UAG from selecting anyone who is not their reportee.. if that makes sense!

On Requested for I would put a reference qualifier as below, in this case, you will not need to restrict those 8 variables...

[Screenshot of the reference qualifier: image not available]

 

 

 

SCENARIO 2:

1. So you are talking about a form on the Service Portal or Service Console, which is already restricted to a specific list of people.

2. Requested_for field on this form opens a dropdown selection and anyone from the sys_user table can be selected.

3. You have 8 other variables on this form that need to be updated after the ticket has been raised - That should be only accessible to the manager of the "Requested_for" OR the User Access group members 

If All of the three above are correct, I think you will need to write a Script Include as suggested by Jagadeesh, maybe someone can help you with the exact lines of code.

 

Apologies if this is not what you are looking for - I normally try to achieve things with a minimum coding - as I am not a developer. But I appreciate there are things you just cannot achieve without a script, so good luck.

Regards,

Sonal