
Restricting access to Catalog item variable

prabhmeet
Giga Expert

Hi,

I have a catalog item where there is a reference variable Requested For to sys_user.

Requested for and some other variables are accessible to every user. I want only the manager of the user whose name is selected in the Requested for field to be able to enter values in 8 of the variables, which other users can see but not enter values in.

What are the ways by which I can achieve this?

1. If writing an onChange catalog client script is the correct way, then I will have to write it separately for all 8 variables? Can someone help with the script?

2. If I write an ACL, can someone help me with what condition and script to write so it applies only to the 8 variables of my catalog item?

Please help me on how can I do this.

Thanks

1 ACCEPTED SOLUTION

Hello,

I can give a demo script, but I am not sure whether this will help.

Create an onChange client script on the requested for field (assuming the requested for field is empty on form load):

function onChange(control, oldValue, newValue, isLoading) {
    if (isLoading || newValue == '') {
        return;
    }

    // Ask the server for the manager of the selected user
    var ga = new GlideAjax('GetManager');
    ga.addParam('sysparm_name', 'GetMan');
    ga.addParam('sysparm_user_id', newValue);

    alert('Script Include');

    ga.getXML(userInfoParse);

    function userInfoParse(response) {
        var answer = response.responseXML.documentElement.getAttribute("answer");
        alert(answer);
        if (answer == g_user.userID) {
            g_form.setVisible('test', true); // you can make your variables visible here
        } else {
            g_form.setVisible('test', false);
        }
    }
}

Now create a client callable Script Include GetManager (check the Client Callable field):

var GetManager = Class.create();
GetManager.prototype = Object.extendsObject(AbstractAjaxProcessor, {

    // Returns the sys_id of the manager of the user passed in sysparm_user_id
    GetMan: function() {
        var retvalue = "";
        var sn = this.getParameter('sysparm_user_id');

        var manager = new GlideRecord('sys_user');
        manager.addQuery('sys_id', sn);
        manager.query();
        if (manager.next()) {
            // getValue returns the reference's sys_id as a string
            retvalue = manager.getValue('manager') || "";
        }

        return retvalue;
    },

    type: 'GetManager'
});



9 REPLIES

Remove alerts in the client script I have provided

Hi Remalajagadeesh,

Thank you so much.

Please find my script below. It is setting the field as read-only even when I am impersonating the requested for's manager, and the User access group is also not working.

I have 3 restrictions where read only needs to be false:

- requested for's manager, requested for manager's manager, User access group.

Can you please point out my mistakes?

 

Script Include -

var RestrictAccessToUpdateFields = Class.create();
RestrictAccessToUpdateFields.prototype = Object.extendsObject(AbstractAjaxProcessor, {
    getAccess: function() {

        var obj = {};
        obj.retvalue = '';
        obj.mm = '';
        obj.grp = '';
        var a = this.getParameter('sysparm_user_id');
        var manager = new GlideRecord('sys_user');
        manager.addQuery('sys_id', a);
        manager.query();
        if (manager.next()) {
            obj.retvalue = manager.manager.sys_id;
            obj.mm = manager.manager.manager.sys_id;
            obj.grp = gs.getUser().isMemberOf('User Access Administration');
        }
        return JSON.stringify(obj);
    },

    type: 'RestrictAccessToUpdateFields'
});


onChange Client Script -

function onChange(control, oldValue, newValue, isLoading) {
    var id = g_form.getValue('requested_for'); //newValue

    var ga = new GlideAjax('RestrictAccessToUpdateFields');
    var a = g_user.getUser();

    ga.addParam('sysparm_name', 'getAccess');
    ga.addParam('sysparm_user_id', id);
    ga.getXML(CallBack);

    function CallBack(response) {
        var answer = response.responseXML.documentElement.getAttribute("answer");
        var returneddata = JSON.parse(answer);
        if (returneddata.retvalue == g_user.userID || returneddata.mm == g_user.userID || returneddata.grp == true) {
            g_form.setReadOnly('updated_first_name', false);
            g_form.setReadOnly('updated_last_name', false);
        } else {
            g_form.setReadOnly('updated_first_name', true);
            g_form.setReadOnly('updated_last_name', true);
        }
    }
}
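
Added example, not from any poster in this thread: g_form.setVisible and g_form.setReadOnly in the scripts above only change what the browser shows, so the manager / manager's manager / User Access Administration rule also has to be decided on the server from the session user and re-checked when the request is submitted. The sketch below models that decision in plain JavaScript over constructed in-memory data; the function names, user ids and the USERS and GROUP_MEMBERS tables are hypothetical stand-ins for sys_user and group membership, not ServiceNow APIs.

```javascript
// Constructed sample data standing in for sys_user and group membership.
const USERS = {
  u_emp:  { manager: 'u_mgr' },
  u_mgr:  { manager: 'u_dir' },
  u_dir:  { manager: '' },
  u_peer: { manager: 'u_mgr' },
  u_uaa:  { manager: 'u_dir' },
};
const GROUP_MEMBERS = { 'User Access Administration': new Set(['u_uaa']) };
// The two restricted variables named in the thread (the item has 8 in total).
const RESTRICTED = ['updated_first_name', 'updated_last_name'];

// Walk up the manager chain at most `levels` steps; stops on a missing manager.
function managersOf(userId, levels) {
  const chain = [];
  let current = USERS[userId];
  while (current && current.manager && chain.length < levels) {
    chain.push(current.manager);
    current = USERS[current.manager];
  }
  return chain;
}

// The caller's identity comes from the server session, never from a request
// parameter. Only a yes/no answer is returned, not anyone's manager id.
function canEditRestricted(sessionUserId, requestedForId) {
  if (!sessionUserId || !USERS[requestedForId]) return false; // fail closed
  if (GROUP_MEMBERS['User Access Administration'].has(sessionUserId)) return true;
  return managersOf(requestedForId, 2).includes(sessionUserId);
}

// Submit-time enforcement: a read-only field in the form is not a guarantee,
// so restricted values from an unauthorized submitter are rejected here.
function enforceOnSubmit(sessionUserId, submitted) {
  const allowed = canEditRestricted(sessionUserId, submitted.requested_for);
  const accepted = {};
  const rejected = [];
  for (const [name, value] of Object.entries(submitted)) {
    if (RESTRICTED.includes(name) && !allowed && value !== '') {
      rejected.push(name);
    } else {
      accepted[name] = value;
    }
  }
  return { allowed, accepted, rejected };
}
```

In this model the client script's only job is to mirror the server's answer in the form; the check that counts is the one repeated at submission.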

Sonal10
Kilo Expert

If I understand the requirement correctly:

Are you looking at restricting this form in a way that users cannot raise for themselves, they can only raise for the staff who directly report to them?

I would probably block the requested_for field such that, it cannot be the same as the current user (logged in).

And restrict the selection of users to only those whose Line manager = current logged in user.

 

This should save you the efforts of writing any further scripts hopefully.

I would even look to make the form available to only those users who have a manager role (if you have one) or to those who exist as a line manager in the sys_user table.

I am not a developer so sorry cannot help with scripts.. but if the concept makes sense, I am sure we have lots of experts who can help you achieve this.

Hi Sonal,

I am also new to ServiceNow so I am not good at scripting. What I have been asked to do is, the catalog item is only available to a few users - managers, user access group and users whose title is consultants - that part of the scripting I have done.

Now requested for is open to all to choose the user's name.

According to the name selected, only their managers and user access group can access the 8 update fields.

Rest of the fields are read only and they show the requested for user's current details.

 

So I am struggling with the scripting part: how to allow the user's manager and user access group access to the 8 update fields.

 

Okay, let me see if I have still got this right. I found it very interesting hence trying to help!

Please correct me if I am wrong:

SCENARIO 1

1. So you are talking about a form on the Service Portal or Service Console, which is already restricted to a specific list of people.

2. Requested_for field on this form opens a dropdown selection and anyone from the sys_user table can be selected.

3. You have 8 other variables on this form that need to be updated before submitting - that should be only accessible to the manager of the "Requested_for" OR the User Access group members

Proposed solution:

If All of the three above are correct, then my understanding is that you have already restricted who can access this form (managers & User access group), who would be the only people that can update those 8 variables for the selected "Requested_for"! 

So all you have to do is prevent these Managers & UAG from selecting anyone who is not their reportee.. if that makes sense!

On Requested for I would put a reference qualifier as below, in this case, you will not need to restrict those 8 variables...


SCENARIO 2:

1. So you are talking about a form on the Service Portal or Service Console, which is already restricted to a specific list of people.

2. Requested_for field on this form opens a dropdown selection and anyone from the sys_user table can be selected.

3. You have 8 other variables on this form that need to be updated after the ticket has been raised - That should be only accessible to the manager of the "Requested_for" OR the User Access group members 

If All of the three above are correct, I think you will need to write a Script Include as suggested by Jagadeesh, maybe someone can help you with the exact lines of code.

 

Apologies if this is not what you are looking for - I normally try to achieve things with a minimum coding - as I am not a developer. But I appreciate there are things you just cannot achieve without a script, so good luck.

Regards,

Sonal