
script to scan ACL with empty conditions, script and roles

harikcm
Giga Contributor

Hello Community,

I need a background script to query the ACLs that don't have any condition, script or roles.

I got my script working for conditions and script, but for the roles part I'm unable to find a way.

Has anyone done this already?

1 ACCEPTED SOLUTION

AnveshKumar M
Tera Sage

Hello @harikcm 

ACL script and conditions are defined in the ACL record (sys_security_acl table) itself, but the roles are defined in a separate table called sys_security_acl_role. To query ACLs with all 3 checks empty, you can use the following script.

var aclGr = new GlideRecord("sys_security_acl");
aclGr.addEncodedQuery("scriptISEMPTY^conditionISEMPTY"); // Script and condition are empty
aclGr.addActiveQuery();
aclGr.query();

while (aclGr._next()) {
   // Roles live in sys_security_acl_role; look for any row pointing at this ACL
   var aclRoleGr = new GlideRecord("sys_security_acl_role");
   aclRoleGr.addQuery("sys_security_acl", aclGr.sys_id);
   aclRoleGr.query();
   if (!aclRoleGr._next()) {
      gs.print(aclGr.sys_id); // No role, condition or script on this ACL
   }
}

Please mark my answer helpful and accept as solution if it helped you 👍

Thanks,
Anvesh

7 REPLIES

Marco0o1
Tera Sage

Hi @harikcm :

Use this script. I run it in BG and it takes some time to run:

var aclGR = new GlideRecord("sys_security_acl");
aclGR.addActiveQuery();
aclGR.query();

while(aclGR.next()){

    var aclRolesGR = new GlideRecord("sys_security_acl_role");
    aclRolesGR.addQuery("sys_security_acl", aclGR.getUniqueValue());
    aclRolesGR.query();
    if(!aclRolesGR.next()){
        // This ACL doesn't have a role assigned
        gs.print("The ACL: " + aclGR.name + " " + aclGR.operation + " dont have role assigned");
    }

}

I can't run it in my dev instance because I have the CSM plugin, which fills in at least 1 role ("snc_internal" or "snc_external") on the ACLs. But that should work for you.

Hope that helps you.

harikcm
Giga Contributor

@Marco0o1 This gave me ACLs with script and conditions not empty. Thanks for the response.

Harish Bainsla
Kilo Patron

try this

var aclGR = new GlideRecord("sys_security_acl");
aclGR.addActiveQuery();
aclGR.query();

while (aclGR.next()) {
    var hasRole = hasRoles(aclGR);
    var hasCondition = !gs.nil(aclGR.condition);
    var hasScript = !gs.nil(aclGR.script);

    if (!hasRole && !hasCondition && !hasScript) {
        gs.print("The ACL: " + aclGR.name + " " + aclGR.operation + " doesn't have roles, condition, or script assigned.");
    }
}

function hasRoles(acl) {
    var aclRolesGR = new GlideRecord("sys_security_acl_role");
    aclRolesGR.addQuery("sys_security_acl", acl.getUniqueValue());
    aclRolesGR.query();
    return aclRolesGR.hasNext();
}
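
An added example (not code from any poster in this thread): the same three checks done with one pass over each table instead of one role query per ACL, which matters on instances with many ACLs. `findUnrestrictedAcls`, `loadRows`, `reportUnrestrictedAcls` and the sample rows are hypothetical names and constructed data; treating whitespace-only conditions and scripts as empty is an assumption.

```javascript
// Added example. Row shapes mirror the fields used in this thread:
//   sys_security_acl: sys_id, name, operation, active, condition, script
//   sys_security_acl_role: sys_security_acl (reference to the ACL's sys_id)

// Assumption: whitespace-only values count as empty so they get flagged for review.
function isBlank(v) { return v === null || v === undefined || String(v).trim() === ""; }

// One pass over the role rows, then one pass over the ACL rows (no query per ACL).
function findUnrestrictedAcls(aclRows, aclRoleRows) {
    var hasRole = {};
    aclRoleRows.forEach(function (r) { hasRole[r.sys_security_acl] = true; });
    return aclRows.filter(function (a) {
        var active = ["1", "true"].indexOf(String(a.active)) !== -1;
        return active && isBlank(a.condition) && isBlank(a.script) && !hasRole[a.sys_id];
    });
}

// Hypothetical helper: copy the named fields of every row into plain objects.
// Only called where GlideRecord exists (a ServiceNow background script).
function loadRows(table, fields) {
    var rows = [], gr = new GlideRecord(table);
    gr.query();
    while (gr.next()) {
        var row = {};
        fields.forEach(function (f) { row[f] = gr.getValue(f); });
        rows.push(row);
    }
    return rows;
}

// Constructed sample rows, used when run outside an instance.
var SAMPLE_ACLS = [
    { sys_id: "a1", name: "incident", operation: "read", active: "true", condition: "", script: "" },
    { sys_id: "a2", name: "incident.number", operation: "write", active: "1", condition: "", script: "" },
    { sys_id: "a3", name: "problem", operation: "read", active: "true", condition: "active=true", script: "" },
    { sys_id: "a4", name: "change_request", operation: "delete", active: "true", condition: "", script: "  \n" },
    { sys_id: "a5", name: "task", operation: "read", active: "false", condition: "", script: "" }
];
var SAMPLE_ROLES = [{ sys_security_acl: "a1" }];

function reportUnrestrictedAcls() {
    var live = typeof GlideRecord !== "undefined";
    var acls = live ? loadRows("sys_security_acl",
        ["sys_id", "name", "operation", "active", "condition", "script"]) : SAMPLE_ACLS;
    var roles = live ? loadRows("sys_security_acl_role", ["sys_security_acl"]) : SAMPLE_ROLES;
    return findUnrestrictedAcls(acls, roles).map(function (a) { return a.name + " " + a.operation; });
}

if (typeof gs !== "undefined") { gs.print(reportUnrestrictedAcls().join("\n")); }
```

Each line printed is an active ACL with no role, condition or script, so it is a candidate for access review rather than a confirmed misconfiguration.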
