Secure User Record
‎10-10-2024 06:00 AM
How do I restrict users from being able to edit any user record except their own, unless they have the admin or user_admin role, so that user records and preferences are secured?
‎10-10-2024 06:22 AM - edited ‎10-11-2024 02:24 AM
Hi @Mimi Edet,
Best practice would be to follow the same logic applied to the majority of fields on the sys_user table - ACLs.
You'll probably notice, OOB (Out Of Box), users with the 'itil' role can change another user's first name for example, but not their user ID.
As we also want to restrict this to admin, user_admins and only the users themselves, we can easily achieve this by updating the 'write' ACLs on that field and table by adding a little script to check for this similar to below.
Please note, OOB the 'admin overrides' checkbox is normally checked, meaning the admin ability is already taken care of.
Therefore, we only need to handle the logged in user and user_admins.
To implement this:
Elevate your role to 'security admin' and type 'Access Control' into the Navigation menu
Filter the ACLs similar to below:
Name starts with sys_user and name contains first_name or name contains last_name - these are the 2 ACLs that need to be updated with the script
Please note, depending on what apps you have installed on your instance such as Customer Service or HR, you may see multiple ACL entries as shown below - but you just want the 'Global' ACL for first_name and last_name
Here's the script:
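```javascript
// Write ACL script for sys_user.first_name / sys_user.last_name
checkLoggedInUser();

function checkLoggedInUser() {
    // Allow the write only on the user's own record, or for holders of user_admin
    if (gs.getUserID() == current.sys_id || gs.getUser().hasRole('user_admin')) {
        answer = true;
    } else {
        answer = false;
    }
}
```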
Here's a screenshot for the first_name. Repeat this for the last_name ACL.
To be able to add the scripting at the bottom, you'll need to check the 'Advanced' checkbox at the top of the form
To help others (or for me to help you more directly), please mark this response correct by clicking on Accept as Solution and/or Kudos.

Thanks, Robbie
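
The decision made by the script in the reply above, modelled as a stand-alone Node.js check (an added example, not part of the original reply and not ServiceNow's own code). `makeGs` and `makeUserRecord` are hypothetical stand-ins for the platform's `gs` and `current` objects, the users and sys_ids are constructed sample data, and the 'admin overrides' path is not modelled.

```javascript
// Stand-alone model of the ACL script's decision, runnable in Node.js.
// makeGs() and makeUserRecord() are hypothetical stand-ins for `gs` and `current`.

function makeGs(userId, roles) {
    return {
        getUserID: function () { return userId; },
        getUser: function () {
            return { hasRole: function (role) { return roles.indexOf(role) !== -1; } };
        }
    };
}

// Models sys_id as an object rather than a primitive string, which is why
// the script compares with == (coerces to string) and not === (always false here).
function makeUserRecord(sysId) {
    return { sys_id: { toString: function () { return sysId; } } };
}

// Same decision as the script in the reply, with gs/current passed in.
function checkLoggedInUser(gs, current) {
    return gs.getUserID() == current.sys_id || gs.getUser().hasRole('user_admin');
}

// Constructed sample users: a fulfiller, a user with no roles, a user administrator.
var USERS = {
    alice: { id: 'aaaa1111', roles: ['itil'] },
    bob: { id: 'bbbb2222', roles: [] },
    carol: { id: 'cccc3333', roles: ['user_admin'] }
};

// Evaluate every actor against every target record.
function writeMatrix() {
    var out = {};
    Object.keys(USERS).forEach(function (actor) {
        Object.keys(USERS).forEach(function (target) {
            var gs = makeGs(USERS[actor].id, USERS[actor].roles);
            out[actor + '->' + target] = checkLoggedInUser(gs, makeUserRecord(USERS[target].id));
        });
    });
    return out;
}

console.log(writeMatrix());
```

The matrix gives the cases to re-test on the instance after updating both ACLs: each user on their own record, an 'itil' user on someone else's record, and a user_admin on any record.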