UI Policy based on a role

Allison3 · ‎01-29-2018

I have a UI policy that I'm need to run unless you have a certain role. I've created a change_manager role who has itil access. We have a UI policy that makes change fields read-only once that change is closed. I'm wanting the user with the change_manager role to be excluded from the UI policy so the fields aren't read-only for them.

I'm assuming I would add something in the advanced script of the UI policy but Ii'm not sure how to exclude it.

adamjgreenberg · ‎01-29-2018

If the UI Policy has ITIL access, then the ITIL role given to the change_manager will be allowed.

As far as I know there is no way to exclude a permission that is inclusive based on a specific role.

For instance, Admin has rights across the board. You could not stop an Admin role from adding users based on the fact that they are admin.

You could however remove ITIL from the change_manager and then assign the ITIL role specifically as you see fit.

Allison3 · ‎01-30-2018

Couldn't I add something to the advanced script. For example maybe add something to the Execute if false role = change_manager

This way it will work for anyone who doesn't have that role?

adamjgreenberg · ‎01-30-2018

Allison,

You might be able to get it working with something like execute=false for the UI policy where g_user.hasRoleExactly('change_manager')

I'm not a script expert by any means so this will take some extra investigation, but I suppose this could work.