UserCriteria - Server side script evaluation

Go to solution
Jared Healy2
Kilo Expert

‎10-14-2015 08:21 AM

This new feature seems to be very poorly documented in the wiki. I'm hoping someone out there has figured this out or gotten information on it.

Wiki article: http://wiki.servicenow.com/index.php?title=User_Criteria#gsc.tab=0

The only other thing that seems like it might be related: http://wiki.servicenow.com/index.php?title=CriteriaEvaluator#gsc.tab=0

The use case is custom CMS pages. How do we evaluate user criteria in Jelly to determine if a user can see a particular catalog item or category? It seems like the CriteriaEvaluator does something like that but I'd have to write my own wrapper for it to loop through and add all the items and then test a match to the current user. Is there already a script include or evaluation that I can leverage?

Where I am seeing the issue is utilizing the below code results in evaluating to true for everything even though on the native catalog page they can't see the records.

var ci = GlideappCatalogItem.get(featured_item.sys_id);


if(ci.isVisibleStandalone() && ci.canView()){


         // Do stuff


}

Are there new functions or classes that leverage the User Criteria?

The second issue/question I have is around the actual security of this method. From my testing, it appears that if you have a direct link to an item, you can still navigate to it and submit it. The User Criteria "security" appears to only prevent you from displaying in the catalog. Now since it's internal maybe there is no issue, but lets say you had an existing item that you wanted to further restrict but users had book marked it. They could still navigate to it and submit it. And this is all SN supported bookmarks using their side bar since you can drag catalog items there.

Further comment / complaint: There is no debug capability. Every other security method has debug around it where you can at least generate some output to see what is blocking you when you impersonate a user. For User Criteria there is nothing. For larger organizations or MSP you could easily have a very large rule table. There's no way to systematically trouble shoot User Criteria.

0 Helpfuls
  • 3,446 Views
1 ACCEPTED SOLUTION

Go to solution
Daniel Pettet
ServiceNow Employee
ServiceNow Employee

‎11-27-2015 08:14 AM

I experienced this problem today. The tricky bit is the context.



When calling the function from g:evaluate or a script include it won't work. When running it within a JEXL expression it will.


JEXL is the ${...} or $[...] stuff (depending on phase 1 and 2).



Eg.


<j:while test="${req.next()}">

   <j:if test="${GlideappCatalogItem.get(req.sys_id).canView() == true}">

       ${req.name} : ${req.short_description}

   </j:if>

</j:while>


This works in Fuji.



NOTE that "available for" and "not available for" options work a little strangely. I believe that "not available for" should only be used in combination with "available for". If you are testing something out then always work with a simple "available for" record first.


View solution in original post

7 REPLIES 7

Go to solution
danpatino
Tera Expert
In response to danpatino

‎12-04-2015 08:04 AM

Actually the issue was with using a list content block, not the GlideappCatalogItem command.   I had to convert the content list to a GlideRecord in the parent dynamic block, then <j:while> through the results to show Record Producers to users in the public role.   Weird issue....


0 Helpfuls

Go to solution
quiksilver
Mega Guru
In response to danpatino

‎08-16-2016 08:31 AM

Has anyone tried User Criteria in Service Portal?



Where in Pages and widgets visibility will be based on User Criteria?



Thanks in Advance



Broderick


0 Helpfuls

Go to solution
sarfraz3
Mega Expert
In response to Daniel Pettet

‎02-05-2017 10:56 PM

Hi Daniel,



I am trying to use the same logic but if I put the JEXL I am not able to view any item being an admin. Which means i'm not able to go inside the loop. Can you please help


0 Helpfuls