When we are using scripts instead of ACL

minnu
Kilo Contributor

In the access control list we can control users' permissions, OK, but my question is: when we are using it in scripts, what does it do?


andrew_venables
ServiceNow Employee

Hi Polneni,



Not sure what you are asking but generally when scripts run they do not obey ACLs.



For example, if you trigger a Business Rule that updates a field on a record after the user has submitted it, it does not matter whether the user has permission to write to that field or not, since the business rule runs with special "system" level permissions that can do anything.



If you want your scripts to take into consideration the ACLs, then you should do something like current.canWrite() in your scripts and conditions.



Alternatively you can also explore GlideRecordSecure which works differently to the above and will obey ACLs when performing CRUD operations.



Hope this helps!



Andy


kristian dimitr
Tera Guru

Hello Polneni,



You can use script in your ACL record if you want to specify more specific requirements and conditions.


For more information, please visit the wiki documentation: Using Access Control Rules - ServiceNow Wiki



Kristian!


Karthik Reddy T
Kilo Sage

Hello Suman,



As far as I know, we can restrict the use by script instead of creating an ACL,



But it's not a good practice. If you have encountered any issue with ACL, let me know.



Refer to the below OOB Client script in the Incident table


(BP) Hide Choice - Closed


Karthik Reddy T.
ServiceNow Community MVP - 2018 class.

Paramahanns
Tera Expert

Hi Suman,



Access Control List (ACL) rules -
• is used to control what data users can access and how they can access it
• Each ACL rule specifies:
  ◦ The object being secured
  ◦ The permissions required to access the object
• The system searches for ACL rules that match the object the user wants to access
• no matching ACL rules for the object? no problem - object does not require any additional security checks
• By default, the system provides ACL rules to restrict access to all database and personalization operations.
• Users with access to the security_admin role can:
  ◦ Create ACL rules to secure new objects
  ◦ Update existing ACL rules to grant or deny users access to objects based on their business requirements
  ◦ Debug ACL rules to determine why users cannot access certain objects
• Evaluating ACL Rule Permission Requirements: An ACL rule only grants a user access to an object if the user meets all of the permissions required by the matching ACL rules.
  ◦ The condition must evaluate to true.
  ◦ The script must evaluate to true or return an answer variable with the value of true.
  ◦ The user must have one of the roles in the required roles list. If the list is empty, this condition evaluates to true.
  ◦ The other matching ACL rules for the object type must evaluate to true.



I think you are asking about the Scripts that are present inside the ACL rules. Below is the scenario



Scenario - I want the Service Desk to update the closed incidents. The rest of them should not be able to update the closed incidents.


This is a script that can be written in the script field.


answer = getAnswer();

function getAnswer() {
    if (gs.hasRole('service_desk')) {
        // People with the Service Desk role are allowed to update the ticket whether it is closed or not.
        return true;
    } else if (gs.hasRole("itil") && current.incident_state != 7) {
        // People with the ITIL role are allowed to write to the ticket when the State is not closed.
        return true;
    }

    // Return false by default so that other people are not able to update the ticket.
    return false;
}


So for these kinds of complex conditions you can use glide scripts and the gs property to evaluate true or false.



Please mark as helpful or correct if it impacts.




Regards


Param
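
The behaviour described in the replies above, as an added example that is not part of any post: the write-ACL script logic from the last reply, next to a script that updates a record with and without the current.canWrite() check. It runs outside ServiceNow, so gs, current and the helpers makeGs, makeIncident, updateUnchecked and updateChecked are minimal stand-ins assumed for illustration, and the open state value is constructed.

```javascript
// Added example: gs and current are stand-ins, not the ServiceNow platform objects.
const CLOSED = 7; // incident_state value the thread's ACL script treats as closed
const OPEN = 2;   // constructed sample value for any non-closed state

// Hypothetical helper: a gs object that only knows hasRole()
function makeGs(roles) {
  return { hasRole: (role) => roles.includes(role) };
}

// The write-ACL script from the thread, with gs/current passed in explicitly
function aclAnswer(gs, current) {
  if (gs.hasRole('service_desk')) return true;
  if (gs.hasRole('itil') && current.incident_state != CLOSED) return true;
  return false; // deny by default
}

// Hypothetical helper: a record whose canWrite() is decided by the ACL script
function makeIncident(gs, state) {
  const rec = { incident_state: state, work_notes: '' };
  rec.canWrite = () => aclAnswer(gs, rec);
  return rec;
}

// A script that never consults the ACL: the write always happens
function updateUnchecked(current, note) {
  current.work_notes = note;
  return true;
}

// The same script gated on current.canWrite(), as suggested in the first reply
function updateChecked(current, note) {
  if (!current.canWrite()) return false;
  current.work_notes = note;
  return true;
}

// Constructed role/state matrix: which writes go through in each variant
function runMatrix() {
  const users = { service_desk: ['service_desk'], itil: ['itil'], none: [] };
  const rows = [];
  for (const [user, roles] of Object.entries(users)) {
    for (const state of [OPEN, CLOSED]) {
      const gs = makeGs(roles);
      rows.push({ user, state,
        unchecked: updateUnchecked(makeIncident(gs, state), 'note'),
        checked: updateChecked(makeIncident(gs, state), 'note') });
    }
  }
  return rows;
}

console.table(runMatrix());
```

The unchecked column is true in every row, while the checked column follows the ACL script: only service_desk can write to a closed incident.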