Widget sn-record-picker with sys_user

nic_2017
Mega Contributor

I have a new widget with an sn-record-picker that loads sys_user:

<sn-record-picker on-change="c.changed()" field="c.data.profile"
table="'sys_user'" display-field="'name'" value-field="'user_name'"
default-query="active=true" search-fields="'name'" page-size="5"></sn-record-picker>

Works perfectly for admin but when I try to run the widget using a regular user (impersonate another user) the sn-record-picker list is empty.

Any idea on where and what to change in order to allow everybody to be able to fix the issue?

Thank you.


Mark Stanger
Giga Sage

If it's empty for a regular user then it's probably an ACL issue on that table. You need to adjust the 'read' ACLs (or potentially the 'user query' business rule on the sys_user table) to allow users to see other user records. You can confirm if this is the issue by navigating to the user table as the user in question to see if they can view the user records in a standard list.

nic_2017
Mega Contributor

I impersonate a user and in the filter navigator I use "sys_user.list"; I'm able to see the "user ID" for the person that I'm impersonating but not for somebody else. I assume that is a "read" ACL that I have to modify (or add?).

I go back to admin, "elevate role" -> security_admin; I go to sys_user.list -> security rules and filter the results based on the "Operation" ("read" in this case). There are lots of them.

How do I add or modify an ACL so that I allow my widget (sn-record-picker) to read the "user ID" field from sys_user table?

nic_2017
Mega Contributor

I know how to create an ACL to give all users "read" only to "sys_user.UserID" field. Would this not be a security breach?

After I create the above I can see all userIDs from the system in the widget/sn-record-picker.

Whether or not it's a security breach is completely up to the organization you're working in. Typically, you do need to be very careful around the user table for these reasons. The answer to your problem will need to work within the security guidelines of your organization, of course, but the technical solution to your problem remains the same... you need to open up read access to those records/fields on the 'sys_user' table that are needed to allow users to view the necessary data in the record picker.

Please mark my answer above as correct if I've answered your question. Thanks!
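
One way to check how far a new read ACL on sys_user actually reaches, as an added example that is not part of the thread: the script takes sys_user records as a regular (non-admin) session receives them and reports every field beyond the picker's `name` and `user_name` that comes back with a value, plus records the picker could not display. The sample response, the function names and the rule that a denied field arrives absent or empty are assumptions of this example.

```javascript
// Added example: audit what a regular user's session can read from sys_user.
// NEEDED mirrors the picker's display-field and value-field in the question.
const NEEDED = ['name', 'user_name'];

// Constructed sample shaped like a Table API body ({ result: [...] }) fetched
// as a non-admin user. Every value below is made up for the example.
const SAMPLE_RESPONSE = JSON.stringify({
  result: [
    { sys_id: 'a1', name: 'Example User A', user_name: 'user.a', email: 'a@example.com', mobile_phone: '' },
    { sys_id: 'b2', name: 'Example User B', user_name: 'user.b', email: '', manager: { link: '', value: '' } },
    { sys_id: 'c3', name: 'Example User C', user_name: '' }
  ]
});

// Assumption: a field the ACLs deny arrives absent or empty.
function hasValue(v) {
  if (v && typeof v === 'object') return hasValue(v.value); // reference field
  return v !== undefined && v !== null && String(v).trim() !== '';
}

function auditUserExposure(body, needed) {
  const records = JSON.parse(body).result || [];
  const extra = {};    // field name -> number of records exposing a value
  const unusable = []; // sys_ids the picker cannot show (needed field unreadable)
  for (const rec of records) {
    for (const [field, value] of Object.entries(rec)) {
      if (field === 'sys_id' || needed.includes(field)) continue;
      if (hasValue(value)) extra[field] = (extra[field] || 0) + 1;
    }
    if (!needed.every((f) => hasValue(rec[f]))) unusable.push(rec.sys_id);
  }
  return { total: records.length, extra, unusable };
}

const report = auditUserExposure(SAMPLE_RESPONSE, NEEDED);
console.log(JSON.stringify(report, null, 2));
```

A non-empty `extra` means the ACL change exposes more than the two fields the picker binds to; a non-empty `unusable` means some records still lack a readable display or value field.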