Widget sn-record-picker with sys_user

Go to solution
nic_2017
Mega Contributor

‎10-03-2018 05:17 AM

I have a new widget with an sn-record-picker that loads sys_user:

<sn-record-picker on-change="c.changed()" field="c.data.profile"
table="'sys_user'" display-field="'name'" value-field="'user_name'"
default-query="active=true" search-fields="'name'" page-size="5"></sn-record-picker>

Works perfectly for admin but when I try to run the widget using a regular user (impersonate another user) the sn-record-picker list is empty.

Any idea on where and what to change in order to allow everybody to be able to fix the issue?

Thank you.

Labels:
0 Helpfuls
  • 1,853 Views
1 ACCEPTED SOLUTION

Go to solution
Mark Stanger
Giga Sage
In response to nic_2017

‎10-03-2018 07:03 AM

Whether or not it's a security breach is completely up to the organization you're working in.  Typically, you do need to be very careful around the user table for these reasons.  The answer to your problem will need to work within the security guidelines of your organization, of course but the technical solution to your problem remains the same...you need to open up read access to those records/fields on the 'sys_user' table that are needed to allow users to view the necessary data in the record picker.

Please mark my answer above as correct if I've answered your question.  Thanks!

View solution in original post

0 Helpfuls
7 REPLIES 7

Go to solution
nic_2017
Mega Contributor
In response to Mark Stanger

‎10-03-2018 07:13 AM

One more question Mark: it would be possible to modify the ACL that I just created so that if the request comes from my widget the read is allowed? if the request comes from any other place the read would not work?

The "offboarding" scope (the scope of the widget) has a role and 4 ACLs. I didn't modify these.

So the question would be: how do I use in the "read" ACL that I just created for sys_user, the role and the ACLs that I have from "offboarding" scope?

0 Helpfuls

Go to solution
Mark Stanger
Giga Sage
In response to nic_2017

‎10-03-2018 08:06 AM

I just checked a couple of possibilities that could be used with a 'before query' business rule if the URL is formatted just right, but unfortunately, it's just not a possibility.  You just have to adjust the ACLs for that table globally.

0 Helpfuls

Go to solution
Priyanka136
Mega Guru

‎10-03-2018 07:35 AM

Hi nic_2017,

Refer the below link :-

https://community.servicenow.com/community?id=community_article&sys_id=a27e9ad7db186388feb1a851ca961...

Please mark it Correct or Helpful , if it works based on impact...!!!!

Warm Regards,

Priyanka

find_real_file.png

www.dxsherpa.com

Preview file
5 KB
0 Helpfuls