‎04-22-2016 11:54 AM
On the CMS website users can access their own profile page. I need to have all the fields grayed out for anyone without the admin role or higher … except the "date format" & "Time Zone" fields, which users with any role can edit/update. I tried modifying the ACL rule by adding 'itil' to only those 2 fields; however, it is not working.
The only thing I can see that could be causing an issue is the script in the access control of this user table --> " gs.hasRole('admin') || gs.getProperty('glide.sm.default_mode') == 'allow' "
I'm not 100% sure if this is the issue? But if it is, then is there a way to modify that script so 'date_format' & 'time_zone' can be changed by anyone ('itil', 'itil_inquiry_only'), and the others are still grayed out unless you have the 'admin' role?
‎04-22-2016 02:51 PM
Hi Neal,
Ok, a number of things...
1. You need a table-level ACL, and it should be for ([sys_user].*) to require the admin role by default on this table's fields... not ([*].--none--)...
   I wouldn't be adding the itil role to the OOB write ACL for the global table ([*]); this could cause you problems elsewhere...
2. You need a table-write ([sys_user].--none--) ACL set up for itil, or they won't be able to update any field because of (1)...
3. Your "[sys_user].time_zone" is set for the "Execute" operation instead of "Write"; change this to "Write"...
4. Your "[sys_user].time_zone" ACL looks ok, but probably is making no difference if you don't have the table-write set up for itil.
Please read through the wiki article on using ACLs here, it has some pretty good graphics (make sure to look them over) that describe how ACLs get evaluated:
Using Access Control Rules - ServiceNow Wiki
Thanks,
-Brian
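
The rule interaction described in the answer above, as an added example that is not part of the original post and is not ServiceNow's own code. It is a simplified stand-alone model: the rule sets `fixed`, `wrongOperation` and `noTableRule` and the functions `passes`, `mostSpecific` and `canAccess` are constructed for illustration, and a missing rule is assumed to mean deny.

```javascript
// Simplified model of ACL evaluation (constructed; omits parent tables,
// conditions, scripts and the admin override).
const fixed = [
  { name: 'sys_user',             op: 'write', roles: ['admin'] }, // table-level (--none--)
  { name: 'sys_user',             op: 'write', roles: ['itil'] },  // table-level rule for itil
  { name: 'sys_user.*',           op: 'write', roles: ['admin'] }, // default for every field
  { name: 'sys_user.time_zone',   op: 'write', roles: ['itil'] },
  { name: 'sys_user.date_format', op: 'write', roles: ['itil'] },
];

// Same rules, but the time_zone rule is on the wrong operation.
const wrongOperation = fixed.map(r =>
  r.name === 'sys_user.time_zone' ? { ...r, op: 'execute' } : r);

// Same rules without the table-level rule for itil.
const noTableRule = fixed.filter(r => !(r.name === 'sys_user' && r.roles.includes('itil')));

// Rules sharing a name are alternatives: holding a role from any one passes.
function passes(matching, userRoles) {
  return matching.some(r => r.roles.some(role => userRoles.includes(role)));
}

// Rules for the first (most specific) name that has any rule for this operation.
function mostSpecific(rules, names, op) {
  for (const name of names) {
    const found = rules.filter(r => r.name === name && r.op === op);
    if (found.length > 0) return found;
  }
  return []; // nothing matched: treated as deny (assumed default mode)
}

// Access needs BOTH the table-level check and the field-level check to pass.
function canAccess(rules, userRoles, table, field, op) {
  const tableRules = mostSpecific(rules, [table, '*'], op);
  const fieldRules = mostSpecific(rules,
    [`${table}.${field}`, `${table}.*`, `*.${field}`, '*.*'], op);
  return passes(tableRules, userRoles) && passes(fieldRules, userRoles);
}

console.log(canAccess(fixed, ['itil'], 'sys_user', 'time_zone', 'write'));          // true
console.log(canAccess(fixed, ['itil'], 'sys_user', 'email', 'write'));              // false
console.log(canAccess(wrongOperation, ['itil'], 'sys_user', 'time_zone', 'write')); // false
console.log(canAccess(noTableRule, ['itil'], 'sys_user', 'time_zone', 'write'));    // false
```
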

‎04-25-2016 09:30 AM
Thanks Brian, I made the appropriate change and it works as intended. I think some of the latest OOB updates to the sys_user had set *_none. Also, had to change the 'execute' to write on those fields to be able to write.

‎04-25-2016 11:23 AM
Great. Glad it works.