
Can anyone explain the Read ACL on sys_journal_field installed by Human Resources: Core?

Steve Arnold3
Tera Contributor

We recently installed the HR Service Delivery plugins in our production environment, and noticed that an ACL it created has broken our SnowMirror replication of the sys_journal_field table. We're working with the vendor on it, but I wanted to see if anyone could explain the ACL to me. Looking at a personal developer instance, the ACL is identical to what is in our production instance, so I know we didn't modify it in any way. Here are the particulars (screen shot attached):

Type: record

Operation: read

Name: sys_journal_field

Script:

answer = getJournalReadAnswer();

function getJournalReadAnswer() {
	// Deny unless the journal entry belongs to an sn_hr_core table
	if (!current.name.startsWith("sn_hr_core"))
		return false;
	
	// Deny while the user is impersonating someone
	var impersonateCheck = new sn_hr_core.hr_CoreUtils().impersonateCheck();
	if (impersonateCheck)
		return false;

	// Otherwise allow only users holding the HR admin role
	var roles = new hr_Utils();
	if (roles.checkUserHasRole("sn_hr_core.admin"))
		return true;
	else
		return false;
}

From what I can tell, the ACL isn't stopping us from accessing journal entries directly in records that are in non-HR tables, but it seems like the return statement on line 5 should be true instead of false...unless I'm just crazy. If I, having both admin and sn_hr_core.admin roles, go directly to sys_journal_field.list, I get the security constraints message. I am able to see entries for tables starting with sn_hr_core, but the rest are restricted.

Any thoughts on this (the ACL, not me being crazy)?

6 REPLIES

Steve Arnold3
Tera Contributor

For those curious, SN has opened a problem record for this issue (PRB1359281) as it can be reproduced in Madrid and New York OOB. They did provide us this, when I asked for a workaround:

"The workaround is updating the HR ACL to return true for admin, instead of false, if the table does not belong to HR."

Once we develop this workaround and test it, I will post back our script.

Steve Arnold3
Tera Contributor

Here is the updated ACL script we received from support as a workaround:

answer = getJournalReadAnswer();

function getJournalReadAnswer() {
	// Non-HR tables: fall back to the admin role instead of a hard deny
	if (!String(current.name).startsWith("sn_hr_core"))
		return gs.hasRole('admin'); 
	
	// Deny while the user is impersonating someone
	var impersonateCheck = new sn_hr_core.hr_CoreUtils().impersonateCheck();
	if (impersonateCheck)
		return false;

	// HR tables: allow only users holding the HR admin role
	var roles = new hr_Utils();
	if (roles.checkUserHasRole("sn_hr_core.admin"))
		return true;
	else
		return false;
}
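The following harness is an added example, not code from this thread or from ServiceNow's HR plugin. It runs the logic of both ACL scripts above (the original installed by Human Resources: Core and the support workaround) against hypothetical stand-ins for gs, sn_hr_core.hr_CoreUtils and hr_Utils, so the difference for an admin reading journal entries on a non-HR table can be checked offline. The table names, roles and users are constructed sample data; impersonateCheck() and checkUserHasRole() are assumed to reduce to plain booleans. It exercises only the script part of the ACL; the ACL's role list and admin-override setting are separate layers the harness does not model.

```javascript
// Added example, not code from the thread or from ServiceNow: offline harness
// comparing the original sys_journal_field read ACL script with the workaround.

// Hypothetical stand-ins for the platform objects the scripts touch.
// Assumption: impersonateCheck() and checkUserHasRole() are simple booleans.
function makeEnv(user) {
  const hasRole = (role) => user.roles.includes(role);
  return {
    gs: { hasRole },
    sn_hr_core: {
      hr_CoreUtils: function () {
        this.impersonateCheck = () => Boolean(user.impersonating);
      },
    },
    hr_Utils: function () {
      this.checkUserHasRole = hasRole;
    },
  };
}

// Logic of the original ACL script (as posted in the question):
// any journal entry outside an sn_hr_core table is denied, admin or not.
function originalAcl(current, env) {
  if (!current.name.startsWith("sn_hr_core")) return false;
  if (new env.sn_hr_core.hr_CoreUtils().impersonateCheck()) return false;
  return new env.hr_Utils().checkUserHasRole("sn_hr_core.admin");
}

// Logic of the support workaround (as posted in the last reply):
// non-HR tables fall back to the admin role instead of a hard deny.
function workaroundAcl(current, env) {
  if (!String(current.name).startsWith("sn_hr_core")) return env.gs.hasRole("admin");
  if (new env.sn_hr_core.hr_CoreUtils().impersonateCheck()) return false;
  return new env.hr_Utils().checkUserHasRole("sn_hr_core.admin");
}

// Evaluate both scripts for a journal entry whose `name` is the given table.
function evaluate(tableName, user) {
  const env = makeEnv(user);
  const current = { name: tableName }; // stand-in for the sys_journal_field record
  return {
    original: originalAcl(current, env),
    workaround: workaroundAcl(current, env),
  };
}

// Constructed scenarios; the first row is the replication case from the thread
// (an admin reading journal entries on a non-HR table).
const SCENARIOS = [
  { table: "incident",        user: { roles: ["admin", "sn_hr_core.admin"], impersonating: false } },
  { table: "sn_hr_core_case", user: { roles: ["admin", "sn_hr_core.admin"], impersonating: false } },
  { table: "sn_hr_core_case", user: { roles: ["admin"],                     impersonating: false } },
  { table: "sn_hr_core_case", user: { roles: ["admin", "sn_hr_core.admin"], impersonating: true  } },
  { table: "incident",        user: { roles: ["itil"],                      impersonating: false } },
];

function runScenarios() {
  return SCENARIOS.map((s) => ({
    table: s.table,
    roles: s.user.roles.join(","),
    impersonating: s.user.impersonating,
    ...evaluate(s.table, s.user),
  }));
}

for (const row of runScenarios()) {
  console.log(
    `${row.table.padEnd(16)} [${row.roles}] impersonating=${row.impersonating}` +
    `  original=${row.original}  workaround=${row.workaround}`
  );
}
```

The first scenario is the one that breaks a replication account: with the original script an admin gets false on every non-HR journal entry, while the workaround returns true. The remaining rows show that both scripts still behave identically on HR tables, including the impersonation deny and the requirement for sn_hr_core.admin.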