Deepak Ingale1
Mega Sage

NOTE: MY POSTINGS REFLECT MY OWN VIEWS AND DO NOT NECESSARILY REPRESENT THE VIEWS OF MY EMPLOYER, ACCENTURE.

In the past, I was working on a 'Geneva' instance to understand the ACLs for the "HR" application.

I happened to see that one of the ACLs on the hr_profile table (hr_profile.*) was using the "root_rule" variable to evaluate access at the field level. This was really eye-catching since I had not come across it before, and I started exploring what exactly it does in ACLs.

So now, let me walk you through the root_rule object and how we can leverage its functionality.

  • What is root_rule?

root_rule holds the element (table or field) against which the ACL is currently being evaluated.

For example, if we have an ACL on incident.short_description, then root_rule stores incident.short_description as its value. If the ACL is configured at ROW level for the Incident table, then root_rule will hold incident as its value.

We can check this by adding a gs.print(root_rule) statement in the script part of the ACL and then turning on the security debugger; it will be printed as (incident.short_description).

  • What could be the potential uses of this root_rule variable?

If we have a table with hundreds of different fields, and some set of those fields requires different access control, then we would need to configure that many separate ACLs to meet the requirement. With the help of root_rule, we can instead configure a single ACL as table.* . The asterisk causes the ACL to be evaluated on each field (unless the field has its own ACL). While the table.* ACL is evaluated for each field, root_rule holds the value of the field against which the ACL is currently being evaluated. With this single ACL and the root_rule variable, we can control access at the field level according to our requirements.

  • How to check the root_rule functionality?

Configure a table named mobile_device with fields such as model, display_size and resolution.

  • Configure an ACL mobile_device.*
  • Put gs.print("Root Rule is " + root_rule) in the script section of the ACL
  • Turn security debugging on
  • Open the records in the mobile_device table so that the ACL gets evaluated
  • We will see statements like 'Root Rule is mobile_device.model', 'Root Rule is mobile_device.display_size' and 'Root Rule is mobile_device.resolution' being printed.

Now, if we need to make access to these fields conditional on some criteria, we can parse root_rule in the script section to determine which field is being evaluated and then grant access accordingly.
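As an added example (not code from the original post), here is a script for a single mobile_device.* ACL that parses root_rule and grants each field only to the roles listed for it, denying by default. It assumes root_rule stringifies to "table.field" as the debug output above shows; the field-to-role map and the role list are constructed for illustration.

```javascript
// Constructed policy: which roles may access each field. Fields not listed
// fall back to DEFAULT_ROLES. The field names other than those in the post
// (e.g. imei) are hypothetical.
var FIELD_POLICY = {
  'mobile_device.resolution': ['itil', 'admin'],
  'mobile_device.display_size': ['itil', 'admin'],
  'mobile_device.imei': ['admin']          // constructed sensitive field
};
var DEFAULT_ROLES = ['itil', 'admin'];     // applies to fields with no explicit entry

// Parse "table.field" (or a bare "table" for a row-level ACL) into its parts.
// The security debugger shows the value in parentheses, so strip them if present.
function parseRootRule(rootRule) {
  var s = String(rootRule).replace(/^\(|\)$/g, '');
  var dot = s.indexOf('.');
  if (dot < 0) return { table: s, field: null };
  return { table: s.substring(0, dot), field: s.substring(dot + 1) };
}

// Deny by default: grant only when the evaluated field's policy lists one of
// the user's roles. A row-level evaluation (no field part) is not granted here,
// so the row-level ACL for the table remains the only authority for rows.
function fieldAccessAllowed(rootRule, userRoles) {
  var parsed = parseRootRule(rootRule);
  if (parsed.field === null) return false;
  var key = parsed.table + '.' + parsed.field;
  var allowed = Object.prototype.hasOwnProperty.call(FIELD_POLICY, key)
    ? FIELD_POLICY[key] : DEFAULT_ROLES;
  for (var i = 0; i < userRoles.length; i++) {
    if (allowed.indexOf(userRoles[i]) !== -1) return true;
  }
  return false;
}

// Inside the ACL script the decision goes into `answer`. The guard keeps the
// block runnable outside ServiceNow; in the instance the role list would be
// derived from the current user (e.g. via gs.hasRole), not hard-coded.
if (typeof root_rule !== 'undefined') {
  answer = fieldAccessAllowed(root_rule, ['itil']);   // constructed role list
}
```

Because the wildcard ACL only fires for fields without their own ACL, any field that gets a dedicated ACL later bypasses this policy, so keep the map and the dedicated ACLs in sync.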

Link to the OOB ACL on the hr_profile table for reference:

https://instance.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=05ae15fbdf103100b5157a0d3df263ca


Note: This root_rule variable is not listed or documented anywhere; somehow, it is nonetheless used in some of the OOB ServiceNow ACLs.
