What can you tell me about ACL?
07-01-2024 01:47 AM
Assuming the conditions below.
(1) Users are divided into IT or factory positions.
(2) The incident table is shared, but data created by different positions cannot be viewed.
If we create the following ACL, we can view records created by ourselves, but we cannot view incident records created by another user who belongs to the same group.
script:
(function() {
    // Roles of the user who is trying to read the record
    var userRole = gs.getUser().getRoles();
    // Look up the user who created the record
    var creator = new GlideRecord('sys_user');
    creator.get(current.sys_created_by);
    // Allow when both the reader and the creator are IT ...
    if (userRole.indexOf('it_role') > -1 && creator.hasRole('it_role')) {
        answer = true;
    // ... or both are factory
    } else if (userRole.indexOf('factory_role') > -1 && creator.hasRole('factory_role')) {
        answer = true;
    } else {
        answer = false;
    }
})();
How can I isolate the problem in this case?
What we have already tried:
Set the table-level ACL for read permission on the incident table to inactive.
07-01-2024 04:49 AM
So if I understand correctly, the incident table is used for all, but only 'it_role' people are allowed to see the incidents created by 'it_role' people, and the same for the factory role? It will never happen that someone with the it role creates an incident that needs to be solved by the factory role or vice versa?
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
07-01-2024 06:00 PM
Thank you for your reaction.
Yes, you are correct in your understanding, as you said. It does not occur that a person in 'it_role' creates a record for a factory role or vice versa.
07-01-2024 05:03 AM
And just to get you started in the right direction: sys_created_by does not contain the sys_id of the user record. It's a string value, so you need to update your script there as well.
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
07-01-2024 07:15 PM
Thank you for pointing this out. You are correct.
I have modified the script as follows, but it still does not do what I want to achieve.
(function() {
    // Roles of the user who is trying to read the record
    var userRole = gs.getUser().getRoles();
    // Look up the creator by login name, since sys_created_by holds the user_name string
    var creator = new GlideRecord('sys_user');
    creator.addQuery('user_name', current.sys_created_by);
    creator.query();
    if (creator.next()) {
        // Allow when both the reader and the creator are IT ...
        if (userRole.indexOf('it_role') > -1 && creator.hasRole('it_role')) {
            answer = true;
        // ... or both are factory
        } else if (userRole.indexOf('factory_role') > -1 && creator.hasRole('factory_role')) {
            answer = true;
        } else {
            answer = false;
        }
    }
})();
For example, when I log in as an IT user, I would like to be able to see records created by other IT users,
but currently only records created by myself are displayed.
(I have applied a filter to reproduce this, but in reality I have selected ALL.)
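An added example, not the poster's script, of how the read decision can be written without the two defects this thread runs into: the creator is looked up by user_name (sys_created_by is a string, not a sys_id), and the creator's role is read from sys_user_has_role, because a sys_user GlideRecord has no hasRole() method (that method belongs to the GlideUser object). The DB contents, user names and the minimal GlideRecord stand-in are constructed so the logic runs in plain Node; it_role and factory_role are the role names from the thread.

```javascript
// Constructed stand-ins for the ServiceNow objects an ACL script sees (a
// GlideRecord over two tables), so the decision logic runs in plain Node.
// The 'role.name' key flattens the dot-walk a real addQuery('role.name', ...)
// performs. User names and role grants below are sample data, not real users.
const DB = {
  sys_user: [
    { sys_id: 'u1', user_name: 'alice' },
    { sys_id: 'u2', user_name: 'bob' },
    { sys_id: 'u3', user_name: 'carol' },
  ],
  sys_user_has_role: [
    { user: 'u1', 'role.name': 'it_role' },
    { user: 'u2', 'role.name': 'it_role' },
    { user: 'u3', 'role.name': 'factory_role' },
  ],
};
class GlideRecord {
  constructor(table) { this.rows = DB[table] || []; this.filters = []; this.i = -1; }
  addQuery(field, value) { this.filters.push([field, String(value)]); }
  query() { this.rows = this.rows.filter(r => this.filters.every(([f, v]) => String(r[f]) === v)); }
  next() { this.i += 1; return this.i < this.rows.length; }
  getValue(field) { return this.rows[this.i][field]; }
}

// Does the user who created the record hold the given role?
// sys_created_by is the creator's user_name (a string), not a sys_id, so the
// creator is resolved by user_name and the role is read from sys_user_has_role,
// the table a role assignment actually lives in.
function creatorHasRole(createdBy, roleName) {
  const user = new GlideRecord('sys_user');
  user.addQuery('user_name', createdBy);
  user.query();
  if (!user.next()) return false;          // unknown or deleted creator: deny
  const grant = new GlideRecord('sys_user_has_role');
  grant.addQuery('user', user.getValue('sys_id'));
  grant.addQuery('role.name', roleName);
  grant.query();
  return grant.next();
}

// The row-level read decision: the viewer may see the record only when the
// viewer and the creator share one of the position roles. In the ACL script
// this is called as: answer = aclRead(current, gs.getUser().getRoles());
const POSITION_ROLES = ['it_role', 'factory_role'];
function aclRead(current, viewerRoles) {
  return POSITION_ROLES.some(
    role => viewerRoles.indexOf(role) > -1 && creatorHasRole(current.sys_created_by, role)
  );
}
```

A row-level ACL script still runs once per row and a list the reader opens shows the "rows removed by security constraints" message for every hidden record, so a before-query business rule that adds the position filter is the usual way to partition a shared table like incident.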