Access Control (sys_user) - Cannot see their own user record in Assigned To
16 hours ago
Created a role called 'itil_limited' that restricts the visibility of records for users who have this role.
I created this ACL to limit access to user records in the sys_user table, except for users in their own groups. This means they can pass tickets to members of their assignment group.
However, they cannot see their own user record in the Assigned To field, so they cannot assign tickets to themselves.
This is my script:
Type: record
Decision Type: Deny Unless
Operation: read
Name: User (sys_user)
Role: None
Script Condition:
(function() {
    var user = gs.getUser();
    // Allow full access if NOT itil_limited
    if (!user.hasRole('itil_limited')) {
        answer = true;
        return;
    }
    // Allow itil_limited users to see themselves -> Not Working
    if (gs.getUserID() == current.sys_id.toString()) {
        answer = true;
        return;
    }
    // For itil_limited users — allow read only if target user shares a group
    var myGroups = user.getMyGroups(); // Array of group sys_ids
    var grMember = new GlideRecord('sys_user_grmember');
    grMember.addQuery('user', current.sys_id);
    grMember.query();
    while (grMember.next()) {
        if (myGroups.indexOf(grMember.group.toString()) != -1) {
            // User shares at least one group → allow read
            answer = true;
            return;
        }
    }
})();
Labels: Incident Management
16 hours ago
Hi @symonflores_23 ,
The issue in your ACL script, where itil_limited users cannot see their own user record in the Assigned To field, is likely because the comparison that allows users to see themselves (if (gs.getUserID() == current.sys_id.toString())) is not correctly setting the answer variable when true, due to a missing explicit answer assignment and the script's return behavior.
Try this script:
(function() {
    var user = gs.getUser();
    // Allow full access if NOT itil_limited
    if (!user.hasRole('itil_limited')) {
        answer = true;
        return;
    }
    // Allow itil_limited users to see their own record
    if (gs.getUserID() == current.sys_id.toString()) {
        answer = true;
        return;
    }
    // For itil_limited users — allow read only if target user shares a group
    var myGroups = user.getMyGroups(); // Array of group sys_ids
    var grMember = new GlideRecord('sys_user_grmember');
    grMember.addQuery('user', current.sys_id);
    grMember.query();
    while (grMember.next()) {
        if (myGroups.indexOf(grMember.group.toString()) != -1) {
            // User shares at least one group → allow read
            answer = true;
            return;
        }
    }
    // Deny by default
    answer = false;
})();
ACL scripts rely on the global variable answer being explicitly true or false before the script finishes. Returning early without setting answer or using return; alone may not propagate the result correctly to the ACL engine. Setting answer explicitly and returning afterward ensures permission is granted or denied correctly.
This adjustment will allow itil_limited users to see their own user record and retain the group membership visibility constraints as you designed.
If this is helpful, please hit the thumbs-up button and accept it as the correct solution, so that others who refer to this thread in the future will find it helpful.
Thanks & Regards,
Mohammed Mustaq Shaik
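To make the difference between the two scripts above concrete (the original in the question leaves the answer variable unset when no branch matches; the reply adds an explicit deny), here is an added Node.js model of the same branch logic that is not code from the thread or from ServiceNow. gs, GlideRecord and current do not exist outside the platform, so a small in-memory directory stands in for sys_user and sys_user_grmember; every user id, role and group name is constructed for the example, and the model's assumption that anything other than true denies is a modelling choice, not a statement about the ACL engine.

```javascript
// Constructed directory standing in for sys_user (roles) and
// sys_user_grmember (one row per user/group pair). All values are made up.
const USERS = {
  u_alice: { roles: ['itil', 'itil_limited'] },
  u_bob:   { roles: ['itil', 'itil_limited'] },
  u_carol: { roles: ['itil', 'itil_limited'] },
  u_dave:  { roles: ['itil'] },               // not itil_limited
};
const GROUP_MEMBERS = [
  { user: 'u_alice', group: 'g_service_desk' },
  { user: 'u_bob',   group: 'g_service_desk' },
  { user: 'u_carol', group: 'g_network' },
];

// Stand-ins for gs.getUser().hasRole() and gs.getUser().getMyGroups().
function hasRole(userId, role) {
  return (USERS[userId] || { roles: [] }).roles.includes(role);
}
function groupsOf(userId) {
  return GROUP_MEMBERS.filter(m => m.user === userId).map(m => m.group);
}

// The posted script, transcribed branch for branch. The ACL engine reads the
// script-scope variable `answer` after the script returns; scope.answer plays
// that role here. requesterId stands for gs.getUserID(), targetId for
// current.sys_id. denyByDefault toggles the one line the reply adds.
function aclScript(scope, requesterId, targetId, denyByDefault) {
  // Full access if NOT itil_limited
  if (!hasRole(requesterId, 'itil_limited')) { scope.answer = true; return; }
  // itil_limited users may read their own record
  if (requesterId === targetId)              { scope.answer = true; return; }
  // Otherwise allow read only if the target shares a group with the requester
  const myGroups = groupsOf(requesterId);
  for (const g of groupsOf(targetId)) {
    if (myGroups.indexOf(g) !== -1)          { scope.answer = true; return; }
  }
  if (denyByDefault) scope.answer = false;   // "Deny by default" line from the reply
}

// Runs the script and reports the raw `answer` value next to the decision.
// Modelling assumption: anything other than `true` is treated as deny.
function evaluateRead(requesterId, targetId, denyByDefault) {
  const scope = { answer: undefined };
  aclScript(scope, requesterId, targetId, denyByDefault);
  return { answer: scope.answer, allowed: scope.answer === true };
}

// Decision for every (requester, target) pair: the table a reviewer checks
// before trusting a record-level ACL on sys_user.
function accessMatrix(denyByDefault) {
  const ids = Object.keys(USERS);
  const matrix = {};
  for (const r of ids) {
    matrix[r] = {};
    for (const t of ids) matrix[r][t] = evaluateRead(r, t, denyByDefault).allowed;
  }
  return matrix;
}

// Show the one case where the two scripts differ in what they leave behind.
console.log('original, alice -> carol:', evaluateRead('u_alice', 'u_carol', false));
console.log('with deny, alice -> carol:', evaluateRead('u_alice', 'u_carol', true));
console.log(accessMatrix(true));
```

The self check and the shared-group check both evaluate to true in this model, which is the point of running it: if the same logic still hides a user's own record on the instance, the cause is outside this script (another ACL or a mismatch in what current.sys_id holds during the reference lookup), which is where the later replies in the thread look.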
16 hours ago
Hi Mustaq,
Added 'answer = false;', still not working
16 hours ago
Hi @symonflores_23 ,
ACL evaluation might be influenced by other factors, or the script logic might not be aligned with the actual conditions.
- Make sure current.sys_id correctly references the user record in question.
- Confirm that you are editing the correct ACL that applies to the sys_user table, with the read operation, and that the ACL is active.
- Insert gs.log() statements inside your script to confirm the flow:
(function() {
    gs.log('ACL check start');
    var user = gs.getUser();
    if (!user.hasRole('itil_limited')) {
        gs.log('Not itil_limited, grant full access');
        answer = true;
        return;
    }
    if (gs.getUserID() == current.sys_id.toString()) {
        gs.log('User accessing their own record, grant access');
        answer = true;
        return;
    }
    var myGroups = user.getMyGroups();
    gs.log('User groups: ' + myGroups);
    var grMember = new GlideRecord('sys_user_grmember');
    grMember.addQuery('user', current.sys_id);
    grMember.query();
    while (grMember.next()) {
        gs.log('Record user group: ' + grMember.group.toString());
        if (myGroups.indexOf(grMember.group.toString()) != -1) {
            gs.log('Shared group found, grant access');
            answer = true;
            return;
        }
    }
    gs.log('No group match, deny access');
    answer = false;
})();
- Temporarily disable other ACLs and policies on the user table to test whether your script now grants access.
- ACLs are evaluated in order. Check whether other ACLs might be denying access earlier.
- Validate the data (user ID and group memberships) during the test.