Access to groups on portal

Darren22
Tera Expert

Good Morning,

I am trying to automate some tasks on ServiceNow which include users getting added to groups etc. What I have done is create a new workflow so that a new user can access the portal and request access to a group. This then goes through the works all fine, and finally a script actions it.

The problem I am finding is that if a new user accesses this catalog item, when they click on the reference variable (this references the sys_user_group table) that looks at groups, nothing is displayed.

It's as though unless they have at least one role they aren't able to access this list of groups. How can I allow brand new users access to this list? I thought it might be down to an ACL, but looking at the list I haven't a clue which one controls this.

1 ACCEPTED SOLUTION

Joel Millwood2
Kilo Guru

Hi Darren,

By default, out of the box, the read permissions on the Group table (sys_user_group) are restricted by the following script condition:

if (gs.getUser().hasRoles())
	answer = true;
else
	answer = false;

As these new users of yours have no roles, the condition returns false, so you would have to create a new ACL that grants them access. Here is a similar post in the community that covers the same topic:

ACL Help Needed - Make sys_user_group Name field visible to end users in a catalog variable

Hope this helps!


4 REPLIES

Hi Joel,

Thank you for coming back to me with this. Is there anything wrong with changing this for example?

So could I change this condition to allow non-rolled users to be able to read the group table?

Just don't want to go changing something like this that ends up causing major issues?

You're very welcome, Darren.

To answer your next question, it really depends on what your requirements are and if you and the business are happy to expose that information.

There could be use cases such as yours above where you do want to expose that information to users without roles, or you may decide to restrict specific fields on the sys_user_group table to users without roles.

You can find out more about ACLs and how they are evaluated in the Product Documentation here: Access control list rules.

If you have found this answer helpful, please feel free to mark it as helpful and the correct answer to help other Community members also find this information in future.
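The trade-off described in the replies above (add a read rule for users without roles, optionally limiting which sys_user_group fields they see), as an added example that is not part of the original thread and is not ServiceNow platform code. It is a simplified stand-alone model of rule evaluation; the extra table rule, the field list, the sample rows and all function names are assumptions.

```javascript
// Added example: simplified model of read-ACL evaluation, not ServiceNow platform code.
// Assumption: rules on the same object are OR-ed; table and field checks are AND-ed.
function makeUser(roles) {
  return { hasRoles: () => roles.length > 0, isLoggedIn: () => true };
}

// The out-of-box table rule quoted in the accepted answer.
const oobTableRead = (user) => user.hasRoles();

// Hypothetical extra table rule: any logged-in user may read active groups.
const portalTableRead = (user, group) => user.isLoggedIn() && group.active === true;

// Hypothetical field rule: users without roles only see the listed fields.
const PUBLIC_FIELDS = new Set(["sys_id", "name", "description"]);
const fieldRead = (user, field) => user.hasRoles() || PUBLIC_FIELDS.has(field);

// Returns the fields of one group the user may read, or null if the row is hidden.
function readableView(user, group, tableRules) {
  if (!tableRules.some((rule) => rule(user, group))) return null;
  const view = {};
  for (const [field, value] of Object.entries(group)) {
    if (fieldRead(user, field)) view[field] = value;
  }
  return view;
}

// What a reference variable pointing at the table would be able to list.
function visibleGroups(user, groups, tableRules) {
  return groups.map((g) => readableView(user, g, tableRules)).filter((v) => v !== null);
}

// Constructed sample rows (not real data).
const GROUPS = [
  { sys_id: "g1", name: "Service Desk", description: "First line", manager: "u100", email: "sd@example.com", active: true },
  { sys_id: "g2", name: "Retired Team", description: "", manager: "u200", email: "old@example.com", active: false },
];

const newUser = makeUser([]);       // brand new user, no roles
const agent = makeUser(["itil"]);   // sample user holding a role

console.log(visibleGroups(newUser, GROUPS, [oobTableRead]));                  // empty list
console.log(visibleGroups(newUser, GROUPS, [oobTableRead, portalTableRead])); // active group, public fields only
console.log(visibleGroups(agent, GROUPS, [oobTableRead]));                    // both groups, every field
```

The field list is the part to agree with the business before opening the table to users without roles.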

Thank you so much for this.

Currently we have no issue with the business seeing the groups.

If we have some groups we would like to hide then I can always put a condition on the variable which is on our catalog item.

I guess it's going to cause more issues not letting them read the groups than it would letting them read. Allowing them to read the groups allows us to automate a lot.

It will also allow us to improve the new user process.