ACL for Catalog Item Category Condition Not Working as Expected

Asha Ganipi
Tera Contributor

‎11-08-2024 08:24 AM

Hello Community,

I’m working on a custom ACL in ServiceNow to restrict access to request items based on a catalog item category condition. The requirement is to allow access only to request items that are part of a specific category containing "Operation Technology". However, this ACL isn’t working as intended—users who do not meet this condition can still view these request items.

 

 

  • Out-of-the-Box ACL Modification:
    I began by reviewing and modifying the out-of-the-box ACL for request items and added conditions related to the catalog item category.

  • The  ACL is a more general condition that restricts access based on roles, ensuring only users with certain roles can see request items if they aren’t in the "Operation Technology" category.

Script  contains : 

current.isNewRecord() || current.request.opened_by == gs.getUserID() || current.opened_by == gs.getUserID() || current.request.requested_for == gs.getUserID() || current.requested_for == gs.getUserID() || gs.hasRole('itil,sn_request_write');
 

  • Custom ACL Condition:
    I created or modified an ACL condition to restrict access based on the catalog item category. The condition specifies that access should only be granted if the catalog item’s category contains "Operation Technology".

  • The ACL restricts access to items in the "Operation Technology" category, allowing only users associated with this category to view those items
answer = getAnswer();
function getAnswer() {
    var userId = gs.getUserID();
    gs.info("Asha" + userId);
    var isMemberOfOTGroup = false;
    var allowedUser =false;
    var otGroup = new GlideRecord('sys_user_group');
    otGroup.addQuery('u_ot_group', true);
    otGroup.query();
    while (otGroup.next()) {
        if (gs.getUser().isMemberOf(otGroup.sys_id)) {
            isMemberOfOTGroup = true;
            break;
        }
    }
if(isMemberOfOTGroup ||(current.opened_by == userId)||(current.request.opened_by == userId)||(current.request.requested_for == userId)||(current.u_requested_for == userId)||(current.requested_for == userId))
    {
    allowedUser =true;  
    gs.info("AshaV" + allowedUser);
    }

     /*allowedUser = isMemberOfOTGroup ||
        current.opened_by == userId ||
        current.request.opened_by == userId ||
        current.request.requested_for == userId ||
        current.u_requested_for == userId ||
        current.requested_for == userId;*/
       
    gs.info("asha" + allowedUser + isMemberOfOTGroup);
    return allowedUser;
}
 Expected Behavior:

Only users who meet the specific condition (i.e., catalog item category contains "Operation Technology") should be able to see request items in that category. All other users should be restricted.

Observed Behavior:
Users who do not meet the "Operation Technology" condition can still view these restricted request items.

 

Despite configuring these ACLs carefully and testing multiple approaches (adding debug logs and disabling other ACLs to avoid conflicts), users who don’t meet either condition are still able to view restricted items. I’d appreciate any insights into why these ACLs might not be working or tips on ensuring the category-based and role-based conditions are properly enforced. Thank you!

 

Labels:
  • 543 Views
3 REPLIES 3

Abhay Kumar1
Giga Sage

‎11-09-2024 07:29 PM

@Asha Ganipi Based on your code and the behavior you're seeing, it appears that the ACLs might not be enforcing the access control properly due to either misconfiguration or missing conditions in the ACL logic.

0 Helpfuls

Asha Ganipi
Tera Contributor
In response to Abhay Kumar1

‎11-11-2024 02:52 AM

Thank you for the feedback. I’ve double-checked the ACL configuration, and it appears correct based on the requirements: it includes specific conditions for both catalog item category and user roles. However, if there’s any particular area of the code or logic that could potentially cause this issue, I’d appreciate any guidance on where to look or what to test further.

 

0 Helpfuls

Asha Ganipi
Tera Contributor
In response to Asha Ganipi

‎11-11-2024 06:30 AM

answer = getAnswer();
function getAnswer() {
var userId = gs.getUserID();
    var allowedUser = false;
    var isMemberOfOTGroup = false;
    var answer =false;
    // Check if the user is in the OT group
    var otGroup = new GlideRecord('sys_user_group');
    otGroup.addQuery('u_ot_group', true);
    otGroup.query();
    while (otGroup.next()) {
        if (gs.getUser().isMemberOf(otGroup.sys_id)) {
            isMemberOfOTGroup = true;
            break;
        }
    }

    // Check if the user meets any of the allowed conditions
    if (isMemberOfOTGroup ||
        current.opened_by == userId ||
        (current.request && current.request.opened_by == userId) ||
        (current.request && current.request.requested_for == userId) ||
        current.u_requested_for == userId ||
        current.requested_for == userId) {
        allowedUser = true;
    }

    // If OT item, return based on OT script; otherwise, return default
    if (current.cat_item && current.cat_item.category && current.cat_item.category.title == 'Operation Technology') {
        answer = allowedUser;
    } else {
        answer = current.isNewRecord() || current.request.opened_by == gs.getUserID() || current.opened_by == gs.getUserID() || current.request.requested_for == gs.getUserID() || current.requested_for == gs.getUserID() || gs.hasRole('itil,sn_request_write');
    }
    return answer;
}
0 Helpfuls