‎12-04-2015 08:20 AM
Hello, I am needing some help with an ACL on a custom table. I have a UI action that is run from the incident table that shows the u_temp_credential table and writes some fields to it. Then ONLY the logged-in user should be able to see the u_temp_credential table to see the username that was created just for them. When I impersonate the user I get a security constraints error. I appreciate all of your help from the start, as I'm learning ACLs - they remind me of Windows server group policies, ugh!
For an ACL, is a record type the same as a field on a form?
// Read ACL script on u_temp_credential: grant read only to the person the
// parent record belongs to. 'current' is the u_temp_credential row being checked.
answer = ifScript();

function ifScript() {
    //gs.log('ACL: sys_class_name is ' + current.u_parent.sys_class_name);
    // u_parent is a reference field; branch on the class of the record it points at
    if (current.u_parent.sys_class_name == 'sc_req_item') {
        //gs.log('ACL: table is sc_req_item');
        // Requested item: the requested-for user or the opener may read
        if (current.u_parent.u_requested_for == gs.getUserID() || current.u_parent.opened_by == gs.getUserID()) {
            return true;
        }
    } else if (current.u_parent.sys_class_name == 'incident') {
        //gs.log('ACL: table is incident');
        // Incident: only the caller may read
        if (current.u_parent.caller_id == gs.getUserID()) {
            return true;
        }
    }
    // Anything else is denied
    return false;
}
‎12-04-2015 01:25 PM
You need two read ACLs...
1. Table level (u_temp_credential.)
2. Record level (u_temp_credential.*)
To put security on individual fields, you need to put the appropriate type of ACL on the field (u_temp_credential.u_password).
Type should always be Record (for what you are doing).
Operation should determine what they can do (Create, Read, Write, Delete)
If the table was created and a role was associated with it (typical action) and you overwrote the original read table ACL, then you will want to remove the associated role, as the ACL requires the script to be true, the user to have the role, and the condition to be true.
To make this easier (now that I have more time), you can do this all using the condition builder instead of writing a script (my example is based on the incident table)
‎01-08-2016 01:16 PM
I should add that the user is creating a new credential from the incident table through a UI Action and GlideDialogWindow (GDW)
‎01-14-2016 06:08 AM
Let's break this down a little simpler. Attached is the output of where I stand currently when I turn on debug security and view the glide dialog window from the incident UI action. When the window opens, no fields are visible. All of the items that are failing are for rules that are inactive: PATH = record/u_temp_credential.u_application/read. I have read everything I can get my hands on for ACLs and I cannot figure this one out. Thank you for your help everyone.
ACL List
‎01-14-2016 11:12 AM
Based on what I see above, you are attempting to provide a user access to be able to create a line item; when you really need to create the record in the table. With that said, change your create ACL to be on the table (remove the asterisk and use none).
‎01-15-2016 04:57 AM
Thanks mike.allgire, I will give that a try. Let me ask a basic question to gain understanding. If I do not grant any ACLs to a table, does that give full access or zero access? Or, another way, is access granted explicitly, or implicitly?
Would it be ok if I emailed you Mike? I am trying to grow my network of ServiceNow friends and mentors, and you have been very helpful and responsive.
‎01-15-2016 07:59 AM
Zero access. Before Berlin, they allowed the mentality of "if there isn't an ACL restricting users, then allow users"; however, the current model is "if there isn't an ACL to grant users, then don't allow users".
I am up for direct messages on here if you wish. I just may not be able to get to them quickly.
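Editor's added example (not code from any poster in this thread, and not the ServiceNow platform API): a small Node.js model that puts the replies of 12-04-2015 01:25 PM, 01-14-2016 11:12 AM and 01-15-2016 07:59 AM together. It shows a table-level read rule (u_temp_credential) gating a field-level rule (u_temp_credential.* or u_temp_credential.u_password), a single ACL granting only when role, condition and script all pass, a create rule written at field level failing the table-level create check, and the deny-by-default outcome when nothing grants. The users, the credential row and the ACL records are constructed stand-ins; the evaluation order is a simplified model of the platform, not its source.

```javascript
// Constructed model of ServiceNow ACL evaluation for u_temp_credential.
// users, credential and acls below are made-up sample data for this example.
const users = {
  caller:    { sys_id: 'u1', roles: [] },          // opened the incident
  someone:   { sys_id: 'u2', roles: [] },          // unrelated end user
  fulfiller: { sys_id: 'u3', roles: ['itil'] },    // has a role, not the caller
};

// A u_temp_credential row whose parent is an incident raised by u1.
const credential = {
  sys_class_name: 'u_temp_credential',
  u_parent: { sys_class_name: 'incident', caller_id: 'u1' },
  u_username: 'tmp-u1',
  u_password: '<placeholder>',
  u_application: 'vpn',
};

// Constructed ACL records. Path syntax follows the thread:
//   'u_temp_credential'        table level (field = none)
//   'u_temp_credential.*'      every field (wildcard)
//   'u_temp_credential.u_x'    one specific field
const acls = [
  { path: 'u_temp_credential', op: 'read', roles: [],
    condition: (rec) => rec.u_parent.sys_class_name === 'incident',
    script: (rec, u) => rec.u_parent.caller_id === u.sys_id },
  { path: 'u_temp_credential.*', op: 'read', roles: [],
    condition: () => true,
    script: (rec, u) => rec.u_parent.caller_id === u.sys_id },
  // More specific than '*': the password field additionally needs a role.
  { path: 'u_temp_credential.u_password', op: 'read', roles: ['itil'],
    condition: () => true, script: () => true },
  // The mistake called out in the thread: a create rule at field level ('.*')
  // does not satisfy the table-level create check.
  { path: 'u_temp_credential.*', op: 'create', roles: [],
    condition: () => true, script: () => true },
];

// One ACL grants only when role AND condition AND script all pass.
function aclGrants(acl, rec, user) {
  const hasRole = acl.roles.length === 0 || acl.roles.some(r => user.roles.includes(r));
  return hasRole && acl.condition(rec, user) && acl.script(rec, user);
}

// Rules that apply to a path for an operation. With a field, the exact
// table.field rule is used when one exists, otherwise the table.* wildcard.
function rulesFor(table, field, op) {
  const candidates = acls.filter(a => a.op === op);
  if (field === null) return candidates.filter(a => a.path === table);
  const exact = candidates.filter(a => a.path === `${table}.${field}`);
  if (exact.length > 0) return exact;
  return candidates.filter(a => a.path === `${table}.*`);
}

// Deny by default: a level is open only if some applicable ACL grants it.
function levelAllows(table, field, op, rec, user) {
  return rulesFor(table, field, op).some(a => aclGrants(a, rec, user));
}

// Reading a field needs the table-level gate and then the field-level gate.
function canRead(rec, field, user) {
  const table = rec.sys_class_name;
  return levelAllows(table, null, 'read', rec, user) &&
         levelAllows(table, field, 'read', rec, user);
}

// Inserting a row is checked at table level only in this model.
function canCreate(table, user) {
  return levelAllows(table, null, 'create', {}, user);
}

// The fix suggested in the thread: define the create rule on the table itself.
function fixCreateRule() {
  acls.push({ path: 'u_temp_credential', op: 'create', roles: [],
              condition: () => true, script: () => true });
}

// Rough stand-in for "Debug Security": one line per field, with the outcome.
function readReport(rec, user) {
  const table = rec.sys_class_name;
  const fields = Object.keys(rec).filter(k => k !== 'sys_class_name' && k !== 'u_parent');
  return fields.map(f => ({ path: `record/${table}.${f}/read`, allowed: canRead(rec, f, user) }));
}

console.log(readReport(credential, users.caller));
console.log('create before fix:', canCreate('u_temp_credential', users.caller));
fixCreateRule();
console.log('create after fix: ', canCreate('u_temp_credential', users.caller));
```

Running it shows the caller reading u_username and u_application but not u_password (no itil role), the fulfiller reading nothing because the table-level rule already denies a non-caller, and create failing until the rule is moved from u_temp_credential.* to u_temp_credential.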
