10-11-2018 12:33 PM
Hi, I am using the below ACL script to give read access to the table records if the user is a group member of the selected CI on the record field (points to cmdb_ci). Also, there is another read ACL on the same table with a required role. When I try to impersonate a non-role, non-group member, I can still see all records on the table. Don't know what's going on. Can someone assist me with correcting this? Thanks!
var ciArray = current.u_configuration_items.split(',');
for(i=0; i<ciArray.length; i++){
    var ci = new GlideRecord('cmdb_ci');
    ci.get(ciArray[i]);
    if(gs.getUser().isMemberOf(ci.support_group)){
        answer = true;
        break;
    }
}

10-11-2018 01:18 PM
Hello,
Try the below script:
answer = false; // deny by default; only a matching support group grants access
var ciArray = current.u_configuration_items.split(',');
for (var i = 0; i < ciArray.length; i++) {
    var ci = new GlideRecord('cmdb_ci');
    ci.get(ciArray[i]);
    if (gs.getUser().isMemberOf(ci.support_group)) {
        answer = true;
        break;
    }
}
Thanks,
Ali
Thank you,
Ali
10-11-2018 12:47 PM
Hi Paul,
I think the if statement with "isMemberOf" will never be true, since you will get a sysID with ci.support_group and it wants the name. But that will just mean that this ACL will never grant access. So there must be something else. I would turn on debug security and see which ACL actually gives you access to the records. It seems like there is something else in the background giving access when I read what you are describing.
//Göran
10-11-2018 01:03 PM
Thanks for the reply, Göran. I turned off the scripting ACL and used the required role one, and then it works just fine. When I enable the one with scripting, it starts to fail. I am not sure how to use the debug ACL tool. Do you think there is any other way to achieve this? Thanks!
10-11-2018 01:16 PM
Hi,
I think we can solve the script. Try this:
var currentUser = gs.getUser();
var ciArray = current.u_configuration_items.split(',');
for (var i = 0; i < ciArray.length; i++) {
    var ci = new GlideRecord('cmdb_ci');
    ci.get(ciArray[i]);
    // compare against the group's display value (its name) rather than the sys_id
    if (currentUser.isMemberOf(ci.getDisplayValue('support_group'))) {
        answer = true;
        break;
    }
}
Just remember that this might need to be trimmed depending on the requirements and size of the cmdb.
But I think the code above should work.
//Göran

10-11-2018 01:22 PM
Hi Göran,
I tried the below script in background and it is giving me the result true.
gs.print(gs.getUser().isMemberOf("cfcbad03d711110050f5edcb9e61038f")); // sys_id of one of my groups
isMemberOf() should work with sys_id as well. Correct me if I misunderstood something.
Cheers !!!
Ali
Thank you,
Ali
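
Added example, not code from any poster in this thread: the default-deny check from the 01:18 PM reply, written as a function so it can be exercised outside an instance, and extended to skip empty or malformed list entries and to use one `IN` query instead of one `get()` per CI. `canReadByCiSupportGroup`, `makeFakes` and the sample sys_ids are constructed for illustration; it assumes `isMemberOf()` accepts a group sys_id, as the last reply reports.

```javascript
// In a real ACL script `current`, `gs` and `GlideRecord` are platform globals;
// here they are passed in so the logic can run off-instance.
function canReadByCiSupportGroup(current, gs, GlideRecordCtor) {
  var answer = false; // deny unless a match is found
  var ciList = String(current.u_configuration_items || '');
  // Keep only well-formed 32-hex sys_ids so empty entries never reach the query.
  var ids = ciList.split(',').filter(function (id) {
    return /^[0-9a-f]{32}$/.test(id);
  });
  if (ids.length === 0) return answer;
  var user = gs.getUser();
  var ci = new GlideRecordCtor('cmdb_ci');
  ci.addQuery('sys_id', 'IN', ids.join(',')); // one query for all listed CIs
  ci.query();
  while (ci.next()) {
    var group = ci.getValue('support_group'); // sys_id string, or null when empty
    if (group && user.isMemberOf(group)) { answer = true; break; }
  }
  return answer;
}

// Constructed stand-ins for the platform objects, for off-instance runs only.
function makeFakes(ciTable, userGroups) {
  function FakeGlideRecord() { this.rows = []; this.pos = -1; }
  FakeGlideRecord.prototype.addQuery = function (field, op, csv) {
    var wanted = csv.split(',');
    this.rows = ciTable.filter(function (r) { return wanted.indexOf(r.sys_id) !== -1; });
  };
  FakeGlideRecord.prototype.query = function () { this.pos = -1; };
  FakeGlideRecord.prototype.next = function () { return ++this.pos < this.rows.length; };
  FakeGlideRecord.prototype.getValue = function (f) { return this.rows[this.pos][f] || null; };
  var gs = { getUser: function () {
    return { isMemberOf: function (g) { return userGroups.indexOf(g) !== -1; } };
  } };
  return { GlideRecord: FakeGlideRecord, gs: gs };
}

// Constructed sample data: two CIs, one with a support group and one without.
var CI_A = 'a'.repeat(32), CI_B = 'b'.repeat(32), GROUP_X = 'c'.repeat(32);
var CI_TABLE = [{ sys_id: CI_A, support_group: GROUP_X },
                { sys_id: CI_B, support_group: '' }];
```
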