- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎07-09-2012 06:59 AM
I am troubleshooting an issue with an ACL that restricts "read" access a field called "Default assignment group" on cmn_location to the roles user_admin and admin. There is a client script on incident that sets assignment_group to Location.Default Assignment Group. When an incident is created using the form and a user who only has the itil role the assignment group is not populated (presumably because the ACL restricts access to the data in the Location.Default Assignment Group). Impersonating that same user and submitting an incident via a record producer yields the assignment group being populated. Does the record producer insert records with an elevated role such as admin?
thanks,
Scott
Solved! Go to Solution.
- Labels:
-
Service Catalog
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-20-2014 01:28 PM
I think the sys_created_by field still logs who committed the action that ran the script (who submitted the form of the record producer).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎07-09-2012 08:50 AM
Record Producers create the records behind the scenes, so any UI Policies or Client Scripts do not come into play at all. What exactly is the Record Producer script doing? Is it setting the value of the field?
You will also want to look at the Assignment Rules (System Policy / Rules - Assignment) to see if they are setting the value of that field.
And what exactly is your desired result - do you want the Assignment Group populated or not???
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎07-09-2012 10:28 AM
The RP's script is setting Incident.Assignment group equal to Incident.Location.Default assignment group on the creation of the Incident (via the RP). This is great because it's what we want, but my question is if Location.Default assignment group is restricted to only admin and user_admin being able to view then how is a user with only itil using the RP to create an incident and the assignment group populating with the correct "Default assignment group".
I would assume this is because the script runs beneath the layer where ACLs are evaluated. Is that true?
thanks,
Scott
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎07-09-2012 11:20 AM
That's correct. As an admin you create the RP with whatever variables you need to get information for and then the script takes over. It is running in a different context that the logged-in user. Just like Business Rules can set fields based on some criteria, your RP script is allowed to do whatever you need it do to regardless of the permissions of the user who submitted it. It's not really the user who creates the record, it's the system based on your instructions.
Client Scripts, UI Policies and ACLs really only affected what is happening on the screen.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-20-2014 01:28 PM
I think the sys_created_by field still logs who committed the action that ran the script (who submitted the form of the record producer).
