Exclude delegates from specific approval records.

eglazier · ‎09-18-2018

I have a requirement to restrict approvals on a specific catalog item.

They do not what User Delegates to be able to approve these requests. Sounds easy enough.

I've found the "exclude delegates" on the email notification.

I've also added a business rule to abort the approval should a delegate try to approve this item.

Now, I need to HIDE that approval from them.

So of the approvals the delegate will see currently:

Buy Software - Approver1 - delegate 1 - **Yes delegate can approve

Grant Access to Bank Records - Approver1 - delegate 1 - **NO delegate my not approve this

Order Mobile phone - Approver1 - delegate 1 - **Yes delegate can approve

I'm not finding an easy way to only show two approvals for D1 and 3 for A1.

What is the best practice for this and are they any examples?

chanikya · ‎07-22-2019

HI Michel ,

can you help me

i used your script as suggest, but it is not working.. please help me........

still delegate approving approvals, it should Not be.

READ - ACL's script : table : sysapproval_approver

if (gs.getProperty("glide.approvals.restrict_by_record", "false") == "true")

answer = gs.hasRole('approval_admin') || (gs.hasRole('itil') && checkSecureCatalogItem(current))||(gs.hasRole('catalog') && checkSecureCatalogItem(current)) || (isApprovalMine(current) && checkSecureCatalogItem(current)) && hasAccessToDocument(current);
else
answer = gs.hasRole('approval_admin') || (gs.hasRole('itil') && checkSecureOrderGuide(current)) || (gs.hasRole('catalog') && checkSecureCatalogItem(current)) || (isApprovalMine(current) && checkSecureCatalogItem(current)) || (hasAccessToDocument(current) && checkSecureCatalogItem(current));

function checkSecureCatalogItem(current)

{
var allowDelegate = true;
var restrictList = gs.getProperty('active.checking.box.restrict.delegates'); // Active check -catalog item sys_id

if (current.sysapproval.sys_class_name == "sc_req_item" && restrictedList.indexOf(current.sysapproval.ref_sc_req_item.cat_item) > -1 && current.approver!=gs.getUserID())

{
allowDelegate = false;

}
else

if (current.sysapproval.sys_class_name == "sc_request" && restrictedList.indexOf(current.sysapproval.ref_sc_req_item.cat_item) > -1 && current.approver!=gs.getUserID())

{

allowDelegate = false;
}

return allowDelegate;
}

chanikya · ‎07-22-2019

ITIL side Working Good, but coming to Portal side still the records are showing in Delegate Portal view ,

So how to Exclude those from Portal side

ParkPants · ‎12-29-2020

There is a logic error in your function. The issue is that the 'checkSecureCatalogItem' function will always return 'false' for the specified catalog item since there is no check that the user that this ACL is running for is a delegate of the original approver. This results in the original approver not being able to see his own approvals if he doesn't have one of the specified roles in the OOB ACL. I've adapted your script with some of my own that should fix this issue should someone else stumble upon this thread.

function checkSecureCatalogItem() {
	var allowDelegate = true;
	// Make sure the below query is only added for request items
	var restrictedList = "SYS-ID-OF-CATALOG-ITEM";
	if (current.source_table == "sc_req_item" && restrictedList.indexOf(current.sysapproval.ref_sc_req_item.cat_item) > -1 && checkUserDelegate()) {
		allowDelegate = false;
	}
	return allowDelegate;
}

function checkUserDelegate() {
	var currentTime = new GlideDateTime();
	var del = new GlideRecord('sys_user_delegate');
	del.addEncodedQuery('ends>=' + currentTime + '^starts<=' + currentTime + '^user=' + current.approver);
	del.query();
	while (del.next()) {
		if (del.getValue('delegate') == gs.getUserID()) {
			return true;
		}
	}
	return false;
}

chanikya · ‎07-22-2019

Hi eglazier,

did you get solution for this?

chanikya · ‎07-22-2019

how to exclude approval records in Portal side