01-19-2025 10:37 PM
Good evening.
I have a requirement that, for the ITAM User Group (sys_id), I need to make some fields of the Computer table read-only. To achieve this, I used a UI Policy script instead of an ACL.
The code works, but I suspect there might be some error in the code which could affect other groups. The script is below:
01-19-2025 11:22 PM
Hello @AbdurRahmanSnow
Your script looks mostly correct, but there are a few improvements and corrections you can make to ensure it works as intended without affecting other groups. Here's a revised version of your script:
function onCondition() {
    var itamUserGroupSysId = '7bbedbcf1b7bcad8ebbfec60f54bcb30';
    // Get the current user's groups
    var userGroups = gs.getUser().getMyGroups();
    // Check if the user belongs to the ITAM User Group
    var isITAMUser = false;
    while (userGroups.hasNext()) {
        var group = userGroups.next();
        if (group.getValue('sys_id') == itamUserGroupSysId) {
            isITAMUser = true;
            break;
        }
    }
    // Return true if the user is in the ITAM User Group
    return isITAMUser;
}
Using an Access Control List (ACL) is generally considered the best practice for making fields read-only in ServiceNow, especially when you need to enforce security at the server level.
You can create a field-level read ACL and include the script below.
var itamUserGroupSysId = '7bbedbcf1b7bcad8ebbfec60f54bcb30';
var userGroups = gs.getUser().getMyGroups();
var isITAMUser = false;
while (userGroups.hasNext()) {
    var group = userGroups.next();
    if (group.getValue('sys_id') == itamUserGroupSysId) {
        isITAMUser = true;
        break;
    }
}
answer = !isITAMUser;
For your requirement, using an ACL is the most secure and reliable method to make fields read-only for specific user groups. UI Policies and Client Scripts can complement ACLs for additional client-side control and user experience enhancements.
If my response has helped you, hit the helpful button, and if your concern is solved, do mark my response as correct.
Thanks & Regards
Viraj Hudlikar.
01-19-2025 11:49 PM
A UI policy won't protect fields on a list, so doing this with a UI policy will work, but is far from ideal and also not best practice. Just create an ACL for this. If you are on Xanadu it will be very easy, because you can create a 'deny-unless' write ACL for the field and use the security attributes for the group membership. No need for any scripting.
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
01-20-2025 10:34 AM
I found the solution for this using ACL. I combined the answers from @Viraj Hudlikar and @Mark Manders.
What I did is described below. (Also, the UI Policy script was not working properly, so I removed it.)
1) Firstly, I created a table.None (Read operation, irrespective of the Role).
2) Then I created table.Fields for all the fields, one by one. Inside those field ACLs, I gave the "Write" operation "Deny Unless" (Mark's idea) and wrote the script (provided by Viraj), without specifying the Roles or Conditions sections.
Screenshots are attached below.
Script
var itamUserGroupSysId = '7bbedbcf1b7bcad8ebbfec60f54bcb30';
var userGroups = gs.getUser().getMyGroups();
var isITAMUser = false;
while (userGroups.hasNext()) {
    var group = userGroups.next();
    if (group.getValue('sys_id') == itamUserGroupSysId) {
        isITAMUser = true;
        break;
    }
}
answer = !isITAMUser;
Thanks a lot.
01-20-2025 09:23 AM
Hi Viraj. Thank you for this. But when I used your UI Policy script, the Computer table fields also became read-only for Admin. This should not happen.
If we go with the ACL script, your script makes those fields hidden, but not read-only.
Please help me out.
Requirement: For the ITAM User Group, make the following fields read-only: Name, Manufacturer, Location, Company, Serial Number, model ID, Division, and Install status.
01-20-2025 10:35 AM
I found the solution for this using ACL. I combined the answers from @Viraj Hudlikar and @Mark Manders.
What I did is described below. (The UI Policy script was not working properly, so I removed it.)
1) Firstly, I created a table.None (Read operation, irrespective of the Role).
2) Then I created table.Fields for all the fields, one by one. Inside those field ACLs, I gave the "Write" operation "Deny Unless" (Mark's idea) and wrote the script (provided by Viraj), without specifying the Roles or Conditions sections.
Screenshots are attached below.
Script
var itamUserGroupSysId = '7bbedbcf1b7bcad8ebbfec60f54bcb30';
var userGroups = gs.getUser().getMyGroups();
var isITAMUser = false;
while (userGroups.hasNext()) {
    var group = userGroups.next();
    if (group.getValue('sys_id') == itamUserGroupSysId) {
        isITAMUser = true;
        break;
    }
}
answer = !isITAMUser;
Thanks a lot.
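The Deny-Unless write check this thread settles on, as an added example that is not code from any poster or from ServiceNow: the script body uses `gs.getUser().isMemberOf()` in place of the loop over `getMyGroups()`, and a simplified model of Deny-Unless plus Allow-If evaluation shows the outcome per user. `makeGs`, `canWrite`, the sample users and the `itil` role requirement are constructed stand-ins so the block runs outside an instance.

```javascript
// Added example: a simplified, offline model of the field ACL discussed above.
// In an instance `gs` is supplied by the platform; makeGs() is a constructed stand-in.
const ITAM_GROUP = '7bbedbcf1b7bcad8ebbfec60f54bcb30'; // sys_id quoted in the thread

function makeGs(user) {
  return {
    getUser: () => ({ isMemberOf: (group) => user.groups.includes(group) }),
    // gs.hasRole() also returns true for admin users, which the stub mirrors.
    hasRole: (role) => user.roles.includes('admin') || user.roles.includes(role),
  };
}

// Body of the Deny-Unless write ACL script: passes only for non-ITAM users.
function denyUnlessNotItam(gs) {
  var answer = !gs.getUser().isMemberOf(ITAM_GROUP);
  return answer;
}

// Assumed Allow-If write ACL that grants editing at all (the role is hypothetical).
function allowIfItil(gs) {
  return gs.hasRole('itil');
}

// Simplified evaluation: every Deny-Unless ACL must pass, then at least one
// Allow-If ACL must pass. The ACL's "Admin overrides" option is not modelled.
function canWrite(user, acls) {
  const gs = makeGs(user);
  if (acls.denyUnless.some((script) => !script(gs))) return false;
  return acls.allowIf.some((script) => script(gs));
}

const fieldAcls = { denyUnless: [denyUnlessNotItam], allowIf: [allowIfItil] };

// Constructed users covering the cases raised in the thread.
const users = {
  itamMember: { roles: ['itil'], groups: [ITAM_GROUP] },
  admin: { roles: ['admin'], groups: [] },
  adminInItam: { roles: ['admin'], groups: [ITAM_GROUP] },
  noRole: { roles: [], groups: [] },
};

function report() {
  return Object.fromEntries(
    Object.entries(users).map(([name, u]) => [name, canWrite(u, fieldAcls)])
  );
}

console.log(report());
```

In this model an admin who also belongs to the ITAM group is denied write access, because the script tests group membership only.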