How to allow ITIL users to add delegates only to their own profile, not others.

sssnow
Kilo Contributor

I want to give ITIL users access to add a delegate only to their own profile. Is there a trick to compare the logged-in user and the profile (s)he is going to update? So if both user IDs are not matching, we can restrict this operation.


sssnow
Kilo Contributor

I added ITIL role to the ACL


Hi,



Can you please revert the changes on the create ACL (it should not have any roles or condition)? I just checked the OOB ACLs and we already have a write ACL on sys_user_delegate.user.






When I create a new delegate as an itil user, the user field is not editable to me. Are you testing as an admin user? Is this how it looks for you?






Sorry for the confusion!



Thanks


Please Hit like, Helpful or Correct depending on the impact of the response


sssnow
Kilo Contributor

Thanks for your research. After reverting the ACL back, it is making the user field read-only. But if an ITIL user searches for another profile, he/she can add a delegate, which we are trying to restrict.


Ok, can you try creating a new write ACL as shown?





javascript:gs.getUserID()





Thanks




Jochen Geist
ServiceNow Employee

ACLs are not re-evaluated during run time. This means that if you change the content of a field, the ACL still remains in its original state (when the form was loaded).



You might want to look into reference qualifiers for this:


Simple demo: Set the reference qualifier to advanced and enter this: javascript:'sys_id=' + gs.getUserID();



For more advanced logic (e.g. involving roles) create a script include and call that from the reference qualifier:


https://www.servicenowguru.com/scripting/script-includes-scripting/advanced-reference-qualifier-scri...
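The role-aware reference qualifier suggested in the last reply, together with the logged-in-user comparison asked about in the question, as an added example that is not code from any poster in this thread. It assumes that only the admin role may pick other users; `makeGs`, `delegateUserQualifier` and `canSetDelegateFor` are hypothetical names, and the sys_id values are constructed.

```javascript
// Constructed stand-in for the two GlideSystem calls used below, so the logic
// runs outside an instance. On the platform, the global `gs` is used instead.
function makeGs(userId, roles) {
  return {
    getUserID: function () { return userId; },
    hasRole: function (role) { return roles.indexOf(role) !== -1; }
  };
}

// Encoded query for the reference qualifier on sys_user_delegate.user.
// Assumption: admin sees every user; anyone else sees only their own record.
function delegateUserQualifier(gs) {
  if (gs.hasRole('admin')) {
    return ''; // empty encoded query: no filtering
  }
  return 'sys_id=' + gs.getUserID();
}

// The same rule as a yes/no check on a record being saved: does the "user"
// field of the delegate record point at the logged-in user?
// Assumption: this would be called from whatever server-side check guards
// the write, for example a before insert/update business rule.
function canSetDelegateFor(gs, targetUserSysId) {
  if (gs.hasRole('admin')) {
    return true;
  }
  // An empty user field is rejected rather than treated as "self".
  return Boolean(targetUserSysId) && targetUserSysId === gs.getUserID();
}

// Constructed sample sys_ids (32 hex characters, not from a real instance).
var ITIL_USER = '11111111aaaa2222bbbb3333cccc4444';
var OTHER_USER = '55555555dddd6666eeee7777ffff8888';

var itil = makeGs(ITIL_USER, ['itil']);
console.log(delegateUserQualifier(itil));
console.log(canSetDelegateFor(itil, ITIL_USER), canSetDelegateFor(itil, OTHER_USER));
```

The qualifier narrows what the user field's picker offers, while `canSetDelegateFor` is the comparison to apply when the record itself is written.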