Restrict Catalog and Catalog Items. ACL or Entitlement script questions

Go to solution
poyntzj
Kilo Sage

‎11-27-2013 02:24 PM

Hi all
I have added three fields to KB, Service Catalog and Catalog Items
u_global_view True / False
u_show_to - string 1000
u_hide_from - string 1000
If global view is true, use and make the "u_hide_from" visible
If global view is not trie, use and make the "u_show_to" visible

the strings contain part of a DN, sperated by semi colon
On KB, I have added a script to the ACL and simply it takes the contents of the "u_show_to" or "u_hide_from", makes an array and checks the users dn entry. If there is a match, then either show or hide depending on what we want and stop.
All works great

I thought adding this to the Service Catalog and a Category Item so we could easily hide them would be a case of adding the same script to the relevant ACL. Firstly, seems I am wrong and I cannot find the ACL that controls whether a record is visible or not. Anyone got any ideas on what ACL's these are, or what one I need to create. I did create one earliy
table - sc_cat_item
condition - none
script - gs.log('Jules ACL test');
roles - either blank or public. no difference either way

I went and looked and was able to access the category items
however and annoyingly, nothing in the logs 😞

Further on, I started to look at entitlement scripts. I can modify the routine I have to work here (after i found out that most records do not work in the entitlement script) so all is not lost, however, is there somewhere where I can place this entitlement script so that any new Catalog Item automatically has this script added ?

Thanks in advance

Labels:
0 Helpfuls
  • 12,034 Views
1 ACCEPTED SOLUTION

Go to solution
poyntzj
Kilo Sage
In response to minicj

‎02-25-2014 08:25 AM

Hi, attached are 3 documents



service catalog items - restricted view   is an overview of how it works and what to add in the show to / hide from boxes


servicecataloginclude.txt   - is the script include


service catalog items - set entitlement is the client script that is used when you choose restricted view and automatically creates the entitlement script



The following are the fields I have added to the catlog items



find_real_file.png



Hope it helps as I know this is a little rough and ready


View solution in original post

Preview file
179 KB
Preview file
18 KB
Preview file
50 KB
ServiceCatalogInclude.txt.zip
0 Helpfuls
6 REPLIES 6

Go to solution
TJW2
Mega Guru

‎11-27-2013 02:37 PM

Have you tried using the entitlement script on the catalog items?
The related list for 'available for Group'?, department? location? Or the 'Not available for?'

http://wiki.servicenow.com/index.php?title=Service_Catalog_Access_Controls


0 Helpfuls

Go to solution
poyntzj
Kilo Sage

‎11-27-2013 03:19 PM

Hi Terri
thanks for the comments. I have looked at this and it is why I am looking at the Entitlement scripts at the moment

The problem is that we are a reasonably large global company and we may have to restrict KB and Service Catalog Categories and items based on various options - Region, City, Operating Company, any combination
(If we cannot block Service Catalog Categories then it is OK, but we must do it for Catalog Items)
It has the potential to currently stop a team migrating over !

Adding the users to a group is not really feasible due to logistics etc. And certainly not by user.

With KB, I can choose saw "global view" and then in the "hide from" field I can add
"OU=LON; OU=EDI; OU=APAC; OU=BRAND,OU=NYC"
It will then hide the KB from anyone in London, Edinburgh, anyone who is in APAC, or anyone who works for "Brand" in New York.

If Global view is not selected and I entered the above into the "show to" field, It would show those articles to those users.

works well for KB via the ACL which is why I think I should be able to do the same for the Service Catalog and Catalog Items, but not sure of the ACL to use or create (being new to ServiceNOW)

Just doing the same in other areas is proving to be fun.

Cheers


0 Helpfuls

Go to solution
poyntzj
Kilo Sage

‎11-28-2013 05:18 AM

I gave up on the ACL issue and I have now gone down the following route

Script Include - takes table name, current catalog item, user ID

For catalog categories and catalog item I added 4 fields to both tables
enable restrictions
restriction type
hide from
show to.
I also wrote a client script so that if the enabled restrictions is checked, it will automatically add the entitlement script with the correct parameters.

Now, when we can add parts of the users DN to the "hide from" or "show to" fields.
When the user loads the service catalog, if the enable restriction is chosen it calls the include and it will then look at all contents in the relevant "hide from" or "show to" fields. It gets the user DN field and looks for a match. Depending on if we are hiding from, or showing to, it will return true or false.

It is nice as it will only process a script if we want a restriction and where we do have global requests they are not processed at all.

Cheers


0 Helpfuls

Go to solution
minicj
Giga Contributor
In response to poyntzj

‎02-25-2014 07:50 AM

Hi,



I think you've solved the issue I've been struggling with.   Would you be willing to share the contents of your script include and client script?



Thanks in advance,



Katie


0 Helpfuls