Restricting the access of password to specific users

Go to solution
Natraj S
Tera Expert

3 weeks ago

We have an requirement to store the password in custom table field (A),

 

1.The password needs to be editable and viewable only to specific users.

2.Whenever the users try to view or edit the password field (A), the moment they click on the field or toggle the icon we have to make the reason field (B) visible and mandatory and this needs to be enabled for audit purpose, like who has viewed or modified the password and we have to get this details in the reporting as well.

 

If we have any OOB/custom solution to accomplish this requirement, kindly provide your thoughts here.

 

Thanks in Advance!

0 Helpfuls
  • 773 Views
1 ACCEPTED SOLUTION

Go to solution
Deepak Shaerma
Mega Sage
Mega Sage
In response to Natraj S

3 weeks ago

Hi @Natraj S 

ok got your point, so please uncomment the line in client script that sends the Record ID (sys_id) to the server. Also , inside script include use that ID to find the record (gr), decrypt the password, and send it back in the JSON object.

UI Action scriptt:

function unlockField(reason) {
    var ga = new GlideAjax('PasswordSecurityHelper');
    ga.addParam('sysparm_name', 'logAccessAndUnlock');
    ga.addParam('sysparm_reason', reason);
    
    // IMPORTANT: This MUST be uncommented. 
    // The server needs to know WHICH record to look up.
    ga.addParam('sysparm_record_id', g_form.getUniqueValue());
   
    ga.getXMLAnswer(function(response) {
        var result = JSON.parse(response);
        if (result.success) {
            // Unlock the field (Visual only)
            g_form.setReadOnly('u_mfg_password', false);
            g_form.flash('u_mfg_password', 'green', 0);
            g_form.addInfoMessage('Access granted.');
            
            // Display the password returned from the server
            if(result.decrypted_password) {
                 // Use g_form.setValue if you want it to appear in the field
                 // g_form.setValue('u_mfg_password', result.decrypted_password); 
                 
                 // OR use alert to pop it up (Safer)
                 alert("The Password is: " + result.decrypted_password);
            }
        }
    });
}


script icnlude:

logAccessAndUnlock: function() {
    var reason = this.getParameter('sysparm_reason');
    var docId = this.getParameter('sysparm_record_id'); // Get the ID sent from Client
    
    // 1. Initialize the Return Object
    var response = {};
    response.success = false;

    // 2. DEFINE 'gr' - Look up the record
    // REPLACE 'your_custom_table_name' WITH YOUR ACTUAL TABLE NAME
    var gr = new GlideRecord('your_custom_table_name'); 
    
    if (gr.get(docId)) { // If we find the record matching the ID
        
        // 3. Decrypt the password
        // Note: Contextual Security (ACLs) might block this if not Admin/Authorized
        var enc = new GlideEncrypter();
        var decryptedValue = enc.decrypt(gr.u_mfg_password);
        
        // 4. Build the response
        response.success = true;
        response.decrypted_password = decryptedValue; // Send the actual text back
    }

    return JSON.stringify(response);
},


Happy to help! If this resolved your issue, kindly mark it as the correct answer and Helpful and close the thread 🔒 so others can benefit too.
Warm Regards,
Deepak Sharma
Community Rising Star 2025

View solution in original post

8 REPLIES 8

Go to solution
Deepak Shaerma
Mega Sage
Mega Sage

3 weeks ago

Hi @Natraj S 

I think there is no out-of-the-box (OOB) form behavior for this Requirement. The standard "Lock/Unlock" icon on password fields does not support a "Force Reason" trigger natively. 

You have to implement a custom solution for this:

Happy to help! If this resolved your issue, kindly mark it as the correct answer and Helpful and close the thread so others can benefit too.

Warm Regards,

Deepak Sharma

Community Rising Star 2025



0 Helpfuls

Go to solution
Natraj S
Tera Expert
In response to Deepak Shaerma

3 weeks ago

Hi @Deepak Shaerma ,

 

Could you please provide me the custom solution for this requirement?

 

Thanks in Advance!

0 Helpfuls

Go to solution
Deepak Shaerma
Mega Sage
Mega Sage
In response to Natraj S

3 weeks ago

Hi @Natraj S 

Field A (Password): Create a field of type Password (2 Way Encrypted)

Create a simple table (e.g., u_password_access_log) to store the audit trails.

  • Fields: User (Reference), Time (DateTime), Reason (String), Action Type (View/Edit), Related Record (Reference to your custom table).

    Create a form button (UI Action) named "Unlock Password" or "View Password".

    • Client Side: true

    • OnClick: askForReason()

    • Condition: gs.hasRole('password_manager')

    function askForReason() {
    // 1. Open a Dialog (GlideModal) to ask for the Reason
    var dialog = new GlideModal('glide_prompt', true, 400);
    dialog.setTitle('Security Audit');
    dialog.setPreference('title', 'Please enter a reason to access this password:');
    dialog.setPreference('onPromptComplete', function(reason) {
        if (reason) {
            // 2. If reason is provided, call the server
            unlockField(reason);
        } else {
            g_form.addErrorMessage('Reason is mandatory to access the password.');
        }
    });
    dialog.render();
}

function unlockField(reason) {
    var ga = new GlideAjax('PasswordSecurityHelper'); // Call Script Include
    ga.addParam('sysparm_name', 'logAccessAndUnlock');
    ga.addParam('sysparm_reason', reason);
    ga.addParam('sysparm_record_id', g_form.getUniqueValue());
    
    ga.getXMLAnswer(function(response) {
        var result = JSON.parse(response);
        if (result.success) {
            // 3. SUCCESS: Unlock the field for editing
            g_form.setReadOnly('u_password_field', false); 
            g_form.flash('u_password_field', 'green', 0);
            g_form.addInfoMessage('Access granted and logged.');
            
            // OPTIONAL: If "View" is needed, pop up the decrypted password
            if(result.decrypted_password) {
                 alert("Password: " + result.decrypted_password);
            }
        }
    });
}

    Create a Client Callable Script Include (PasswordSecurityHelper) to handle the security logging and decryption.

    logAccessAndUnlock: function() {
    var reason = this.getParameter('sysparm_reason');
    var docId = this.getParameter('sysparm_record_id');
    
    // 1. Log to your Custom Audit Table
    var audit = new GlideRecord('u_password_access_log');
    audit.initialize();
    audit.u_user = gs.getUserID();
    audit.u_action_type = 'Edit Access'; // or 'View'
    audit.u_reason = reason;
    audit.u_related_record = docId;
    audit.insert();

    // 2. Return Success
    // If "View" is required, you can decrypt here using: 
    // var enc = new GlideEncrypter(); 
    // var decrypted = enc.decrypt(gr.u_password_field);
    
    return JSON.stringify({ success: true });
}


    Happy to help! If this resolved your issue, kindly mark it as the correct answer and Helpful and close the thread 🔒 so others can benefit too.
    Warm Regards,
    Deepak Sharma
    Community Rising Star 2025



0 Helpfuls

Go to solution
Natraj S
Tera Expert
In response to Deepak Shaerma

3 weeks ago

HI @Deepak Shaerma ,

 

I have tried the above script and am able to enter the reason after clicking on the "View Password" UI action, but after entering the reason am unable to view the password.

// UI Action Script

function askForReason() {
    // 1. Open a Dialog (GlideModal) to ask for the Reason
    var dialog = new GlideModal('glide_prompt', true, 400);
    dialog.setTitle('Security Audit');
    dialog.setPreference('title', 'Please enter a reason to access this password:');
    dialog.setPreference('onPromptComplete', function(reason) {
        if (reason) {
            // 2. If reason is provided, call the server
            unlockField(reason);
        } else {
            g_form.addErrorMessage('Reason is mandatory to access the password.');
        }
    });
    dialog.render();
}

function unlockField(reason) {
    var ga = new GlideAjax('PasswordSecurityHelper'); // Call Script Include
    ga.addParam('sysparm_name', 'logAccessAndUnlock');
    ga.addParam('sysparm_reason', reason);
    //ga.addParam('sysparm_record_id', g_form.getUniqueValue());
   
    ga.getXMLAnswer(function(response) {
        var result = JSON.parse(response);
        if (result.success) {
            // 3. SUCCESS: Unlock the field for editing
            g_form.setReadOnly('u_mfg_password', false);
            g_form.flash('u_mfg_password', 'green', 0);
            g_form.addInfoMessage('Access granted and logged.');
           
            // OPTIONAL: If "View" is needed, pop up the decrypted password
            if(result.decrypted_password) {
                 alert("Password: " + result.decrypted_password);
            }
        }
    });
}
 
//Client Callable Script Include
 
logAccessAndUnlock: function() {
    var reason = this.getParameter('sysparm_reason');
    //var docId = this.getParameter('sysparm_record_id');
    // 2. Return Success
    // If "View" is required, you can decrypt here using:
    var enc = new GlideEncrypter();
    var decrypted = enc.decrypt(gr.u_mfg_password);
   
    return JSON.stringify({ success: true });
},
    type: 'PasswordSecurityHelper'
 
 
I have one doubt about script include, I could see you have mentioned as "gr.password", what is "gr" here?
 
Do we need to create another field for reason?
 
I have added my custom password field in the script, but still am not able to get the password value.
 
Could you please check and help?
 

Note: Right now we are not concentrating on the audit logging, so I have commented those lines.

 

Thanks in Advance!

0 Helpfuls