Restricting URL to open a form

CChinnakannappa
Kilo Explorer

Hi All,

In my instance, when a user enters a direct URL in the address bar, he is able to view the page that the URL points to.
For example -
https://demo10.service-now.com/nav_to.do?uri=sys_properties.do?sys_id=409fe30b0a0a2c3e287fe134cf88f1...

This is the link I have written; if the user pastes this link into the address bar and presses Enter, he is able to see the page even though he is logged in as an ITIL user.
I don't want this to happen. Whenever a user tries to open a page through a URL, he/she should be restricted or granted access to that form based on his/her roles. If he is restricted from that form, he should get a pop-up saying "you are restricted to view this page".

This is not only happening for forms but also for UI pages. There are a lot of forms and pages in my instance which should be viewed only by users who have specific roles. I would like to provide enough security to my instance.

Please help me on this; it is mandatory from a security point of view.

Thanks in advance,
Regards,
Kanna.


Mark Stanger
Giga Sage

There's no easy solution for this. You just have to make sure that you've got ACLs set up for all of those things to restrict access. You can read about ACLs on the wiki.


CapaJC
ServiceNow Employee

You can create ACLs where the Type is "ui_page" to protect arbitrary page URLs. e.g., if you have a UI Page named "my_page", accessible through "/my_page.do", you can create an ACL with Type = "ui_page", operation = "Read", name = "my_page", and require whatever role you like in the Required Roles related list.

Same for protecting the form itself for an existing table. To prevent a user from being able to ever see the sys_properties page, create an ACL with Type = "ui_page", operation = "Read", name = "sys_properties", and require whatever role you like in the Required Roles related list.

Works for lists too. If you don't want a user to be able to get to a sys_properties list (even one that doesn't display any records due to security constraints), create an ACL with Type = "ui_page", operation = "Read", name = "sys_properties_list", and require whatever role you like in the Required Roles related list.
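As an added illustration (not code from this thread or from ServiceNow), a small JavaScript model of the ui_page ACL matching described above: the ACL is named after the page file without ".do", so the name that matters for a nav_to.do-wrapped link is the inner target page. It assumes a constructed ACL set, treats a page with no matching ui_page ACL as unrestricted, and simplifies the real ACL engine to a required-roles check.

```javascript
// Constructed ui_page ACLs in the shape the answer describes:
// Type = "ui_page", operation = "Read", name = page, Required Roles.
const ACLS = [
  { type: "ui_page", operation: "read", name: "sys_properties", roles: ["admin"] },
  { type: "ui_page", operation: "read", name: "sys_properties_list", roles: ["admin"] },
  { type: "ui_page", operation: "read", name: "my_page", roles: ["itil_admin"] },
];

// Reduce a URL to the page name an ACL would be named after.
// Assumption: a nav_to.do?uri=... wrapper is unwrapped to its inner page.
function pageNameFromUrl(url) {
  let path = url;
  const wrapped = url.match(/nav_to\.do\?uri=([^&]+)/);
  if (wrapped) path = decodeURIComponent(wrapped[1]);
  const file = path.split("?")[0].split("/").pop();
  return file.replace(/\.do$/, "");
}

// Simplified read check: allowed when no ui_page ACL names the page,
// otherwise only when the user holds one of the required roles.
function canRead(url, userRoles, acls = ACLS) {
  const page = pageNameFromUrl(url);
  const matching = acls.filter(
    (a) => a.type === "ui_page" && a.operation === "read" && a.name === page
  );
  if (matching.length === 0) {
    return { page, allowed: true, reason: "no ui_page ACL for this page" };
  }
  const ok = matching.some((a) => a.roles.some((r) => userRoles.includes(r)));
  return { page, allowed: ok, reason: ok ? "required role held" : "required role missing" };
}

// Constructed URLs; the sys_id is a placeholder, not a real record.
const WRAPPED = "https://example.service-now.com/nav_to.do?uri=sys_properties.do?sys_id=PLACEHOLDER_SYS_ID";
const LIST = "https://example.service-now.com/sys_properties_list.do";
console.log(canRead(WRAPPED, ["itil"]));  // itil user blocked on the inner page
console.log(canRead(LIST, ["admin"]));    // admin allowed on the list
```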


I can't seem to get this to work.

I am trying to remove the ability for my ITIL users to get to the "create new group" page by using the URL ACL mentioned above, but it's not working.

I can still impersonate someone with just ITIL and they can get there with the URL.

??


CChinnakannappa
Kilo Explorer

I have written some ACLs which restrict ITIL users from seeing the sys_user table in both list view and form view.
But when I go to the incident form and click the magnifying glass in the assigned_to field, it does not display the users; it shows 'security constraints will not allow you to see this page'.

Can someone tell me how to resolve this issue?
I want the table- and form-level restriction but not the reference field restriction.

Thanks in advance
Kanna