Restricting URL to open a form
‎10-10-2012 11:41 AM
Hi All,
In my instance, when a user gives a direct URL in the address bar, he is able to view the page which is there in the URL.
For example -
https://demo10.service-now.com/nav_to.do?uri=sys_properties.do?sys_id=409fe30b0a0a2c3e287fe134cf88f1...
This is the link which I have written. If the user pastes this link in the address bar and presses Enter, the user is able to see the page even though he is logged in as an ITIL user.
I don't want this to happen. Whenever a user tries to open a page through a URL, then based upon his/her roles he should be restricted or able to get access to that form. If he is a restricted user for that form, then he should get a pop-up saying "you are restricted to view this page".
This is happening not only with forms but also with UI pages. There are a lot of forms and pages in my instance which should be viewed only by users who have specific roles. I would like to provide enough security to my instance.
Please help me with this; it is mandatory from a security point of view.
Thanks in advance,
Regards,
kanna.

‎10-10-2012 01:10 PM
There's no easy solution for this. You just have to make sure that you've got ACLs set up for all of those things to restrict access. You can read about ACLs on the wiki.
‎10-10-2012 01:30 PM
You can create ACLs where the Type is "ui_page" to protect arbitrary page URLs. e.g., if you have a UI Page named "my_page", accessible through "/my_page.do", you can create an ACL with Type = "ui_page", operation = "Read", name = "my_page", and require whatever role you like in the Required Roles related list.
Same for protecting the form itself for an existing table. To prevent a user from being able to ever see the sys_properties page, create an ACL with Type = "ui_page", operation = "Read", name = "sys_properties", and require whatever role you like in the Required Roles related list.
Works for lists too. If you don't want a user to be able to get to a sys_properties list (even one that doesn't display any records due to security constraints), create an ACL with Type = "ui_page", operation = "Read", name = "sys_properties_list", and require whatever role you like in the Required Roles related list.
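As an added example (not part of the reply above and not ServiceNow code), this helper turns URLs that a restricted role should not reach into the `ui_page` ACL names to review, using the naming convention the reply gives. The function names, the placeholder base URL and the sample URLs are constructed for illustration.

```javascript
// Added example: derive the ui_page ACL name for a URL, following the
// convention stated in the reply above ("/x.do" -> ACL name "x").
const PLACEHOLDER_BASE = 'https://instance.example'; // assumption: only used to parse relative URLs

function pageNameFromUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl, PLACEHOLDER_BASE);
  } catch (e) {
    return null; // not parseable as a URL
  }
  let target = url.pathname;
  // nav_to.do carries the real page in its "uri" parameter, e.g.
  //   nav_to.do?uri=sys_properties.do?sys_id=...
  if (target.endsWith('/nav_to.do')) {
    const inner = url.searchParams.get('uri'); // already percent-decoded
    if (!inner) return null;
    target = inner.split('?')[0]; // drop the inner query string
  }
  const match = /(?:^|\/)([A-Za-z0-9_]+)\.do$/.exec(target);
  return match ? match[1] : null;
}

// Returns one ACL description per distinct page, sorted by name.
function aclsToCheck(urls) {
  const names = new Set();
  for (const u of urls) {
    const name = pageNameFromUrl(u);
    if (name) names.add(name);
  }
  return [...names].sort().map((name) => ({ type: 'ui_page', operation: 'Read', name }));
}

// Constructed sample input; the sys_id value is a placeholder.
const sampleUrls = [
  'https://demo10.service-now.com/nav_to.do?uri=sys_properties.do?sys_id=PLACEHOLDER',
  '/sys_properties.do',
  '/nav_to.do?uri=%2Fsys_properties_list.do%3Fa%3Db',
  '/my_page.do',
  '/images/logo.png', // not a .do page, ignored
];

for (const acl of aclsToCheck(sampleUrls)) {
  console.log(`${acl.type} / ${acl.operation} / ${acl.name}`);
}
```

Each printed line is one ACL to confirm exists with the intended Required Roles; the direct and `nav_to.do` forms of the same page collapse to a single entry.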
‎10-02-2017 10:43 AM
I can't seem to get this to work.
I am trying to remove the ability for my ITIL users to get to the "create new group" page by using the URL ACL mentioned above, but it's not working.
I can still impersonate someone with just ITIL and they can get there with the URL.
??
‎11-01-2012 07:12 AM
I have written some ACLs which will restrict ITIL users from seeing the sys_user table in both list view and form view.
But when I go to the incident form and click on the magnifying glass in the assigned_to field, it does not display the users; it shows 'security constraints will not allow you to see this page'.
Can someone tell me how to resolve this issue?
I want the table-level and form-level restriction, but not the reference field restriction.
Thanks in advance
Kanna