Mobile App Login restriction

chadp · ‎04-26-2018

Hi All,

I find it hard to believe there is now way to restrict access by role to the native mobile app . I have tried using Business Rule below but am getting mixed results..

We want ONLY ITIL users to use the mobile app at this time and want to restrict access to users with 'user' role.

//Disables login for users without an ITIL role
(function executeRule(current, previous /*null when async*/) {
	var user = current.user;	
	if(gs.getUser().getUserByID(user).hasRole('user')  && gs.isMobile()){
		current.setAbortAction(true);
	}	
})(current, previous);

Please help I've spent too many hours combing the forums on something that should be an inherent feature of the app

Sagar Patro · ‎04-27-2018

I think you never changed the code

gr_roles.addQuery("role" , "2831a114c611228501d4ea6c309d626d");//Sys id of the role...admin here

put the sys_id of USER role here.

If you do that, any user which does not have USER role will not be allowed to login on the mobile.

View solution in original post

brajora · ‎06-21-2020

Thank you Guys.

In continuation to the above, can we restrict the login of user per device?

So that if they login from allowed device we allow ....

else we restrict if they login from personal mobile because the device is not configured in user.

I know it is more of MDM solution but can we get the device id set in user profile and that compared before granting login as part of installation exit?

ankit_dubey97 · ‎11-15-2023

Hi @Sagar Patro , @chadp

The below script is not working for me on the agent mobile app, need your assistance on this

gs.include("PrototypeServer");
gs.include("SSO_Helper");

var MultiSSOLogin = Class.create();
MultiSSOLogin.prototype = {
    initialize: function() {

    },

    process: function() {
        // the request is passed in as a global
        var userName = request.getParameter("user_name");
        var userPassword = request.getParameter("user_password");
        var user = GlideUser;
        var isMobile = gs.isMobile();
        if (GlideStringUtil.notNil(userName)) {
            gs.log("Test Mobile Logging using normal DB" + userName + " isMobile? " + isMobile);

            if (isMobile == "true") {
                gs.log("Test Mobile Logging using normal DB 1" + userName + " isMobile? " + gs.isMobile());

                var gr_user = new GlideRecord("sys_user");
                gr_user.addEncodedQuery("u_servicenow_departmentINIT-AUS,IT-CAN,IT-EMEA,IT-GLO,IT-SA,IT-USA");
                gr_user.addQuery("user_name", userName);
                gr_user.query();

                if (gr_user.next()) {

                    gs.log("Test Mobile : User id " + gr_user.user_name + " was success logging in @ " + gs.now());

                    request.getSession().setAttribute("glide.authenticate.multisso.login.method", "db");
                    SSO_Helper.clearCookie(SNC.SSOUtils.SSOID());
                    return user.getUser(userName);

                } else {
                    gs.log("Test Mobile : User id " + gr_user.user_name + " was blocked logging in @ " + gs.now());
                    this.loginFailed();
                    // response.sendRedirect("logout_redirect.do"); //incase you want the user to get redirected to some page. Not tested but may work
                    return "login.failed";

                }

            } else {
                var authed = user.authenticate(userName, userPassword);
                gs.log("Test Mobile Logging using normal DB 2" + userName + " isMobile? " + gs.isMobile() + "authed" + authed);

                if (authed) {

                    gs.log("Test Mobile Logging authed" + authed.toString() + " isMobile? " + gs.isMobile()); //This works perfect               

                    // it logined with normal DB creds in a multisso environment.
                    request.getSession().setAttribute("glide.authenticate.multisso.login.method", "db");
                    SSO_Helper.clearCookie(SNC.SSOUtils.SSOID());
                    gs.log("Test Mobile : User id " + user.getUser(userName) + " was success logging in @ " + gs.now());
                    return user.getUser(userName);
                }
            }

        } else if (SNC.AuthenticationHelper.isMutualAuth()) {
            var userLoginName = user.authenticateMutualAuthToken();
            if (userLoginName != null) {
                SSO_Helper.clearCookie(SNC.SSOUtils.SSOID());
                gs.log("Test Mobile : User id " + user.getUser(userLoginName) + " was blocked logging in @ " + gs.now());
                return user.getUser(userLoginName);
            }
        }

        this.loginFailed();
        gs.log("Test Mobile Logging failed " + userName + " isMobile? " + gs.isMobile());
        return "login.failed";
    },

    loginFailed: function() {
        var sysMessage = GlideSysMessage;
        var gs = GlideSession.get();
        if (request.getSession().getAttribute("glide.authenticate.local.login.method") == "certificate") {
            var message = sysMessage.format("cert_login_invalid");
            gs.addErrorMessage(message);
        } else if (GlideController.exists("glide.auth.policy.ui.error.message")) {
            var authPolicyError = GlideController.getGlobal("glide.auth.policy.ui.error.message");
            if (GlideStringUtil.notNil(authPolicyError)) {
                gs.addErrorMessage(sysMessage.format(authPolicyError));
            }
        } else {
            var message = sysMessage.format("login_invalid");
            gs.addErrorMessage(message);
        }
    }
};