navakanth
ServiceNow Employee

Entitlements or User Criteria control the accessibility of categories and catalog items in Service Catalog. They are evaluated before the pages are rendered while browsing the Catalog. The purpose of this blog is to explain how these criteria are applied when deciding whether a category or catalog item can be shown to the user. I assume that readers are familiar with how to define Entitlements/User Criteria for a category or catalog item. Please refer to the following for more information:

For entitlements based security: Legacy service catalog access controls

For user criteria: Set security for items and categories

Evaluation of visibility of category:

System goes through the following steps to decide if the category is visible to the user:

1. If category is inactive it returns false.

2. The system evaluates the user against the roles defined in the "glide.sc.category.canview.override" property. If the user passes this test, the system checks whether the category contains any active catalog items that are visible to the user (see below for how item visibility is evaluated). The category is visible (and the check stops) if there is at least one visible catalog item.

3. At this point the user is evaluated against entitlements/user criteria. Entitlements: the user is evaluated against all the entitlements defined for this category. If the user does not pass this step, the check stops and returns false. If the user passes this step, the check continues to the next step.

User criteria: the system first checks the "not available for" user criteria defined on the category. If the user passes any of these, the check stops and returns false. Then it checks the "available for" user criteria defined on the category. The system continues to the next step if the user passes this step.

4. At this stage the user has passed all the checks for the category. But showing an empty category is useless, so the system checks whether there is any visible active catalog item in the category (or any of its sub-categories). If there is at least one such catalog item, the category widget is visible to the user.

Evaluation of visibility of catalog item for the user:

System goes through the following steps to decide if the catalog item is visible to the user:

  1. If the item is inactive then it is not visible.
  2. Then the system evaluates the user against the roles defined in "glide.sc.entitlement.override". If the user has the role then the item is visible to the user.
  3. At this point the user is evaluated against entitlements/user criteria. If entitlements are enabled, the user is evaluated against all the entitlements defined for the item. If user criteria are enabled and the user passes a "not available for" user criteria then the item is not visible to the user. Then, if the user passes the "available for" criteria on the item, the item is visible to the user.
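
The two evaluation orders above, written out as a small model for reasoning about a catalog's configuration. This is an added example, not ServiceNow code: it covers only the user criteria path (not entitlements), and every function name, the record shape, the sample role lists and the sample data are assumptions made for illustration.

```javascript
// Plain-JavaScript model of the evaluation order above; it calls no ServiceNow API.
// User criteria are modeled as predicates over a constructed user object.
const props = { // constructed sample role lists for the two override properties
  'glide.sc.category.canview.override': ['catalog_admin'],
  'glide.sc.entitlement.override': ['catalog_admin'],
};
const hasAnyRole = (user, roles) => roles.some((r) => user.roles.includes(r));
const matchesAny = (user, criteria) => criteria.some((c) => c(user));

// User criteria step: "not available for" is checked first and wins.
function passesCriteria(user, record) {
  if (matchesAny(user, record.notAvailableFor)) return false;
  // Assumption: an empty "available for" list restricts nobody.
  return record.availableFor.length === 0 || matchesAny(user, record.availableFor);
}

// The item check never consults the category the item sits in.
function canViewItem(user, item) {
  if (!item.active) return false; // step 1
  if (hasAnyRole(user, props['glide.sc.entitlement.override'])) return true; // step 2
  return passesCriteria(user, item); // step 3
}

function itemsOf(cat, deep) { // deep=true also walks the sub-categories
  return cat.items.concat(deep ? cat.subcategories.flatMap((s) => itemsOf(s, true)) : []);
}

function canViewCategory(user, cat) {
  if (!cat.active) return false; // step 1
  const seesOne = (deep) => itemsOf(cat, deep).some((i) => canViewItem(user, i));
  // Step 2: the override role only short-circuits when an item is visible.
  // Assumed reading: with no visible item, evaluation falls through to step 3.
  const override = hasAnyRole(user, props['glide.sc.category.canview.override']);
  if (override && seesOne(false)) return true;
  if (!passesCriteria(user, cat)) return false; // step 3
  return seesOne(true); // step 4: an empty category is never shown
}

// Constructed sample catalog and users.
const rec = (o) => ({ active: true, availableFor: [], notAvailableFor: [], items: [], subcategories: [], ...o });
const inDept = (d) => (u) => u.department === d;
const vpn = rec({ availableFor: [inDept('IT')], notAvailableFor: [(u) => u.contractor] });
const laptop = rec({}), empty = rec({});
const remote = rec({ notAvailableFor: [inDept('Sales')], items: [vpn, laptop] });
const parent = rec({ subcategories: [remote] });
const alice = { roles: [], department: 'IT', contractor: false };
const bob = { roles: [], department: 'IT', contractor: true };
const dave = { roles: [], department: 'Sales', contractor: false };
const carol = { roles: ['catalog_admin'], department: 'Sales', contractor: true };
console.log(canViewItem(bob, vpn), canViewCategory(bob, remote)); // false true
```

In this model `dave` is refused the `remote` category yet passes the item check for `laptop`, because the item steps look only at the item's own criteria; restricting a category does not by itself restrict the items inside it.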

Now that we understand how visibility is evaluated, let's see how this is applied to the various browsing pages in Service Catalog.

Catalog homepage:

The above page is configured by an admin (catalog_admin) to render the desired categories as widgets. Each widget has two possible views, and each view shows a different level of information. Please see the following for more information on how to add widgets to the homepage:

View and navigate a service catalog

  1. Category details view:

In this view widget shows the Desktop image and the description of the category. If the category is visible to the user then the widget will be shown.

  2. List of items view:

In this view widget shows a list of items that are part of the category visible to the user. The number of items listed is controlled by the property "glide.sc.max_items". In this case system first checks if the category is visible. If the category is visible then it gets the list of items and evaluates if the item is visible to the user.

Category view page:

The category browsing page first checks if the category is visible to the user. If it is not visible then a "Not authorized" message is shown. If the category is visible to the user then the system finds the list of items of the category (and its sub-categories) and evaluates their visibility for the user.

Catalog item view page:

As expected for this page, the system just evaluates whether the user can view the catalog item. If the item is not visible then a "Not authorized" message is shown. If the item is visible then the item view is rendered.

Last update: 09-15-2016 12:44 AM