ACL about sn_cc.ConnectionInfoProvider API

panda1
Kilo Guru

I get the connection attribute through this API in a script include (business rule call):

var provider = new sn_cc.ConnectionInfoProvider();
var connectionInfo = provider.getConnectionInfo("6219afbf9f03320021dd7501942e70fc");
if (connectionInfo != null) {
  var datamap = connectionInfo.getDataMap();
  gs.info(datamap["name"]);
  gs.info(datamap["connection_url"]);
} else {
  // ...
}

However, it was rejected by the ACL and connectionInfo returned null.

The log looks like this:

Security constraints prevent displaying information:no thrown error

When I use the admin user, everything is normal. This problem occurs when I switch to the normal user.

In my impression, this is a server-side API, and the ACL should not be executed.

ConnectionInfoProvider - Scoped, Global | ServiceNow Developers

I don't see any information in the API documentation.

Although the API works normally after adding a role to normal users, it seems to be abnormal behavior. Normal users should not have this role.

https://community.servicenow.com/community?id=community_question&sys_id=c3d6cbaddba4f700e0e80b55ca96191f&anchor=answer_f3b4df481b641410fff162c4bd4bcbdd&view_source=searchResult

This seems to be the same as Luis Franco's problem in the link.

Unfortunately, the connection provided by him has expired and cannot be viewed.

Does anyone know why?

5 REPLIES

The underlying problem is that the ACL evaluation for sys_connection and discovery_credentials is broken when evaluated in a sn_cc context.

This means that you cannot create a precise ACL narrowing down access to the exact connection you want to allow read access to, but instead you're forced to give "broad" (read) access.

I've tried several things in the ACL for sys_connection, but neither data conditions nor scripts work for a sn_cc context.

So what I ended up with were two query BRs:
1.) "sys_connection" with condition "gs.hasRole('integration_user_role') && !gs.hasRole('admin')" and the script: "current.addQuery('connection_alias.id', 'the_connection_alias_id')"

2.) "discovery_credentials" with same condition as 1, but the following script:

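	// Collect the credentials referenced by the connections this user can read.
	// For these users the query below is itself narrowed by query BR 1.
	const connGr = new GlideRecordSecure('sys_connection');
	connGr.addNotNullQuery('credential');
	let cond = null;
	connGr.query();
	while (connGr.next()) {
		if (cond) {
			// Further credentials are OR-ed onto the first condition.
			cond.addOrCondition('sys_id', connGr.credential);
		} else {
			cond = current.addQuery('sys_id', connGr.credential);
		}
	}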
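
The loop in query BR 2 adds no condition to `current` when no readable connection carries a credential. The following added example (not code from the thread or from ServiceNow) builds the credential filter as an encoded query that matches nothing in that case and rejects values that are not sys_ids. The function names, the `x_demo.*` alias ids and the sample rows are constructed, and using `sys_idISEMPTY` as a match-nothing query is an assumption.

```javascript
// Added example, not code from the thread. All names are hypothetical.
const SYS_ID = /^[0-9a-f]{32}$/;   // a sys_id is 32 lowercase hex characters
// Assumption: sys_id is never empty, so this encoded query matches no row.
const DENY_ALL = 'sys_idISEMPTY';

// connections: plain objects copied from sys_connection rows,
//   { aliasId: <connection_alias.id>, credential: <credential sys_id or ''> }
// allowedAliasIds: alias ids the integration role is allowed to resolve.
function credentialScopeQuery(connections, allowedAliasIds) {
  const allowed = new Set(allowedAliasIds);
  const ids = new Set();
  for (const row of connections) {
    if (!allowed.has(row.aliasId)) continue;   // same narrowing as query BR 1
    const cred = String(row.credential || '');
    if (!cred) continue;                       // connection without a credential
    if (!SYS_ID.test(cred)) return DENY_ALL;   // never splice unexpected text into a query
    ids.add(cred);
  }
  // An empty set must not leave the credential query unfiltered.
  return ids.size ? 'sys_idIN' + [...ids].join(',') : DENY_ALL;
}

// Models which credential sys_ids a query built above lets through.
function visibleCredentials(query, credentialSysIds) {
  if (!query.startsWith('sys_idIN')) return [];
  const allow = new Set(query.slice('sys_idIN'.length).split(','));
  return credentialSysIds.filter((id) => allow.has(id));
}

// Constructed sample data.
const CRED_A = 'a'.repeat(32);
const CRED_B = 'b'.repeat(32);
const SAMPLE = [
  { aliasId: 'x_demo.alias_a', credential: CRED_A },
  { aliasId: 'x_demo.alias_b', credential: CRED_B },
  { aliasId: 'x_demo.alias_a', credential: '' },
];

// In the business rule this would feed current.addEncodedQuery(...).
console.log(credentialScopeQuery(SAMPLE, ['x_demo.alias_a']));
console.log(credentialScopeQuery(SAMPLE, ['x_demo.unknown']));
```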