‎07-22-2016 01:32 PM
Hi Everybody!
In a catalog item I have a Lookup Select Box that pulls a filtered set of groups from our sys_user_group table. This will ultimately determine routing of a specific request, which all works fine simply using "task.setDisplayValue('assignment_group', current.variables.ourvariablename);" in the task we want pointed.
Unfortunately, during testing I found out our end users cannot see the items in this select box, most likely due to no ACL existing which by default allows end users to read data from the Group table.
What is the most basic way I can make an ACL which grants access to the Name field on sys_user_group? I've tried the following and thus far haven't seen any success:
Access Control:
Type: Record
Operation: Read
Admin Overrides: True
Name: Group [sys_user_group]
Field: Name
Advanced: True
Script:
    if (gs.getUser().hasRoles())
        answer = true;
    else
        answer = false;
Is there an easier way to simply allow this field for anybody to see?

‎07-22-2016 01:37 PM
Example:
And to test with Joe Employee... can read the list. If I drill in to the record, I get just read-only fields.

‎07-22-2016 01:34 PM
The most basic way is to add the role public and do away with the condition or script.
Using Access Control Rules - ServiceNow Wiki
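
A small model of the ACL decision discussed in this thread, as an added example that is not part of any post and is not ServiceNow code. It assumes an ACL passes only when its role requirement and its script both pass, that a required role of `public` matches every user, and that `hasRoles()` is true only for a user holding at least one role; `makeUser`, `evaluateAcl` and the sample users are hypothetical.

```javascript
// Simplified model of a single ACL decision. Illustration only: makeUser,
// evaluateAcl and the sample users are hypothetical, not ServiceNow APIs.
function makeUser(name, roles) {
  return {
    name,
    hasRole: (r) => roles.includes(r),
    // Stands in for gs.getUser().hasRoles(): true when any role is held.
    hasRoles: () => roles.length > 0,
  };
}

function evaluateAcl(acl, user) {
  if (acl.adminOverrides && user.hasRole('admin')) {
    return { allowed: true, reason: 'admin override' };
  }
  // Assumption: a required role of "public" matches every user.
  const roleOk = acl.roles.length === 0 ||
    acl.roles.some((r) => r === 'public' || user.hasRole(r));
  if (!roleOk) return { allowed: false, reason: 'role requirement' };
  if (acl.script && !acl.script(user)) {
    return { allowed: false, reason: 'script returned false' };
  }
  return { allowed: true, reason: 'role and script passed' };
}

// The ACL as posted in the question: no required role, script checks hasRoles().
const scriptedAcl = { name: 'scripted', adminOverrides: true, roles: [],
  script: (user) => user.hasRoles() };

// The variant from the reply: role "public", no condition or script.
const publicAcl = { name: 'public', adminOverrides: true, roles: ['public'],
  script: null };

// Constructed sample users.
const users = [
  makeUser('admin.user', ['admin']),
  makeUser('itil.user', ['itil']),
  makeUser('joe.employee', []), // end user with no roles
];

function report() {
  return users.flatMap((u) => [scriptedAcl, publicAcl].map((acl) => (
    { user: u.name, acl: acl.name, ...evaluateAcl(acl, u) })));
}

console.table(report());
```

In this model the scripted rule admits the admin and ITIL users but rejects the role-less end user at the script step, while the `public` rule admits all three.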

‎07-22-2016 02:01 PM
Chuck - Thanks. I didn't know about the Public role. I tried that but still no luck. Confirmed that as an admin or ITIL user the variable select box still works, but not in ESS. Even tried replacing the Field of "Name" to "*" on the ACL.
Hard to test a list view with Joe Employee because all of our non-role users are forced to a custom ESS page with no navigation pane. Workaround for testing purposes?
Maybe I need to explain the variable better? There may be a table in the middle being used somewhere that I'm not sure of..
Type: Lookup Select Box
Type Specifications -
Lookup from table: Group [sys_user_group]
Lookup value field: Name
Includes None: True
Reference qual: type=sysIDofGroupTypesWeUse^typeNOT LIKEsysIDofGroupTypeNotDesired^active=true
It brings the select box to about 12 options when working properly.

‎07-22-2016 02:05 PM
For testing, can a non-roled user get to the standard UI?
https://yourinstance.service-now.com/navpage.do (replace yourinstance with your instance)
Then in the navigation menu filter, type sys_user_group.list and see if they can get a list.
If not, go back to being admin, go to System Diagnostics > Debug Security, re-impersonate and test. You should see debug output at the bottom of the form like this:
That will tell you if you are getting in with read access or not and why/why-not.