Business Rules Honoring ACLs?

Matthew Glenn
Kilo Sage

‎08-01-2018 06:10 PM

I have a fun one here. 

We have a business rule that assists with an auto-assignment process that we have on the Incident table (and a few others). As a part of this process, this business rule runs a glideaggregate to the incident table and determines the workload each technician has at that exact moment. Whoever has the lowest perceived workload, gets the assignment.

Here is the GlideAggregate code we're running. It's about as simple as one can get

//count up the incidents
var inc = new GlideAggregate('incident');
inc.addAggregate('COUNT');
inc.addEncodedQuery('active=true^assigned_to=' + tech);
inc.query();
if(inc.next()){
    incPoints = inc.getAggregate('COUNT');
}

 

Here's the issue: this business rule appears to be honoring ACLs that are in place against the incident table, although I believe I've read that this shouldn't be the case, both here on the Community and in the docs somewhere.

My reason for thinking ACLs are the culprit is if I submit an incident via our Service Portal using my own account (with the admin role), the glideaggregate pulls back and tallies all active incidents assigned to each tech, as intended.

However, when I run this as an ESS user via the Service Portal, the glideaggregate only pulls back records for which the user is in the caller_id or opened_by fields, or on the watch_list. Coincidentally, these are the exact conditions for our ACLs that we have applied to ESS users on the incident table.

Not that it provides much evidence to my theory, but below is a quick shot of some logs I created for troubleshooting.

You can see my admin account pulls back a lot more records from the incident table that the ESS users account does not

find_real_file.png

 

Oddly enough, one of the other lookups we do is to the sc_req_item table, which is working just fine. We are only experiencing this issue on the incident table.

 

So, my question is, do business rules, in fact, ignore ACLs and run as the system? Or are those ACLs being honored here? If the latter, is there anything I can do to bypass this?

Preview file
95 KB
Preview file
95 KB
0 Helpfuls
  • 1,483 Views
5 REPLIES 5

SatheeshKumar
Kilo Sage

‎08-01-2018 07:34 PM

Hi Mathew, I think business rule has some dependendicies with user context, Try replacing the same script to a script include to resolve this issue!! Thanks, Satheesh
0 Helpfuls

Matthew Glenn
Kilo Sage
In response to SatheeshKumar

‎08-01-2018 08:24 PM

Converted to a Script Include, but I'm still seeing the issue, unfortunately.

0 Helpfuls

Kamal17
Kilo Sage

‎08-01-2018 07:39 PM

Hi,

I believe this is expected. When you are impersonating a user and running a business rule, the rule will be run as the user whom you are impersonating. You can verify it from the created by field in your logs. As a result ACLs are applied here and affects your results.

WorkAround: Try using gs.getSession().impersonate(adminUser); in your business rule. This will help you to run that specific business rule as an admin all the time and helps you to fetch all records using glideaggregate query.

Mark Correct if this solves your issue. Hit Like/Helpful based on the impact.

Regards,

Udhay

Matthew Glenn
Kilo Sage
In response to Kamal17

‎08-01-2018 08:23 PM

So, this appears to work the first time. But not after that, unless I log out/in. Then it works again (for the first time only). If I attempt to submit a few incidents back to back, only the first one works. 

I can see the impersonation start/end in the log files, and it's only triggering the one time 😕

 

 

0 Helpfuls