Comments and Work Notes ACL not working. Work notes showing for end users

jlt · ‎09-23-2016

It was recently reported that our end users are seeing work notes made by ITIL roled users in the comments and work notes and/or Activities (filtered) fields on forms even though there is an ACL that limits read access to task.work_notes to users with the role ITIL. If I add the field "work note" to the Self Service View, it appropriately is hidden from the non roled users view so the ACL is hiding the work notes field, but any work notes made previously still show in these journaled lists.

I know this was not always the case and am unsure when this problem emerged for us.

Can anyone tell me how to hide the worknotes in the journals lists from non-roled users but still allow them to create/read additional comments?

jlt · ‎09-23-2016

Well even though I think the advanced script shouldn't have affected anything since both advanced script and required role should have evaluated to true.. I removed the advanced script and unchecked box and it seems to be working now.

Now to figure out what stopped working with the advanced script that once worked.

var user_id = gs.getUserID();

if ((current.assigned_to == user_id) ||

gs.hasRole("itil"))

answer = "true";

else answer = "false";

jlt · ‎09-29-2016

So while removing advanced script and adding role was a quick fix.. it is not ideal solution as I needed the advanced script.

I am finding that the system isn't even evaluating the advanced scripts for this ACL.

When the "comments_and_work_notes" field is used on the task form, users without roles can see work note entries regardless of the ACL script and condition returning false for task.work_notes. When a required role is related to the security ACL for task.work_notes, the comments_and_work_notes does not show work_notes for users without the role. It appears the comments_and_work_notes field uses the required roles and ignores ACL scripts and conditions. F

Michael Fry1 · ‎09-29-2016

I'm not sure why you need it since assigned to must have an itil role.

Regardless, we can rewrite that acl with something like:

answer = (current.assigned_to == gs.getUserID() || gs.hasRole("itil") );

or you can use something like:

if (gs.hasRole('itil') || current.assigned_to == gs.getUserID() ){

answer = true;

}

chris_smith · ‎09-23-2016

Hi Jessica,

One thing I really like to use is the 'Debug Security' link in the Left Nav under 'System Diagnostics' in case you aren't familiar with it.

http://wiki.servicenow.com/index.php?title=Using_Access_Control_Rules#Debugging

Try turning that on and if you know of a user that is experiencing that level of visibility, impersonate them, and try accessing an example record.

When you open that record (might take a bit longer to load) it will produce a bunch of logging on the bottom of it. Usually you can search for that field on the page and find the rules that might be permitting access to the work notes and also find the exact ACL that is causing this. I think you're right it does seem like an ACL issue of some sort. I would try using the debug feature.

When you're done just click on the 'Stop Debugging' link in the left Nav. to turn off the logging.

jlt · ‎09-23-2016

Yes I have looked at the debugger but since I do want the additional comments field (a journal list) or Activities (filtered) to show the customer visible comments, I think these fields should be visible. I just don't think it should show any of the work notes within the list. So the debugger doesn't help me there. It does correctly hide the work_notes field if I add it to the form because of the ACL.