system property in ACL for "security_admin"

SM24
Giga Guru

Hello All,

I need to implement a restriction on certain business rules for the "admin" role while allowing visibility and edit access for "security_admin". The steps taken so far are as follows:

  1. Created a system property (special_access_br) to store the sys_ids of the specific business rules to be restricted.
  2. Established a read ACL on the sys_script (business rule) table, with a script that ensures security_admin can view the business rules stored in the system property, while other users (such as business_rule_admin or admin) can view all other business rules except those listed in the property.

Despite these configurations, the setup is not functioning as intended.

ACL Script:

```javascript
var restrictedBRs = gs.getProperty('special_access_br');
var restrictedBRsArray = restrictedBRs.split(',');
var isRestrictedBR = restrictedBRsArray.indexOf(current.sys_id.toString()) !== -1;

if (gs.hasRole('security_admin')) {
    return true;
}
// hasRole() is not defined in this scope (the GlideSystem method is gs.hasRole()),
// so this line throws a ReferenceError for every user who is not security_admin.
if ((hasRole('admin') || hasRole('business_rule_admin')) && isRestrictedBR) {
    return false;
}
return !isRestrictedBR;
```

Any assistance or insights to resolve this issue would be greatly appreciated.

Thank you for your support.

1 ACCEPTED SOLUTION

Hi @SM24,

Try the following instead:

```javascript
if (gs.hasRole('security_admin')) {
    answer = true;
} else {
    var restrictedBRs = gs.getProperty('special_access_br');
    var restrictedBRsArray = restrictedBRs.split(',');
    var canSeeBR = restrictedBRsArray.indexOf(current.sys_id.toString()) > -1;

    if (!canSeeBR) {
        answer = false;
    } else {
        if (gs.hasRole('admin') || gs.hasRole('business_rule_admin')) {
            answer = true;
        } else {
            answer = false; // explicit deny; an unset answer is also treated as false
        }
    }
}
```

Also, make sure Admin overrides is unchecked.

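The accepted answer's decision logic, rewritten here as an added example (not code from the thread or from ServiceNow) so it can be exercised outside an instance: the property value and a `hasRole(name)` predicate standing in for `gs.hasRole()` are passed in, and the list parsing tolerates a missing property and stray whitespace, which the one-line `split(',')` above does not.

```javascript
// Added example, not code from the thread: the accepted answer's ACL
// decision as a pure function so it can be exercised outside an instance.
// Assumed inputs: the raw value of the special_access_br property and a
// hasRole(name) predicate standing in for gs.hasRole().
function parseRestrictedList(propertyValue) {
  // gs.getProperty() returns null when the property is missing; tolerate
  // that, stray whitespace and empty entries such as "a, ,b,".
  return String(propertyValue || '')
    .split(',')
    .map(function (s) { return s.trim(); })
    .filter(function (s) { return s.length > 0; });
}

// ACL answer for one sys_script record: true allows, false denies.
function checkAccessToBR(sysId, propertyValue, hasRole) {
  var listed = parseRestrictedList(propertyValue).indexOf(String(sysId)) > -1;
  if (hasRole('security_admin')) {
    return true;              // security_admin sees every business rule
  }
  if (!listed) {
    return false;             // everyone else only sees listed rules
  }
  // The accepted answer leaves `answer` unset here, which the ACL engine
  // treats as false; an explicit deny keeps the default obvious.
  return hasRole('admin') || hasRole('business_rule_admin');
}

// Builds a hasRole() stand-in from a constructed role list.
function roleSet(roles) {
  return function (name) { return roles.indexOf(name) > -1; };
}

// Constructed sample data; the sys_ids are placeholders, not real records.
var SAMPLE_PROPERTY = ' aaaa0001, bbbb0002 ,,cccc0003';

// Decision table over the roles the thread discusses; returns the rows.
function decisionTable() {
  var cases = [
    ['security_admin', 'zzzz9999'],
    ['admin', 'aaaa0001'],
    ['admin', 'zzzz9999'],
    ['business_rule_admin', 'bbbb0002'],
    ['itil', 'aaaa0001']
  ];
  return cases.map(function (c) {
    return { role: c[0], sysId: c[1],
             allow: checkAccessToBR(c[1], SAMPLE_PROPERTY, roleSet([c[0]])) };
  });
}
```

Note that "Admin overrides" on the ACL record still bypasses the script entirely for admin, so the function above only models the script branch.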

9 REPLIES

Ankur Bawiskar
Tera Patron

@SM24

Did you check whether any other table-level ACL is allowing the access?

Your script looks fine. Did you add logs to the script above?

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

Hi @Ankur Bawiskar ,

I have disabled the default read ACL on the "sys_script" table and created a new ACL.


With this new configuration, only users with the "security_admin" role have visibility of all business rules. However, "admin" users currently cannot view any business rules.

According to the requirement, "admin" users should have restricted access to view only the business rules specified in the "special_access_br" list.

@SM24 

Did you try debugging the ACL script by adding logs?

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

Hi @Ankur Bawiskar ,

Yes, I tried; it is not going inside the loop, just returning the 1st log "Running function checkAccesstoBR".

```javascript
answer = checkAccesstoBR();

function checkAccesstoBR() {
    gs.log('Running function checkAccesstoBR');
    var restrictedBRs = gs.getProperty('special_access_br');
    var restrictedBRsArray = restrictedBRs.split(',');
    var isRestrictedBR = restrictedBRsArray.indexOf(current.sys_id.toString()) > -1;
    // hasRole() is not defined in this scope (the GlideSystem method is gs.hasRole()),
    // so the call below throws a ReferenceError right after the first log line is written.
    if (hasRole('security_admin')) {
        gs.log('Security Admin checking - ALL BRs');
        return true;
    }
    if ((hasRole('admin') || hasRole('business_rule_admin')) && isRestrictedBR) {
        gs.log('Admin checking - BRs not present in property');
        return false;
    }
    return !isRestrictedBR;
}
```