system property in ACL for "security_admin"

SM24
Giga Guru

Hello All,

I need to implement a restriction on certain business rules for the "admin" role while allowing visibility and edit access for "security_admin". The steps taken so far are as follows:

  1. Created a system property (special_access_br) to store the sys_ids of the specific business rules to be restricted.
  2. Established a read ACL on the sys_script (business rule) table, with a script that ensures security_admin can view the business rules stored in the system property, while other users (such as business_rule_admin or admin) can view all other business rules except those listed in the property.

Despite these configurations, the setup is not functioning as intended.

ACL Script :

    var restrictedBRs = gs.getProperty('special_access_br');
    var restrictedBRsArray = restrictedBRs.split(',');
    var isRestrictedBR = restrictedBRsArray.indexOf(current.sys_id.toString()) !== -1;

    if (gs.hasRole('security_admin')) {
        return true; 
    }
    if ((hasRole('admin') || hasRole('business_rule_admin')) && isRestrictedBR) {
        return false; 
    }
    return !isRestrictedBR;

Any assistance or insights to resolve this issue would be greatly appreciated.

Thank you for your support.
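The intended decision (security_admin reads every business rule; admin and business_rule_admin read everything except the sys_ids listed in the property) modelled as a plain function outside the platform, as an added example that is not part of the original post. The names parseRestrictedIds and canReadBusinessRule, and the sample sys_ids, are assumptions; the roles array stands in for gs.hasRole() and the sysId argument for current.sys_id.

```javascript
// Added example: models the ACL decision so the role/business-rule matrix
// can be checked without gs or current. Names are assumptions for this example.

// Parse the comma-separated sys_id list stored in the system property.
// Trimming and dropping empty entries avoids a pitfall: a value such as
// "abc, def" would otherwise store " def" and never match indexOf().
function parseRestrictedIds(propertyValue) {
    if (!propertyValue) return [];
    return propertyValue
        .split(',')
        .map(function (id) { return id.trim(); })
        .filter(function (id) { return id.length > 0; });
}

// roles: role names the current user holds (security_admin only counts after
// elevation, as noted later in the thread); sysId: the record being read.
function canReadBusinessRule(roles, sysId, propertyValue) {
    var restricted = parseRestrictedIds(propertyValue);
    var isRestrictedBR = restricted.indexOf(String(sysId)) !== -1;
    var hasRole = function (r) { return roles.indexOf(r) !== -1; };

    // security_admin sees every business rule, restricted or not.
    if (hasRole('security_admin')) return true;
    // Everyone else (admin, business_rule_admin, ...) is denied only the
    // rules listed in the property.
    return !isRestrictedBR;
}

// Constructed sample property value (not real sys_ids); note the stray
// space and trailing comma, which parseRestrictedIds tolerates.
var SAMPLE_PROPERTY = 'br0001, br0002,';

// Evaluate the policy for a few role/record combinations.
function decisionTable() {
    var cases = [
        { roles: ['security_admin'], sysId: 'br0001' },      // restricted BR, allowed
        { roles: ['admin'], sysId: 'br0001' },               // restricted BR, denied
        { roles: ['admin'], sysId: 'br0003' },               // ordinary BR, allowed
        { roles: ['business_rule_admin'], sysId: 'br0002' }  // restricted BR, denied
    ];
    return cases.map(function (c) {
        return {
            roles: c.roles.join('+'),
            sysId: c.sysId,
            allowed: canReadBusinessRule(c.roles, c.sysId, SAMPLE_PROPERTY)
        };
    });
}
```

Running decisionTable() gives one row per case so the matrix can be compared against what the instance actually shows each user.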

@SM24 

to check role you should use gs object and it should be like this

answer = checkAccesstoBR();

function checkAccesstoBR() {
    gs.log('Running function checkAccesstoBR');
    var restrictedBRs = gs.getProperty('special_access_br');
    var restrictedBRsArray = restrictedBRs.split(',');
    var isRestrictedBR = restrictedBRsArray.indexOf(current.sys_id.toString()) > -1;
    if (gs.hasRole('security_admin')) {
        gs.log('Security Admin checking - ALL BRs');
        return true;
    }
    if ((gs.hasRole('admin') || gs.hasRole('business_rule_admin')) && isRestrictedBR) {
        gs.log('Admin checking - BRs not present in property');
        return false;
    }
    return !isRestrictedBR;
}

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader

James Chun
Kilo Patron

Hi @SM24,

I would recommend using Data Filtration instead of modifying OOB ACLs.

But if you must use ACL, try the following script instead:

 if (gs.hasRole('security_admin')) {
     answer = true;
     return;
 }

 var restrictedBRs = gs.getProperty('special_access_br');
 var restrictedBRsArray = restrictedBRs.split(',');
 // true when this record's sys_id is listed in the property
 var canSeeBR = restrictedBRsArray.indexOf(current.sys_id.toString()) > -1;

 if (!canSeeBR) {
     answer = false;
 } else {
     if (gs.hasRole('admin') || gs.hasRole('business_rule_admin')) {
         answer = true;
     }
 }

Note that gs.hasRole('security_admin') returns true after elevating to the role.

Cheers

Hi @James Chun ,

Initially, I attempted to implement data filtering; however, I encountered an obstacle as the "sys_script" functionality was not accessible. Consequently, Access Control Lists (ACLs) emerged as the sole viable alternative.

Upon testing the script you provided, I observed that it is not functioning as intended. Both users with "admin" and "security_admin" roles are viewing only the Business Rules (BRs) that are specified within the "special.access.br" property.

 if (gs.hasRole('security_admin')) {
     gs.log('Log 1: Security Admin Checking - Return all BR');
     answer = true;
 }

 var restrictedBRs = gs.getProperty('special.access.br');
 var restrictedBRsArray = restrictedBRs.split(',');
 var canSeeBR = restrictedBRsArray.indexOf(current.sys_id.toString()) > -1;

 if (!canSeeBR) {
     gs.log('Log 2: False property');
     answer = false;
 } else {
     if (gs.hasRole('admin') || gs.hasRole('business_rule_admin')) {
         gs.log('Log 3: False property - Admin View');
         answer = true;
     }
 }

Hi @SM24,

Try the following instead:

 if (gs.hasRole('security_admin')) {
     answer = true;
 } else {
     var restrictedBRs = gs.getProperty('special_access_br');
     var restrictedBRsArray = restrictedBRs.split(',');
     var canSeeBR = restrictedBRsArray.indexOf(current.sys_id.toString()) > -1;

     if (!canSeeBR) {
         answer = false;
     } else {
         if (gs.hasRole('admin') || gs.hasRole('business_rule_admin')) {
             answer = true;
         }
     }
 }

Also, make sure Admin overrides is unchecked.

Hi @James Chun ,

Thank you so much.