Unable to disable the Authentication Factors menu item in Application Menus

George Cutrell · 4 weeks ago

Platform: Zurich patch4-hotfix3

Context: Our platform use is specifically targeted to customer service agents via a customized CSM application. CSM is the only real licensable product on our instances. No other products are installed. Users access the instance via a SSO integration with an external IdP. Besides local access for administrative needs, all end-user access is through SSO and users are provisioned via an LDAP integration.

As is typical after a family release upgrade, we go in after the fact and disable menu items that are perceived as noise to end users. No different with Zurich. However, we are unable to disable the Authentication Factors menu item as it seems to be protected by some protection policy. I am unable to figure out how to get around that protection policy so that we can disable the menu item. Has anyone else faced this issue?

Naveen20 · 4 weeks ago

Try these

Option 1A: Restrict module visibility by role

The standard way to hide a module from users is by adding a role to it. Since the module record itself is protected and you can't edit it through the UI, use a Background Script (System Definition > Scripts - Background) with elevated privileges to add a restrictive role:

```javascript

var gr = new GlideRecord('sys_app_module');

gr.addQuery('title', 'Authentication Factors');

gr.query();

if (gr.next()) {

gr.sys_policy = ''; // Clear protection policy

gr.roles = 'admin'; // Only admins will see this module

gr.update();

gs.info('Updated module: ' + gr.sys_id);

}

```

This way, only users with the `admin` role will see the Authentication Factors menu item. Your CSM agents won't see it at all.

Option 1B: Before Query Business Rule on sys_app_module

If you'd rather not touch the protected record at all, create a Before Query Business Rule on the `sys_app_module` table that filters out the module for non-admin users:

```javascript

(function executeRule(current, previous) {

if (!gs.hasRole('admin')) {

current.addQuery('title', '!=', 'Authentication Factors');

}

})(current, previous);

```

This is the least invasive option — no protected records modified, upgrade-safe, and easy to maintain. Just be mindful that Before Query BRs on `sys_app_module` run on every navigator load, so keep the logic lightweight.

View solution in original post

dio1 · 2 weeks ago

I ran the following script from the background, but I received a message and couldn't update the application menu. Why is that?

■Script
var gr = new GlideRecord('sys_app_application');
gr.addQuery('title', 'Authentication Factors');
gr.query();
if (gr.next()) {
gr.sys_policy = ''; // Clear protection policy
gr.roles = 'admin'; // Only admins will see this module
gr.update();
gs.info('Updated module: ' + gr.sys_id);
}

■Message
Background message, type:access, message: This item is read-only based on its protection policy.