The CreatorCon Call for Content is officially open! Get started here.

Users with Specific Roles or Managed Group have access to Create, Update and Delete CI Relationships

KoyaJ
Tera Contributor

3 weeks ago - last edited 3 weeks ago

I have a requirement where users who either have specific roles (u_cmdb_mgmt, asset) or are members of a CI's managed group should be able to create, update, and delete CI relationships in the CMDB.

I've implemented a script that checks for these conditions and enables the relationship (+) button on the CI form. However, when I try to create and submit a new relationship, I receives an error  "User not authorized to add relationships"

Here’s what I’ve done so far:

  • Script checks if the user has the required roles or is part of the CI’s managed group.
  • The (+) button appears as expected.
  • Error occurs when submitting the relationship.

My question:
What additional permissions or ACL configurations are needed to allow these users to create, update, and delete CI relationships? Is there something I’m missing in the script or in the ServiceNow configuration?

KoyaJ_0-1758013207150.png

Script:

(function() {

    if (gs.hasRole('u_cmdb_mgmt') || gs.hasRole('asset'))  {
        answer = true;
    }
    var userID = gs.getUserID();
    answer = isUserInManagedGroup(current.parent);
    function isUserInManagedGroup(ciSysId) {
        var ci = new GlideRecord('cmdb_ci');
        if (ci.get(ciSysId) && ci.managed_by_group) {
            var groupMember = new GlideRecord('sys_user_grmember');
            groupMember.addQuery('group', ci.managed_by_group);
            groupMember.addQuery('user', userID);
            groupMember.query();
            if (groupMember.hasNext()) {
                return true;
            }
        }
        return false;
    }
0 Helpfuls
  • 299 Views
8 REPLIES 8

Nehal Dhuri
Mega Sage
In response to KoyaJ

3 weeks ago

I think you should create, read, update, delete ACL for relationship table by including these roles

Please hit like and mark my response as correct if that helps
0 Helpfuls

Bhuvan
Mega Patron

3 weeks ago - last edited 3 weeks ago

@KoyaJ 

 

You are trying to add relationship in cmdb_rel_ci table, check if the user has necessary Create/Update/Delete permissions. If not, create ACLs to allow the operations for the role and it should work.

Bhuvan_0-1758016109349.png

If this helped to answer your query, please mark it helpful & accept the solution.

 

Thanks,

Bhuvan

0 Helpfuls

KoyaJ
Tera Contributor
In response to Bhuvan

3 weeks ago

KoyaJ_0-1758022163221.png

I have created an ACL written the custom script. Attached the screenshot 

0 Helpfuls

Bhuvan
Mega Patron
In response to KoyaJ

3 weeks ago

@KoyaJ 

 

Did you check if Scripted ACL is returning true or false by logging the information ?

 

I believe there could be an issue in the way you are setting true or false and if you can log the information and replicate the scenario for a user with role 'u_cmdb_mgmt' or 'asset', you can confirm the issue.

 

If this helped to answer your query, please mark it helpful & accept the solution.

 

Thanks,

Bhuvan

0 Helpfuls