ACLs

 


For ACLs you first need access to the table, then to the field. Think of it as walking up to a house. You can't get in the house (table) without the door being unlocked. Once inside, the rooms, are the rows/fields. So those need to be unlocked as well to go in to those (table.* or table.row/field).


  • For table.none means that you are applying the ACL at the table level.
  • For table.*, means that you are applying this for all rows/fields on that table which don't have their own specific table.field ACL. So it's more of a "meta-ACL", if you will.
  • Then there's table.row/field, means you are applying this for that specific field

Example of a row level ACL (from chatGPT)

  • Let's say you have an "Incident" table in ServiceNow, which contains records of various incidents reported by users. You want to restrict access to certain incidents based on their priority. You can define a row-level ACL that allows only users with a specific role, such as "Manager," to view and update incidents with a priority of "High."
  • In this case, the row-level ACL script would check the user's role and the priority of the incident being accessed. If the user has the "Manager" role and the incident has a priority of "High," the ACL grants access. Otherwise, it denies access to the record.

What is meant by masking?

e.g. When I create a new ACL to specify what a role can do on a specific table, it says that I am masking the old ACL
Masking means to cover something up! In the scenario below the yellow is masking the new ACL


Debug Security Rules  

Green- it passed
Red - it failed
Empty or grey icon - Indicates the ACL evaluation did not need to be performed
A blue checkmark,x, or empty circle - Indicates that the ACL was taken from a cached result of a previous ACL check. The icons mean the same as the above.

What are the 4 ACL checks? These are the checks on that ACL
1. IAccessHandler
2. Roles
3. Condition
4. Script








Comments

Post a Comment

Popular posts from this blog

Email Templates and Emails

 Email Templates and Emails Email Templates Links: To create a link, click on the link icon and in the URL add the link without the instance. e.g. /now/nav/ui/classic/params/target/pm_project.do%3Fsys_id=${sysapproval.sys_id} For approvals it will act on the table: Approval (sysapproval_approver) Use this type of syntax for getting variables when its to do with a Project: ${sysapproval} -> Gives the project number Approval Sys ID: ${sys_id} -> Gives the Approval Sysid ${sysapproval.sys_class_name} -> e.g. "Project" ${URI} -> Takes you to the approval record ${sysapproval.URI} -> Link to the project URL: sysapproval_approver.do?sys_id=${sys_id} Project sysid:  ${sysapproval.sys_id} Subject : ${sysapproval.short_description} Description : ${sysapproval.description} Click here to view Approval Request: ${URI} Click here to view ${sysapproval.sys_class_name}:  ${sysapproval.URI} Priority: ${sysapproval.priority} Category: ${sysapproval.category} Click...
Read more

Arrays

// Single Array - Push single values into an array.  // If there is a field which doenst have a single value but comma seperated values then split it and adds it to the arra y var x = 0; var st = ''; var ar = new Array(); var gr = new GlideRecord('cmdb_ci_service'); gr.addEncodedQuery("u_search_tagsISNOTEMPTY"); gr.query(); while (gr.next()) {   x++;   // gs.print(x + "  " + gr.u_search_tags);  // e.g.  Azure, Joe, Harry, OR Azure   st = gr.u_search_tags;   st = st.replace(/,\s*$/, ""); // Remove the last comma and any spaces if there are any   // Does it have a comma   if (st.indexOf(',') != -1) {     var sts = st.split(',');     for (var i = 0; i < sts.length; i++) {       //gs.print("----  " + x + "  --" + i + "  --" + sts.length + "  " + sts[i]); e..g        ar.push(sts[i]);       if (sts.length - 1 != i) {         x++; ...
Read more

ServiceNow tips

Logging gs.info("JJJJ " + JSON.stringify(taskCreate)); Default columns Go to List Layout Script to pad out a number to 7 digits var z = '' ; var x = 10 ; var gr = new GlideRecord ( "alm_hardware" ); //gr.setLimit(20); gr . query (); while ( gr . next ()){ x ++; z = padDigits ( x , 7 ); z = "R" + z ; gr . asset_tag = z ; gr . update (); //gs.print (z); } gs . print ( "DONE" ); function padDigits ( number , digits ) { return Array ( Math . max ( digits - String ( number ). length + 1 , 0 )). join ( 0 ) + number ; } Quick way to get GlideRecord var grpRec = new GlideRecord('sys_user_group'); grpRec.get(current.group); var grpMgr = grpRec.getValue('manager'); if (grpMgr != gs.getUserID()) { current.setAbortAction(true); gs.addErrorMessage('You must be a Group Manager to add members'); } var msg = gs . getMessage ( 'Hello' ) ; gs . addInfoMessage ( msg ) ; Dates Get the last day of t...
Read more