
Prevent admin from overriding UI action conditions

I have observed that a UI action's "requires roles" setting is automatically overridden by the admin role.

To get around this:

- If the UI action (such as one on sysapproval_approver) has an entry with requires roles = admin only (for example, the UI action with sys_id 82183da3c3511200f7d1ca3adfba8f21), just disable it, or replace it with security_admin instead, for elevated roles.


- If the UI action, as in the case of a custom button, has something like this, the admin role will automatically override it, it seems. The same applies to the condition field using gs.hasRole.



To get around this, use one of these variants in the server script on the UI action, either to allow security_admin-only access or to give admins no access:

```javascript
// Variant 1: allow security_admin access
var sAllRoles = gs.getUser().getRoles();
var iChgAdm = sAllRoles.indexOf('change_manager');
var iCatAdm = sAllRoles.indexOf('catalog_admin');
var iSecAdm = sAllRoles.indexOf('security_admin');
// Stop unless one of the three roles appears in the user's own role list
if (iChgAdm < 0 && iCatAdm < 0 && iSecAdm < 0) {
    gs.addErrorMessage('you do not have the role');
    action.setRedirectURL(current);
    return false;
}
```

```javascript
// Variant 2: or, to remove the action altogether from admins, use this script
var sAllRoles = gs.getUser().getRoles();
var iChgAdm = sAllRoles.indexOf('change_manager');
var iCatAdm = sAllRoles.indexOf('catalog_admin');
var bIsAdmin = gs.hasRole('admin'); // boolean
// Stop admins who hold neither role by name
if (iChgAdm < 0 && iCatAdm < 0 && bIsAdmin) {
    gs.addErrorMessage('you do not have the role');
    action.setRedirectURL(current);
    return false;
}
```
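The decision logic of the two variants above, pulled out into plain JavaScript so it can be run and tested outside an instance. This is an added example, not code from the original post: the function names and mode strings are hypothetical, the role lists are constructed, and it assumes the output of gs.getUser().getRoles() is passed in as an array or as a string. It compares whole role names, so a check for 'admin' cannot match inside 'catalog_admin' or 'security_admin' when the list arrives as a string.

```javascript
// Added example (hypothetical helper names): explicit role checks that ignore
// the admin override. heldRoles is assumed to come from gs.getUser().getRoles().

// Accept an array, a comma-separated string, or the "[a, b]" text of a
// stringified list, and return a clean array of role names.
function normaliseRoles(heldRoles) {
    var raw = Array.isArray(heldRoles) ? heldRoles.join(',') : String(heldRoles || '');
    return raw.replace(/[\[\]]/g, '').split(',')
        .map(function (r) { return r.trim(); })
        .filter(function (r) { return r.length > 0; });
}

// True only when one of allowedRoles is held by name (whole-name comparison).
function holdsRoleExplicitly(heldRoles, allowedRoles) {
    var held = normaliseRoles(heldRoles);
    return allowedRoles.some(function (role) { return held.indexOf(role) !== -1; });
}

// mode 'explicit-only': everyone must hold an allowed role by name (variant 1).
// mode 'block-admins' : only admins lacking an allowed role are refused (variant 2);
//                       other users are left to the UI action's own role field.
function uiActionAllowed(heldRoles, allowedRoles, mode) {
    var explicit = holdsRoleExplicitly(heldRoles, allowedRoles);
    if (mode === 'block-admins') {
        var isAdmin = normaliseRoles(heldRoles).indexOf('admin') !== -1;
        return explicit || !isAdmin;
    }
    return explicit;
}

// Constructed sample users, checked against the role sets used in the post.
var VARIANT_1 = ['change_manager', 'catalog_admin', 'security_admin'];
var VARIANT_2 = ['change_manager', 'catalog_admin'];
[
    { name: 'plain admin', roles: ['admin', 'itil'] },
    { name: 'elevated admin', roles: 'admin,security_admin' },
    { name: 'change manager', roles: '[change_manager, itil]' }
].forEach(function (u) {
    console.log(u.name,
        '| variant 1:', uiActionAllowed(u.roles, VARIANT_1, 'explicit-only'),
        '| variant 2:', uiActionAllowed(u.roles, VARIANT_2, 'block-admins'));
});
```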
