20 Replies · Latest reply on Sep 14, 2017 6:43 AM by Dave Smith

    get user role in UI Page

      Hi, I'm trying to create a UI page that has certain fields readonly based on role.  I have the following code in my client script, but I'm getting errors in my console saying gs is not defined and  $(...).ready is not a function.  Can someone help me debug this?  Am I even on the right track?

       

      var roles = [];
      var gr = new GlideRecord('sys_user_has_role');
      gr.addQuery('user', gs.getUserID());
      gr.query();
      while (gr.next()) {
          roles.push({
              role: gr.getDisplayValue('role') //Will give the sys_id of the roles
          });
      }

      if (roles.indexOf('admin')) {
          document.getElementById('signature').readonly = true;
          document.getElementById('signature').style.backgroundColor = '#ddd';
      }

        • Re: get user role in UI Page
          Pradeep Sharma

          Hello David,


          Replace gs.getUserID() with g_user.userID for client side operation.

          GlideUser (g user) - ServiceNow Wiki

          2 of 2 people found this helpful

          - Pradeep Sharma (@sharma_pradeep)
          ServiceNow

          PS: Hit like, Helpful or Correct depending on the impact of the response

          • Re: get user role in UI Page
            fredflintstone

            GlideSystem is not available client side.  You can refer to the client-side API documentation here: https://developer.servicenow.com/app.do#!/api_doc?v=jakarta&id=client

             

            What you should be using is the GlideUser API.  It has a method available called "hasRole" which returns true/false indicating whether the logged in user has the specified role.  So rather than performing a GlideRecord query client-side and building an array of all the roles the user has (which is woeful in terms of performance, btw) you could do something like:

             

            if (g_user.hasRole('admin')) {
                // The DOM property is camel-cased: readOnly ("readonly" is only the HTML attribute name)
                document.getElementById('signature').readOnly = true;
                document.getElementById('signature').style.backgroundColor = '#ddd';
            }
            

             

            [side note: it's also bad practice to do DOM manipulation, but that's another topic]
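Why the role test in the original question misfires no matter which API supplies the roles, as an added example that is not part of fredflintstone's post. The role lists are constructed and `hr_signer` is a hypothetical role name.

```javascript
// Constructed sample data: rows shaped like the question's roles.push({ role: ... }).
const rowsFor = (...names) => names.map((name) => ({ role: name }));

// The question's test, unchanged: indexOf() compares with ===, so a string never
// matches an array of objects. The result is always -1, and -1 is truthy.
function originalCheck(roles) {
  return Boolean(roles.indexOf('admin'));
}

// The same test on a plain string array is still wrong: 'admin' in first
// position yields index 0, which is falsy, so that user is the one excluded.
function originalCheckOnStrings(roleNames) {
  return Boolean(roleNames.indexOf('admin'));
}

// Membership test that matches the data shape.
function hasRoleRow(roles, name) {
  return roles.some((row) => row.role === name);
}

// Run all three checks over one constructed role list.
function compare(roleNames) {
  const rows = rowsFor(...roleNames);
  return {
    roles: roleNames.join(',') || '(none)',
    original: originalCheck(rows),
    originalOnStrings: originalCheckOnStrings(roleNames),
    corrected: hasRoleRow(rows, 'admin'),
  };
}

const results = [
  ['admin', 'hr_signer'],
  ['hr_signer', 'admin'],
  ['hr_signer'],
  [],
].map(compare);

console.table(results);
```
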

            • Re: get user role in UI Page
              David Lu

              Neither gs.hasRole('admin') nor g_user.hasRole('admin') is defined in my console.  I'm also still getting the $(...).ready is not a function error as well.  How do you query a user's roles in a UI Page?

                • Re: get user role in UI Page
                  fredflintstone

                  I just tried using g_user in a UI Page client script and did not get any errors.  It is not available in the Developer console in your browser, but it is available inside a client script field in a ServiceNow instance. 

                   

                  The "$(...)" error sounds unrelated to using g_user.  That seems like an error you're getting due to DOM manipulation so I would recommend against doing that.

                    • Re: get user role in UI Page
                      David Lu

                      hm so strange that the following JS isn't working:

                       

                      if (g_user.hasRole('admin')) {
                          document.getElementById('signature').readonly = true;
                          document.getElementById('signature').style.backgroundColor  = '#ddd';
                      }

                       

                      Do I have to enclose it in an onLoad function?  Do onLoad functions work in UI Pages?

                        • Re: get user role in UI Page
                          fredflintstone

                          Could you post a screenshot of your UI Page configuration?

                           

                          Below is the UI Page I configured in my personal developer instance (Jakarta).  When I call this UI page from a UI action, I get the two alerts shown.

                           

                           

                           

                            • Re: get user role in UI Page
                              David Lu

                              Hi fred, thanks for helping me out.  Sorry, how did you get the alerts from a UI Action?  My code for the UI Page is below:

                               

                               

                              When I "Try It", I see this:

                               

                              I have admin role so theoretically the HR Signature line should be grayed out and readonly, with dave in the input.  The errors noted in my previous post are in my browser console.  Thanks again.

                                • Re: get user role in UI Page
                                  fredflintstone

                                  Happy to help, and sorry if I'm not explaining things clearly.

                                   

                                  I tested the "Try It" button in my personal developer instance and didn't get the alerts - I suspect that button only displays the HTML section but does not execute the client scripts.  To get my alerts, I set up a UI action on the incident table just as a test.  The code I'm using in my UI action is the following:

                                   

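                                  function test222() {
                                       var dialog;
                                       // Prefer GlideModal; fall back to GlideDialogWindow where GlideModal is not defined
                                       try {
                                            dialog = new GlideModal('test222');
                                       } catch(e) {
                                            dialog = new GlideDialogWindow('test222');
                                       }

                                       // 'test222' is the name of the UI Page rendered in the dialog
                                       dialog.setTitle('test');
                                       dialog.setSize(750,300);
                                       dialog.render();
                                  }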
                                  

                                   

                                  This UI action is client callable and calls the test222() function onClick.  Using the UI action then calls the UI Page and executes both the HTML and client script.

                                  1 of 1 people found this helpful
                        • Re: get user role in UI Page
                          Dave Smith

                          David Lu wrote:

                           

                          certain fields readonly based on role.     

                          Any reasons an ACL can't be used here?  That's pretty much the standard solution to your problem definition.

                            • Re: get user role in UI Page
                              David Lu

                              Hey Dave, I looked into this briefly, but am a bit confused about how to apply ACLs on specific fields to specific UI Pages.  Is there any material on this?

                               

                              Below is the ACL page I see, but where would we define which UI Page this rule applies to?  I assume if we have specific fields that need to be readonly depending on role, that would have to be scripted as advanced right?

                               

                              Thanks.

                               

                                • Re: get user role in UI Page
                                  Dave Smith

                                  David Lu wrote:

                                   

                                  Hey Dave, I looked into this briefly, but am a bit confused about how to apply ACLs on specific fields to specific UI Pages. Is there any material on this?

                                  Ah... no.. I may have been barking up the wrong tree here.

                                   

                                  If those fields track back to columns in a DB table, then ACLs are your friend.  If they're form fields in a page you've created, that's another matter.

                                   

                                  For what it's worth, g_user.hasRole('admin') is often an invalid test because admin has bypass rights to everything, so it's kinda like a lock asking if they hold a skeleton key.  I'd also recommend testing using non-admin accounts, since all bets are off with admin override.

                                    • Re: get user role in UI Page
                                      fredflintstone

                                      Dave Smith wrote:

                                      For what it's worth, g_user.hasRole('admin') is often an invalid test because admin has bypass rights to everything, so it's kinda like a lock asking if they hold a skeleton key.  I'd also recommend testing using non-admin accounts, since all bets are off with admin override.

                                      Could you explain this more?  I can't think of any scenarios where g_user.hasRole('admin') would return true for any user that does not explicitly have the admin role.  My understanding was that the admin role can override other roles/ACLs, but other roles/ACLs cannot override admin.  In any case, g_user.hasRoleExactly() ignores the admin override and can be used instead.

                                        • Re: get user role in UI Page
                                          Dave Smith

                                          My interpretation of g_user.hasRole('rolename') is g_user.hasRoleExactly('rolename') || g_user.hasRoleExactly('admin') - having the admin role trumps the test.  Many times I've seen it unnecessarily added to ACLs - the "Admin Override" checkbox deals with that.

                                           

                                          My warning is simply that users holding the admin role tend to have bypass privileges embedded in the platform in so many places that using that role for a test gives unexpected results; it's safer to create another role and use that as a privilege that can be bestowed (via group membership, of course) to permit higher levels of access than giving away admin role.  This adheres to the Principle of Least Privilege. 

                                           

                                          Similarly, platform admins don't tend to get involved with the day-to-day BAU activities so it should be considered rare to test if the user happens to hold this role.  Finding a lot of code containing admin checks is indicative of too many users holding this role - and no real security model that honours Separation Of Duties.

                                          1 of 1 people found this helpful
                                        • Re: get user role in UI Page
                                          David Lu

                                          Hey Dave, so are you saying if the UI Page field is connected to a column in a table, then if I change the ACL of that column, it will reflect on the UI Page as well?

                                           

                                          So if I have a table in the background that has a column for HR Signature and Signature of Employee and I connect it to my UI Page, if I change the ACL for HR Signature to only be writeable for admins, if I impersonate someone who does not have admin rights, then the UI Page would show that HR Signature field as readonly?

                                            • Re: get user role in UI Page
                                              Dave Smith

                                              David Lu wrote:

                                               

                                              Hey Dave, so are you saying if the UI Page field is connected to a column in a table, then if I change the ACL of that column, it will reflect on the UI Page as well?

                                              That's my understanding.  Generally security applied at ACL level is reflected in forms, lists and in portal pages - I've no reason to believe UI Pages behave any differently (but YMMV - I'm not clued-up on UI Pages, sorry).

                                              David Lu wrote:

                                              So if I have a table in the background that has a column for HR Signature and Signature of Employee and I connect it to my UI Page, if I change the ACL for HR Signature to only be writeable for admins, if I impersonate someone who does not have admin rights, then the UI Page would show that HR Signature field as readonly?

                                              Yes. I demonstrate this when teaching Sysadmin - I add a read rule against a field requiring the asset role and someone lacking that role finds it not only has vanished from their form/list, but they can't personalise their form/list and add it back in - it's invisible to them.

                                               

                                              Note: again, with the roles, "HR Signature" should have "change" rights for someone with a specific role, not "admin".  Although "admin" can pretty much override anything, from a business point of view you've just delegated out a responsibility to a group of individuals (which may not be their job).  I understand the purpose of hiding it from ordinary users, but also consider who should see it.

                                               

                                              I'd also recommend creating two users for positive and negative testing then logging in as them.  Impersonation doesn't always work in some cases.
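The hasRole / hasRoleExactly distinction and the positive/negative test accounts discussed in the replies above, modelled as an added example that is not code from any poster. `makeUser` is a stand-in for `g_user` (which only exists inside a ServiceNow client script) and follows Dave Smith's stated reading of `hasRole`; the role names `hr_signer` and `report_viewer` and the account names are hypothetical.

```javascript
// Stand-in for g_user. hasRole() follows the reading given in the thread:
// hasRoleExactly(role) || hasRoleExactly('admin').
function makeUser(name, roles) {
  const held = new Set(roles);
  return {
    name,
    hasRoleExactly: (role) => held.has(role),
    hasRole: (role) => held.has(role) || held.has('admin'),
  };
}

const SIGNER_ROLE = 'hr_signer'; // hypothetical dedicated role

// Three candidate gates for "may change HR Signature".
const gates = {
  adminCheck: (u) => u.hasRole('admin'),
  roleWithOverride: (u) => u.hasRole(SIGNER_ROLE),
  roleExactly: (u) => u.hasRoleExactly(SIGNER_ROLE),
};

// Constructed test accounts: one positive, one negative, plus an admin.
const accounts = [
  makeUser('positive.test', [SIGNER_ROLE]),
  makeUser('negative.test', ['report_viewer']),
  makeUser('platform.admin', ['admin']),
];

// Outcome of one gate for every account, keyed by account name.
function evaluate(gateName) {
  return Object.fromEntries(accounts.map((u) => [u.name, gates[gateName](u)]));
}

// Full gate-by-account matrix.
function matrix() {
  return Object.fromEntries(Object.keys(gates).map((g) => [g, evaluate(g)]));
}

// Can a test run as admin alone tell two gates apart? For adminCheck versus
// roleWithOverride it cannot: only the non-admin pair shows the difference.
function distinguishedByAdminAlone(a, b) {
  return evaluate(a)['platform.admin'] !== evaluate(b)['platform.admin'];
}

console.table(matrix());
```
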