Notifications

1700 views

Description

'My Approvals' widget in the Service Portal allows users without the 'approve_user' role to action approvals

The default 'My Approvals' application menu in the regular native platform does check the role and allows only users with the 'approve_user' role access to the 'My Approvals' module. 



Steps to Reproduce

 

The out-of-box 'My Approvals' application module "sys_app_module.do?sys_id=e0f011dbff02110053ccffffffffff9b" checks the 'approve_user' role.
The out-of-box 'Approvals' sp_widget "sp_widget.do?sys_id=f37aa302cb70020000f8d856634c9cfc" does not check user role.
 
As a result, in Service Portal, any no-role user can click on approve or reject buttons to interact with approvals directly on instance.

Workaround

  Modify the Condition field of the SP Menu Item for Approvals (with a url similar to the one below) from the existing value of the condition to add the needed roles to the condition so that Approvals are available to users from Service Portal
>>>>> https://instancename.service-now.com/nav_to.do?uri=sp_rectangle_menu_item.do?sys_id=864aed00d7200200a9ad1e173e24d475 

 

In the native platform, the 'My Approvals' module is configured to allow ITIL or Approver_user roles. 

 

Similar changes would be needed to the condition field of the SP Menu Item for Approvals. 

For example assuming the condition currently has a value 'gs.isLoggedIn()', it would need to be modified to 'gs.isLoggedIn() && (gs.hasRole("approver_user") || gs.hasRole("itil"))' if users with the ITIL role or approver_user role need to have access to Approvals on Service Portal. 


Related Problem: PRB751143

Seen In

There is no data to report.

Associated Community Threads

There is no data to report.

Article Information

Last Updated:2019-05-22 08:57:02
Published:2018-12-10