Description

Scoped read ACL on [sys_report] created by the Content Automation plugin (com.sn_content_automation) throws an exception which is visible in the [syslog] table.

ACL: /sys_security_acl.do?sys_id=67c75eb9e70223008901268b03f6a9b4

Steps to Reproduce

On an instance with the Content Automation plugin (com.sn_content_automation) enabled:

  1. Have a user with the 'report_user' role and belonging to a specific Group.
  2. Create a report as an admin user and update the sharing settings to Group and Users:
    • Select the group the user belongs to (the group from step 1).
  3. Navigate to 'sys_report.list' in the Filter Navigator.
  4. Filter the list to show the records where [User] [is] [group].
  5. Enable Debug Security, Debug Scopes, and Debug Log.
  6. Impersonate the user from step 1.
  7. Make sure to be in the global scope.
  8. Navigate to 'sys_report.list' in the Filter Navigator.
  9. Verify that the report is visible to the user in the list.
  10. Check the logs in the UI by scrolling down.

Actual behavior:

The read ACL on [sys_report] in the Content Automation scope fails, and the following exception is written to the log:

other (not gif, sql)08:42:35.429: >> Entering scope [sn_ca]
log08:42:35.435: Evaluator: org.mozilla.javascript.EcmaError: Cannot find function getMyGroups in object com.glide.script.fencing.ScopedUser@1473397. Caused by error in Access Control: 'sys_report' at line 19 16: return false; 17: 18: var myUserId = gs.getUserID(); ==> 19: var grpList = gs.getUser().getMyGroups(); 20: var myGrps = ''; 21: for (var i = 0; i != grpList.size(); i++) { 22: if (i != 0) myGrps += ',';
log08:42:35.437: Evaluator: org.mozilla.javascript.EcmaError: Cannot find function getMyGroups in object com.glide.script.fencing.ScopedUser@1473397. Caused by error in Access Control: 'sys_report' at line 12 9: else if (isGlobal) 10: answer = gs.hasRole(current.roles); 11: else ==> 12: answer = isOneOfMyGroups(); 13: 14: function isOneOfMyGroups() { 15: if (reportUserId != "group")
other (not gif, sql)08:42:35.437: << Exited scope [sn_ca], popped back into [rhino.global]

Expected behavior:

The read ACL on [sys_report] in the Content Automation scope should not call getUser().getMyGroups(). The exception is thrown because that function is only available in the global scope; the scoped GlideUser object (com.glide.script.fencing.ScopedUser) does not expose it, so the ACL script fails and the access decision is logged as an error instead of being evaluated.
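The scope-safe form of the failing check, as an added illustration (this is not the ACL script shipped by the Content Automation plugin): the group-membership test is rewritten to query sys_user_grmember through GlideRecord, which scoped scripts may use, instead of gs.getUser().getMyGroups(). GlideRecord is a ServiceNow server-side global; a constructed in-memory stand-in is included so the logic runs outside an instance, and the name of the report's group field and its comma-separated format are assumed.

```javascript
// Scope-safe replacement for isOneOfMyGroups(). Instead of the global-only
// gs.getUser().getMyGroups(), it asks sys_user_grmember whether the current
// user belongs to any of the groups the report is shared with.
// Assumed: reportGroupIds is the report's group field (a comma-separated list of sys_ids).
function isOneOfMyGroups(userId, reportGroupIds) {
  var ids = String(reportGroupIds || '').split(',').filter(function (s) { return s; });
  if (ids.length === 0) return false;        // report shared with no group: deny
  var gr = new GlideRecord('sys_user_grmember');
  gr.addQuery('user', userId);
  gr.addQuery('group', 'IN', ids.join(',')); // IN operator accepts a comma-separated list
  gr.setLimit(1);                            // one matching membership row is enough
  gr.query();
  return gr.hasNext();
}

// ---- Constructed stand-in for the ServiceNow GlideRecord API (only the calls used above).
// On a real instance this block is not needed; GlideRecord is provided by the platform.
var MEMBERSHIPS = [                          // constructed sample sys_user_grmember rows
  { user: 'user_a', group: 'group_1' },
  { user: 'user_b', group: 'group_2' }
];
function GlideRecord(table) { this.table = table; this.filters = []; this.rows = []; }
GlideRecord.prototype.addQuery = function (field, opOrValue, value) {
  var op = value === undefined ? '=' : opOrValue;
  var val = value === undefined ? opOrValue : value;
  this.filters.push({ field: field, op: op, value: val });
};
GlideRecord.prototype.setLimit = function (n) { this.limit = n; };
GlideRecord.prototype.query = function () {
  var filters = this.filters;
  this.rows = MEMBERSHIPS.filter(function (row) {
    return filters.every(function (q) {
      if (q.op === 'IN') return q.value.split(',').indexOf(row[q.field]) !== -1;
      return row[q.field] === q.value;
    });
  }).slice(0, this.limit || MEMBERSHIPS.length);
};
GlideRecord.prototype.hasNext = function () { return this.rows.length > 0; };
```

In the ACL itself the call site stays `answer = isOneOfMyGroups(gs.getUserID(), current.group)` (field name assumed), so the global-scope branch that uses gs.hasRole(current.roles) is unaffected.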

Workaround

This issue has been fixed. If you are able to upgrade, review the Fixed In or Intended Fix Version fields to determine whether any versions have a planned or permanent fix.


Related Problem: PRB1352846

Seen In

SR - IRM - GRC Profiles - Madrid 2019 Q2
SR - IRM - Policy and Compliance - Madrid 2019 Q2
SR - IRM - Risk Management - New York 2019 Q3
SR - ITOM - CMDB CI Class Models - 201908
SR - ITOM - Discovery and Service Mapping - 201908
SR - ITOM - Discovery and Service Mapping - v1.0.35
SR - SecOps - Configuration Compliance - New York 2019 Q3
SR - Security - Integration Framework - Madrid 2019 Q2
SR - Security - Support Common - Madrid 2019 Q2
SR - Security - Support Orchestration - Madrid 2019 Q2
SR - SIR - Security Incident Response - Madrid 2019 Q2
SR - SIR - Store SecOps Setup Assistant - Madrid 2019 Q2
SR - SIR - Store Threat Core - Madrid 2019 Q2
SR - SIR - Store Trusted Security Circles Client - New York 2019 Q3
SR - SIR - Threat intelligence - New York 2019 Q3
SR - SIR - VirusTotal Integration - New York 2019 Q3
SR - VR - Qualys - New York 2019 Q3
SR - VR - Vulnerability Response - New York 2019 Q3

Intended Fix Version

Orlando

Fixed In

New York Patch 6

Safe Harbor Statement

This "Intended Fix Version" information is meant to outline ServiceNow's general product direction and should not be relied upon in making a purchasing decision. The information provided here is for information purposes only and may not be incorporated into any contract. It is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at ServiceNow's sole discretion.

Article Information

Last Updated: 2020-01-28 02:07:17
Published: 2019-10-24