Description

As per domain separation logic, a user who does not have access to the domain of the current record referenced in a field can still see the reference field display value, for example the user name in the Assigned to field. However, it is observed that this is not honoured from the Madrid release onwards.

Steps to Reproduce:

In Madrid:
1. Create a child domain under TOP/ACME, named ACME-Child.
2. Create a RITM in TOP/ACME/ACME-Child.
3. Export an existing sysapprover_approval record and modify it so that its document ID is the RITM's sys_id.
4. Also set its approver to ACME ITIL, who is in the ACME domain. Set the domain of this sysapprover_approval record itself to TOP/ACME/ACME-Child.
5. Import it.
6. Go to the ACME-Child domain and check the Approvers related list for the RITM. It will show an empty user name.

Do the same in London and you will see the user's name.

Release or Environment

Madrid and forward

Cause

This is an intended change on the platform. It was added from Madrid to maintain strict treatment of dot-walked values such that users can no longer see any data outside of their configured domain(s). Please note below the current scenarios:

When these conditions are met: The user has access to the domain of the current record referenced in a field.

The user has access to these UI elements. The user can:

  • See reference field display value. For example, sees the user name in the Assigned to field.
  • See the related record from the reference icon. For example, sees the user record for the user in the Assigned to field.
  • Select values from any visible domain. For example, can select users from either the SP and ACME domains.

When these conditions are met: The user does not have access to the domain of the current record referenced in a field.

The user has access to these UI elements. The user can:

  • Not see reference field display values. (This is the case if domain separation was activated in Madrid or later releases and the user doesn't have access to the domain of that record.)
  • Only select values from the record's domain. For example, can only select users from the ACME domain.
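
The rule above can be used to find records whose reference fields will render blank under the Madrid behaviour. The following JavaScript is an added example, not ServiceNow platform code and not part of the original article: it is an offline model that assumes a viewer has access to a record's domain when that domain is the viewer's own domain or a descendant of it, and the function names, record numbers and sample rows are constructed for illustration.

```javascript
// Added illustration: offline model of the reference display rule described above.
// Assumption: a viewer "has access" to a record's domain when that domain is the
// viewer's own domain or one of its descendants (paths written as on this page).
// Visibility domains, contains relationships and the global domain are not modelled.

function hasDomainAccess(viewerDomain, recordDomain) {
  const v = viewerDomain.split('/');
  const r = recordDomain.split('/');
  // The viewer's path must be a whole-segment prefix of the record's path.
  return v.length <= r.length && v.every((seg, i) => seg === r[i]);
}

// behaviour: 'london' (display value always shown) or 'madrid' (strict check).
function displayValue(viewerDomain, referenced, behaviour) {
  if (behaviour === 'london') return referenced.name;
  return hasDomainAccess(viewerDomain, referenced.domain) ? referenced.name : '';
}

// Flag rows whose reference renders blank for users working in the row's own domain.
function findBlankReferences(rows, users, field) {
  return rows
    .filter((row) => displayValue(row.domain, users[row[field]], 'madrid') === '')
    .map((row) => ({ record: row.number, field, refDomain: users[row[field]].domain }));
}

// Constructed sample data mirroring the reproduction steps (keys are placeholders).
const users = {
  u1: { name: 'ACME ITIL', domain: 'TOP/ACME' },
  u2: { name: 'Child Approver', domain: 'TOP/ACME/ACME-Child' },
};
const approvals = [
  { number: 'APPROVAL-1', domain: 'TOP/ACME/ACME-Child', approver: 'u1' },
  { number: 'APPROVAL-2', domain: 'TOP/ACME/ACME-Child', approver: 'u2' },
  { number: 'APPROVAL-3', domain: 'TOP/ACME', approver: 'u2' },
];

// Only APPROVAL-1 is reported: its approver sits in the parent domain.
console.log(findBlankReferences(approvals, users, 'approver'));
```
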

Resolution

There is no workaround for this, as this is expected behaviour. However, the Development team is working on a configurable solution for this. The idea is to expose reference display values where a given user is not otherwise in the correct domain. The fix for that is not yet finalised in any generally available releases.

Additional Information

Please review the New York documentation for Domain Scope for more details on this.

There is still a way to overcome this, which is to set the system property glide.sys.domain.include_domain_condition_on_join to false. However, this is not recommended by ServiceNow, and making this modification is strictly forbidden. The property also cannot be edited by an admin on a customer instance; likely only a maint user can change it.

Article Information

Last Updated: 2019-10-29 07:14:56
Published: 2019-10-29