Description

Issue:
A user without roles can open an incomplete incident from the Service Portal.

Steps to Reproduce:
- Log in to the instance.
- Impersonate a user with read-only roles.
- Go to URL: https://<instance_name>.service-now.com/sp/?id=form&table=incident&filter=active%3Dtrue&sys_id=-1&v=
- Notice that the user is able to submit the incident.

Cause

Most Probable Cause:
- The user doesn't have any roles assigned.
- The create ACL on the incident table was checked, and it has no restriction added for any roles. (https://<instance_name>.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=80a7a096c0a8016662c872762163bbdc)

Resolution

If you want to make the incident form read-only on the portal for the user, create a role and assign it to the user.
On the create ACL above, add a script check that tests whether the user has the newly created role and, if so, sets the answer to false. (https://<instance_name>.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=80a7a096c0a8016662c872762163bbdc)
Example code below:

```javascript
// Allow create by default; deny it for users who hold the new restricted role.
answer = true;
if (gs.hasRole('new_restriced_role'))
    answer = false;
// With Major Incident Management active, only major incident managers
// may act on an accepted major incident.
if (pm.isActive('com.snc.incident.mim') && current.major_incident_state == 'accepted') {
    if (gs.hasRole('major_incident_manager'))
        answer = true;
    else
        answer = false;
}
```

You can now go to the portal and check: the "Save" button will be hidden, preventing the user from submitting an incident.
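Before deploying the ACL change, the script's decision can be checked offline against the role combinations that matter. The harness below is an added example, not ServiceNow code or part of the original article: `evaluateCreateAcl`, `CASES`, `runMatrix` and the `gs`, `pm` and `current` stand-ins are hypothetical, and the mock assumes that `gs.hasRole()` also returns true for users holding the admin role.

```javascript
// Added example: offline harness for the create-ACL script above (runs in Node.js).
// gs, pm and current are minimal stand-ins for the platform objects.
function evaluateCreateAcl(userRoles, opts) {
  opts = opts || {};
  var gs = {
    // Assumption modelled here: gs.hasRole() also returns true for admin users.
    hasRole: function (role) {
      return userRoles.indexOf(role) !== -1 || userRoles.indexOf('admin') !== -1;
    }
  };
  var pm = { isActive: function (id) { return id === 'com.snc.incident.mim' && !!opts.mimActive; } };
  var current = { major_incident_state: opts.majorIncidentState || '' };

  // --- ACL script from the article, unchanged in behaviour ---
  var answer = true;
  if (gs.hasRole('new_restriced_role'))
    answer = false;
  if (pm.isActive('com.snc.incident.mim') && current.major_incident_state == 'accepted') {
    if (gs.hasRole('major_incident_manager'))
      answer = true;
    else
      answer = false;
  }
  return answer;
}

// Constructed test matrix: role sets and record states to check before deploying.
var CASES = [
  { name: 'no roles', roles: [], opts: {} },
  { name: 'restricted role', roles: ['new_restriced_role'], opts: {} },
  { name: 'restricted + MIM manager, accepted major incident',
    roles: ['new_restriced_role', 'major_incident_manager'],
    opts: { mimActive: true, majorIncidentState: 'accepted' } },
  { name: 'itil only, accepted major incident', roles: ['itil'],
    opts: { mimActive: true, majorIncidentState: 'accepted' } },
  { name: 'admin (script only, ignoring the ACL admin override flag)', roles: ['admin'], opts: {} }
];

function runMatrix() {
  return CASES.map(function (c) {
    return { name: c.name, canCreate: evaluateCreateAcl(c.roles, c.opts) };
  });
}

runMatrix().forEach(function (r) {
  console.log((r.canCreate ? 'ALLOW ' : 'DENY  ') + r.name);
});
```

The third case shows that the major incident branch runs last and overrides the restricted-role denial, and the first case shows that users who are not given the new role can still create incidents.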

Article Information

Last Updated: 2019-11-14 20:21:58
Published: 2019-11-15