Notifications

3 views

Description

You have set up an Order guide with variable fields on your service portal.

The Filter on variable reference field does not apply on the service portal.
Some users e.g. 'nnavet' do not see the application of this filter on the core_company table which is referenced by the variable.

REPRODUCE:

Steps to reproduce:
1-Login backoffice with the admin account " christian_snow SOUTRIC"
2 - Go to the variable "community"
https://agglopaudev.service-now.com/nav_to.do?uri=item_option_new.do?sys_id=419b656cdb46c7403b355a6adc9619b3

3- CLICK the tab " type specifications"
Note the filter conditions set up
4 - then impersonate with the user nnavet on the portal by borrowing his identity
url: https://xxxxx.service-now.com/portail?id=sc_cat_item_guide&sys_id=4e37e239dba37f0072a9323239961964

5 - View the "community" field"

Result : no community appears.
Expected: The reference variable data should display the filtered company data.

Cause

A reference variable references a record in another table. For example, the variable named 'community' references the Company [core_company] table.

There is an Access Control 'core_company', read operation
https://xxxxx.service-now.com/nav_to.do?uri=sys_security_acl.do?sys_id=8109a169c0a801666217a6825787c7ff

model_manager, itil or user_admin role required to read core_company records

Above gives access to the data in the table only for Users with the above role.

I have identified the User nnavet is a User with no roles and has no access to the platform.

As a test, I opened the table 'core_company' in the list view, and applied the same conditions you had used in the variable reference, see url below .
https://xxxxx.service-now.com/core_company_list.do?sysparm_query=u_codeISNOTEMPTY%5Ecountry%3DFrance%5Ecustomer%3Dtrue&sysparm_first_row=1&sysparm_view=

In another tab, I impersonated Christian who is an Admin User with roles, then refreshed the list. You can see that he could access.

I impersonated nnavet (user with no roles) and in the list view I refreshed the list and got the message below
Des contraintes de sécurité empêchent d'accéder à la page demandée.

This confirms the cause of the issue is that the user has no read access to the table 'core_company'.
I can verify the read operation acl is failing for the user.

Resolution



The reported behavior is expected based on the fact that the User has no access to the data in the table and has been restricted by the OOTB security rules.

To fix or change this behavior:
You will need to consider giving the user nnavet the relevant roles to be able to access the table core_company.
Alternatively you may choose to modify the OOB acl to meet your business requirement.


Article Information

Last Updated:2020-03-19 16:22:38
Published:2020-03-19