Securing The Activity Formatter (Or Any Formatter For That Matter)

The activity formatter on a form is a great part of ServiceNow. As long as it’s added to the form, and the table is audited, you can get a quick glance of the most important updates.

However, my only issue with it (and it’s my issue with all formatters), is that you can’t apply an ACL to it. For some users, I don’t want them to see it at all, but I don’t want to have to create a custom view just to hide it.

What I did therefore was found a way to apply ACLs to the formatter. This little trick can be used on all formatters.

I created a new UI macro which wraps the original UI macro in security code. Simple enough solution. What it looks like in practice is this

<?xml version="1.0" encoding="utf-8" ?>
<j:jelly trim="false" xmlns:j="jelly:core" xmlns:g="glide" xmlns:j2="null" xmlns:g2="null">
<g2:evaluate jelly="true" var="jvar_can_access" expression="
//Use whatever security rule you want in here
var access = 'false';
var gr = new GlideRecord('hr_case');
gr.addQuery('sys_id', jelly.jvar_form_sys_id);
if ( {
//Use whatever security rule you want in here
access = gr.canWrite();
<j2:if test="$[jvar_can_access == 'true']">
<g:inline template="activity.xml"/>

Then turn this UI macro into a formatter using the normal functionality and add the formatter to the form.

Now if you have access to the formatter, the activity UI macro will show up as normal. If you don’t, it won’t be displayed at all and the user will be none the wiser.

You can use this little trick with any UI macro you like, by changing the inline template tag.

1 Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.