Securing .list And .do Pages Via ACLs

Within ServiceNow, anyone can go to any table by manipulating the URL or via the navigation menu.

For example, if you want to go to the incident table, even if you don’t have access to the incident module, you can either:

  1. Go directly via the URL: https://sn-instance.com/incident_list.do or https://sn-instance.com/incident.do
  2. In the navigation menu search bar, type incident.list or incident.do

Having ACLs in place makes sure that the actions you don’t want to happen (create, write, read, delete) don’t happen. However, what if you just want to stop users navigating to that URL in the first place?

You can stop users getting to the page via the navigation menu by editing the ‘NavFilterExtension’ UI Script (it has very good comments and is easy to edit to do what you want).

I accidentally stumbled across a neater solution, again using ACLs.
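Added example (not from the original post, and not ServiceNow code): a standalone JavaScript check that reads request log lines and flags users who opened a table's .list or .do page directly without having a module for that table. The log format, user names, table set and module map are constructed for illustration; the nav_to.do?uri= wrapper is handled as an assumed extra route to the same pages.

```javascript
// Tables to watch (constructed sample set).
const TABLES = new Set(['incident', 'sys_user', 'change_request']);

// Map a request URL to { table, view }, or null when it is not a table page.
function parseTablePage(rawUrl) {
  const url = new URL(rawUrl, 'https://sn-instance.com');
  // nav_to.do carries the real page in its "uri" parameter; unwrap it first.
  if (url.pathname === '/nav_to.do' && url.searchParams.has('uri')) {
    return parseTablePage(url.searchParams.get('uri'));
  }
  const m = /^\/([a-z0-9_]+)\.do$/i.exec(url.pathname);
  if (!m) return null;
  const page = m[1].toLowerCase();
  if (TABLES.has(page)) return { table: page, view: 'form' };
  if (page.endsWith('_list') && TABLES.has(page.slice(0, -5))) {
    return { table: page.slice(0, -5), view: 'list' };
  }
  return null; // e.g. home.do: a .do page that is not a table
}

// Constructed log lines in the form "<user> <method> <url>".
const SAMPLE_LOG = [
  'alice GET /incident_list.do?sysparm_query=active%3Dtrue',
  'bob GET /incident.do?sys_id=-1',
  'bob GET /nav_to.do?uri=%2Fsys_user_list.do',
  'bob GET /home.do',
  'carol GET /change_request_list.do',
];
// Tables each user can reach through a visible module (hypothetical mapping).
const MODULE_TABLES = { alice: ['incident'], bob: ['change_request'], carol: ['change_request'] };

// Return one finding per request that reached a table outside the user's modules.
function findDirectAccess(lines, moduleTables) {
  const findings = [];
  for (const line of lines) {
    const [user, , url] = line.split(' ');
    const page = parseTablePage(url);
    if (!page) continue;
    const allowed = moduleTables[user] || [];
    if (!allowed.includes(page.table)) findings.push({ user, ...page });
  }
  return findings;
}

console.log(findDirectAccess(SAMPLE_LOG, MODULE_TABLES));
```

Findings from a check like this show which tables are being reached by URL rather than by module, which is where an ACL review should start.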

Quick Access To Record From List View

When using a reference field, you can hover over the reference icon to view the referenced record as a popover. A few people already know that if you don’t want the popup to disappear as soon as you move your mouse, pressing the shift key will keep it in place, allowing you to scroll.

That one’s been doing the rounds for a while now, but today a colleague showed me another cool thing with the shift key in Fuji.

From a list view, you can hover over the (i) icon on the row to view the full page form. Holding shift before hovering over the icon will actually render the page fully editable, UI actions and all! Saves a click into the record to update it.


Tip For Creating Complex Before Query Business Rules

Before query business rules are great! I absolutely love them and use them all the time.

Sometimes though, I do find myself getting into a bit of a twist with the logic in the code.

Before I show you what I do now to overcome it, I’ll quickly explain what a before query business rule is. Put simply, it’s exactly as the name implies: it’s a business rule that runs before querying the database. More specifically, it can add additional query parameters to the search automatically and invisibly to the user.

For example, if a user wants to view all users, they can go to the sys_user table with no query parameters.

The system will essentially run the following code to bring back the results:

var current = new GlideRecord('sys_user');
current.query();

Now, if you want to only allow users to view active users, this is where a before query business rule comes into play. If I gave you the above script and asked you to only return active users, you would amend the code to be:

var current = new GlideRecord('sys_user');
current.addActiveQuery();
current.query();

A before query business rule is no different. You’d create the business rule and add the line current.addActiveQuery() to the body, and that’s it (side note: a before query business rule is one where the ‘when’ field is set to before and the ‘query’ checkbox is ticked). So essentially, the before query business rule is made to add additional query conditions to the query GlideRecord. The above example can be seen in the out-of-the-box business rule called ‘user query’ on the sys_user table.

Now that’s out of the way: adding a single parameter like the one above to a query is simple, but when you have 5/6 different parameters, with different conditions and different values for each one, things get a little/lot more complicated.

The way I get around that is simple.

Reverting The ‘Modern Cell Coloring’ Back to Pre-Eureka

Having upgraded to Eureka, we’ve had a lot of comments from customers regarding the new field coloring which ServiceNow has introduced.

If you haven’t seen it, here’s a couple of screenshots below which show the before and after:

[Screenshot: cellcolour]

On top is the old style, on the bottom is the new style.

Anyway, as I was saying, a number of customers didn’t like the modern styling because they didn’t think it stood out enough and wanted their field styles to jump out to their users.

Of course, the users could manually click on the cog and untick the modern cell coloring option, but that would mean by default it was switched on. Instead, I came up with an extremely simple script to default the styling to full field coloring when the user logged in.
