Although Access Control Lists (ACLs) provide the most common filters in their conditions, they do not always offer what we need for our applications. Recently, I was trying to create an ACL that let managers see the records of their employees. I wanted a dynamic condition that checked if the record’s user was an employee of the manager. While doing some research, I came across an article that talked about creating a dynamic filter option. In this post, I will expand on those ideas and give a step-by-step guide that shows how to create a dynamic filter that can be used for ACLs.
Step 1 – Setting up the Dynamic Filter Option
While in the Global scope, navigate to System Definition > Dynamic Filter Options and click New.
The Label is what appears in the condition. Make sure to choose a name that will make sense in the condition statement.
For my dynamic filter, I made a reference to the User table. This just means that the User table is where the ACL will be pulling records from.
I also made sure that the Roles field was set to the manager since that is the only role that this filter applies to.
Step 2 – Script Functions
The Script field contains the name of the function that you are using for your script. For basic filters, you can simply call GlideSystem methods. For more complicated filters, you will want to write your own script and call your function in the Script field.
Step 3 – Reference Script
To make a more complicated filter, you will want to write either a business rule or a client-callable script include. Use the Reference script field to navigate to your script.
The function inside my script include matches the function I used in the previous step.
Now, my dynamic filter knows to look for the getManagedEmployees function inside of the Employee script include.
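A sketch of what a script include like the one described in Steps 2 and 3 could look like, added here as an example and not the author's actual script. Only the names Employee and getManagedEmployees come from the post; the function body, the query on the sys_user manager field, the helper managedEmployeesFor and the stand-ins for the ServiceNow globals at the top are assumptions.

```javascript
// Constructed stand-ins for ServiceNow server globals, so the sketch runs offline in Node.
// On an instance, only the script include itself (marked below) would exist.
const USERS = [ // constructed sample sys_user rows
  { sys_id: 'u1', name: 'Mia Manager', manager: '' },
  { sys_id: 'u2', name: 'Evan Employee', manager: 'u1' },
  { sys_id: 'u3', name: 'Rae Report', manager: 'u2' },
  { sys_id: 'u4', name: 'Tom Teammate', manager: 'u1' },
];
const gs = { currentUser: 'u1', getUserID() { return this.currentUser; } };
class GlideRecord {
  constructor(table) { this.rows = table === 'sys_user' ? USERS : []; this.filters = []; this.i = -1; }
  addQuery(field, value) { this.filters.push([field, value]); }
  query() { this.rows = this.rows.filter(r => this.filters.every(([f, v]) => r[f] === v)); }
  next() { return ++this.i < this.rows.length; }
  getUniqueValue() { return this.rows[this.i].sys_id; }
}
function AbstractAjaxProcessor() {}
const Class = { create: () => function () {} };
Object.extendsObject = (base, props) => Object.assign(Object.create(base.prototype), props);

// ---- Script include "Employee" (client callable); body is assumed ----
var Employee = Class.create();
Employee.prototype = Object.extendsObject(AbstractAjaxProcessor, {
  // Returns the sys_ids of users whose Manager field is the logged-in user.
  // The manager comes from the server-side session (gs.getUserID()), never from a
  // request parameter: a client-callable include can be invoked from the browser,
  // so a caller-supplied manager id would let any user list another manager's reports.
  getManagedEmployees: function () {
    var ids = [];
    var user = new GlideRecord('sys_user');
    user.addQuery('manager', gs.getUserID());
    user.query();
    while (user.next()) {
      ids.push(user.getUniqueValue());
    }
    return ids;
  },
  type: 'Employee'
});

// Hypothetical helper for trying the filter as different users in the stand-in environment.
function managedEmployeesFor(userId) {
  gs.currentUser = userId;
  return new Employee().getManagedEmployees();
}
```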
Dynamic Filter in Action
Hi Aylee,
Great posts, keep them coming!
I noticed you made the script include client callable and extending the AJAX processor. Is there a part of this scenario you didn’t write about? Or was this an accident? Or is this necessary to make it visible inside the filter? I would have thought not, but I’ve never combined the condition filter and a script include like that. I would normally just script the entire thing.
Ben.
Hello Ben,
I tried changing my script include so that it was not client callable and did not extend the AJAX processor. The condition still showed up in the ACL, but the script no longer worked. When I impersonated managers they were not able to see their employees. Additionally, in the ServiceNow documentation it specifically says to use a client-callable script include or a business rule for a scripted dynamic filter.
I hope that helps!
Thanks Aylee.
Hi Aylee,
Thanks for this post, this is a good summary.
Just a small thing: I think the second screenshot is not the actual script used (looks like Slack integration).
Best
Daniel