How to Securely Check Another User's Role in ServiceNow Client Scripts
- nathanlee142
- Mar 21
- 4 min read
Updated: Mar 26
When developing within ServiceNow, you might encounter scenarios where you need to determine if a particular user, who isn't the one currently logged in, possesses a specific role. This requirement often arises in client-side scripting to dynamically adjust the user interface or enforce certain behaviors based on the roles of a referenced user. While the intuitive g_user.hasRole() function works perfectly for the current user, checking roles for other users necessitates a different, more secure approach. This article will guide you through the best practice for verifying roles of specific users from your ServiceNow client scripts.
The Challenge: Checking Roles of Non-Current Users Client-Side
Imagine a situation where you are working with a ServiceNow form, and you need to modify the form's behavior based on the roles of a user selected in a reference field. For instance, if a specific approver lacks a certain approval role, you might want to hide or disable certain fields related to the approval process.
The standard client-side function g_user.hasRole('your_role') is designed to check the roles of the currently logged-in user. Directly attempting to use this function to check roles of other users selected on the form will not work as expected and could potentially expose sensitive role information client-side, leading to security vulnerabilities.
The Secure Solution: Leveraging Script Includes and GlideAjax
The recommended and secure method to check if a specific user has a role from a client script involves making a server-side call using a Script Include and GlideAjax. This approach ensures that the role check is performed on the server, where access to user role information is properly controlled.
Here's a step-by-step guide to implement this solution:
Create a Client-Callable Script Include:
Navigate to System Definition > Script Includes and create a new Script Include. Give it a meaningful name, such as UserRoleUtil, and ensure the Client callable checkbox is selected.
Implement the Server-Side Logic:
Add the following code to your newly created Script Include:
var UserRoleUtil = Class.create();
UserRoleUtil.prototype = Object.extendsObject(AbstractAjaxProcessor, {
hasSpecificRole: function() {
var userId = this.getParameter('sysparm_user_id');
var roleName = this.getParameter('sysparm_role_name');
if (!userId || !roleName) {
return false;
}
var gr = new GlideRecord('sys_user_has_role');
gr.addQuery('user', userId);
gr.addQuery('role.name', roleName);
gr.query();
// Must return as a string
// (required when passing the value to the client).
return gr.hasNext().toString();
}
});In this Script Include:
We define a class UserRoleUtil that extends AbstractAjaxProcessor, making it callable from client scripts.
The hasSpecificRole function retrieves the sys_id of the user and the name of the role to check from the parameters passed by the client script.
Finally, it uses a GlideRecord query on the sys_user_has_role table to check whether the specified user has the given role and returns true or false as a string.
Call the Script Include from Your Client Script:
In your client script (for example, an onChange client script on the user reference field), use GlideAjax to call the hasSpecificRole function in your Script Include.
function onChange(control, oldValue, newValue, isLoading, isTemplate) {
if (isLoading || newValue === '') {
return;
}
var userIdToCheck = newValue; // Assuming 'newValue' is the sys_id of
// the user you want to check
var roleToCheck = 'approval_admin'; // Replace with the actual role
// you need to verify
var ga = new GlideAjax('UserRoleUtil');
ga.addParam('sysparm_name', 'hasSpecificRole');
ga.addParam('sysparm_user_id', userIdToCheck);
ga.addParam('sysparm_role_name', roleToCheck);
ga.getXMLAnswer(function(response) {
var userHasRole = response == 'true';
if (!userHasRole) {
// Perform actions if the user does not have the required
// role
g_form.setValue('approvals_field', false);
g_form.setReadOnly('approvals_field', true);
} else {
g_form.setValue('approvals_field', true);
g_form.setReadOnly('approvals_field', false);
}
});
}In this client script:
We create a GlideAjax object, referencing the name of our Script Include (UserRoleUtil).
We add parameters to specify the function to call (hasSpecificRole), the sys_id of the user to check (sysparm_user_id), and the name of the role to verify (sysparm_role_name).
The getXMLAnswer method sends the request to the server and processes the response. The response will be either 'true' or 'false' based on the server-side role check.
We then use this response to implement the desired client-side logic (in this example, setting the 'approvals_field' based on whether the user has the 'approval_admin' role).
Practical Use Cases
This secure method for checking roles of specific users in client scripts can be applied in various scenarios:
Dynamically showing or hiding UI actions based on the roles of a user referenced on the form.
Enabling or disabling form fields depending on the roles of a selected user.
Implementing custom validation rules that depend on the roles of a related user.
Adjusting the user interface elements to provide a tailored experience based on the roles of a referenced individual.
Conclusion: Ensuring Secure Role Verification in Client Scripts
When you need to determine if a specific user (other than the current one) has a particular role within your ServiceNow client scripts, remember that security is paramount. Avoid attempting to directly access this information client-side. Instead, leverage the power of Script Includes and GlideAjax to perform a secure server-side check. This approach ensures the integrity and security of your ServiceNow instance while allowing you to build dynamic and user-friendly applications. By following the steps outlined in this article, you can confidently implement role-based logic in your client scripts, enhancing the functionality and user experience of your ServiceNow solutions.
