How to apply ACL script to List Mechanic to hide columns (tested in Eureka)
Hi,
Recently we had to solve a situation where certain users weren't supposed to see columns in lists based on their company.
Problem: The ServiceNow add_to_list ACL operation does not support ACL scripts.
Reason: Security checks initiated in the ListMechanic Script Include bypass the ACL script (only role requirements are checked).
Solution:
- Disable the UI Policy that hides the script field in the ACL. The name of the UI Policy is "Hide Condition and Script for add_to_list ACL".
- Modify ListMechanic Script Include method applyRules:
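    applyRules: function(cls, tableName) {
        var avail = cls.getColumns();
        var sm = GlideSecurityManager.get();
        // Load one record so the ACL script has a record to evaluate against.
        var grs = new GlideRecordSecure(tableName);
        grs.setLimit(1); // only the first record is used
        grs.query();
        grs.next();
        // No i++ in the loop header: the index advances only when a column is kept.
        for (var i = 0; i < avail.getSize();) {
            var c = avail.getChoice(i);
            var name = c.getValue();
            var url = "record/" + tableName + '.' + name + "/add_to_list";
            // Original call, which passed no record:
            //var canAdd = sm.hasRightsTo(url, null);
            var canAdd = sm.hasRightsTo(url, grs);
            if (canAdd) {
                i++;
                continue;
            }
            // Not allowed: remove the column; the next one shifts into index i.
            avail.remove(i);
        }
    },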
Acknowledgements:
- Maybe there's a better way to initialize the GlideRecordSecure object without actually having to perform a query.
- I don't know how these modifications will affect our next upgrade.
Cheers,
Stas
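
An added example, not part of the original post and not ServiceNow code: a company-based decision that a field's add_to_list ACL script could make, with an off-instance stand-in for the filter loop so the rule can be tested before it is pasted into the ACL. All names (companyMayAdd, POLICY, hasRightsTo, filterColumns), the u_cost and u_margin columns and the company ids are constructed assumptions; the null-record branch models the behaviour described in the post.

```javascript
// Added illustration; every name below is hypothetical and all data is constructed.

// Decision for one field's add_to_list ACL script: only the listed companies may
// add the column, and a user without a company is denied (fail closed).
// Assumed use in the ACL script field:
//   answer = companyMayAdd(gs.getUser().getCompanyID(), ['<company sys_id>']);
function companyMayAdd(userCompanyId, allowedCompanyIds) {
    if (!userCompanyId) return false;
    return allowedCompanyIds.indexOf(String(userCompanyId)) !== -1;
}

// Constructed policy: ACL resource -> companies allowed. Unlisted columns are open.
var POLICY = {
    'record/incident.u_cost/add_to_list': ['acme'],
    'record/incident.u_margin/add_to_list': ['acme', 'globex']
};

// Stand-in for the security manager. With record === null the script part is
// skipped, which models what the post describes for the unmodified call.
function hasRightsTo(url, record, userCompanyId) {
    if (!POLICY.hasOwnProperty(url) || record === null) return true;
    return companyMayAdd(userCompanyId, POLICY[url]);
}

// Same in-place filter as applyRules: advance only when the column is kept.
function filterColumns(tableName, columns, record, userCompanyId) {
    var avail = columns.slice();
    for (var i = 0; i < avail.length;) {
        var url = 'record/' + tableName + '.' + avail[i] + '/add_to_list';
        if (hasRightsTo(url, record, userCompanyId)) {
            i++;
            continue;
        }
        avail.splice(i, 1);
    }
    return avail;
}

// Constructed column list; the two restricted columns are adjacent on purpose,
// so a loop that skipped an index after removal would leave one of them behind.
var COLS = ['number', 'u_cost', 'u_margin', 'short_description'];
```

The code uses ES5 syntax only, so companyMayAdd can be copied into a server-side script unchanged.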
https://www.servicenow.com/community/developer-articles/how-to-apply-acl-script-to-list-mechanic-to-hide-columns-tested/ta-p/2306835