Prevent admin from overriding UI action conditions

Import · Dec 09, 2020 · article

I have observed that the Requires roles field on a UI action is automatically overridden by the admin role: a user holding admin satisfies the check whatever roles are listed.

To get around this:

- If the UI action (such as one on sysapproval_approver) has a Requires roles entry of admin only (for example the UI action with sys_id 82183da3c3511200f7d1ca3adfba8f21), just disable it, or replace admin with security_admin so that the action needs an elevated role.

- If the UI action (as in the case of a custom button) has a Requires roles entry for a non-admin role, the admin role automatically overrides it, it seems. The same applies to the Condition field when it uses gs.hasRole, because gs.hasRole returns true for admins regardless of the role asked for.

To get around this, use one of these variants in the server script of the UI action, either to allow security_admin only access, or to give admins no access at all:

```javascript
// Variant 1: allow security admin access.
// The literal role list is inspected instead of gs.hasRole(), so a plain admin
// is rejected; change_manager, catalog_admin or security_admin pass.
var sAllRoles = gs.getUser().getRoles();
var iChgAdm = sAllRoles.indexOf('change_manager');
var iCatAdm = sAllRoles.indexOf('catalog_admin');
var iSecAdm = sAllRoles.indexOf('security_admin');
if (iChgAdm < 0 && iCatAdm < 0 && iSecAdm < 0) {
    gs.addErrorMessage('you do not have the role');
    action.setRedirectURL(current);
    return false;
}
```

Or, to remove the action altogether from admins, use this script:

```javascript
// Variant 2: no access for admins.
// An admin who also holds change_manager or catalog_admin still passes;
// users without admin are left to the Requires roles field.
var sAllRoles = gs.getUser().getRoles();
var iChgAdm = sAllRoles.indexOf('change_manager');
var iCatAdm = sAllRoles.indexOf('catalog_admin');
var bIsAdm = gs.hasRole('admin'); // boolean, no need to compare against 0
if (iChgAdm < 0 && iCatAdm < 0 && bIsAdm) {
    gs.addErrorMessage('you do not have the role');
    action.setRedirectURL(current);
    return false;
}
```
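To make the admin override visible without an instance, here is an added example (not the blog's code) that models ServiceNow's role semantics with plain data and runs the post's two variants against constructed users. It assumes a user is `{roles: [...]}` and that `hasRole()` mirrors `gs.hasRole()`, which returns true for every role when the user holds admin.

```javascript
// Added example, not from the post. Assumption: a user is {roles: [...]} and
// hasRole() mirrors gs.hasRole(), which returns true for any role when the
// user holds 'admin'.

function hasRole(user, role) {
  if (user.roles.indexOf('admin') !== -1) return true; // the admin override
  return user.roles.indexOf(role) !== -1;
}

// How a "Requires roles" list or a gs.hasRole() condition effectively evaluates.
function requiresRolesAllows(user, requiredRoles) {
  return requiredRoles.some(function (r) { return hasRole(user, r); });
}

// Variant 1: inspect the literal role list, so admin alone is not enough.
function variant1Allows(user) {
  var roles = user.roles; // stands in for gs.getUser().getRoles()
  return roles.indexOf('change_manager') !== -1 ||
         roles.indexOf('catalog_admin') !== -1 ||
         roles.indexOf('security_admin') !== -1;
}

// Variant 2: block admins without a functional role; everyone else is left
// to the Requires roles field, so it blocks nothing for non-admins.
function variant2Allows(user) {
  var roles = user.roles;
  var noFunctionalRole = roles.indexOf('change_manager') === -1 &&
                         roles.indexOf('catalog_admin') === -1;
  return !(noFunctionalRole && hasRole(user, 'admin'));
}

// Evaluate each check for a user; the UI action shows only when the checks
// applied to it all agree (Requires roles plus the script in the action).
function decide(user) {
  return {
    requiresRoles: requiresRolesAllows(user, ['change_manager', 'catalog_admin']),
    variant1: variant1Allows(user),
    variant2: variant2Allows(user)
  };
}

// Constructed sample users, not real accounts.
var plainAdmin = { roles: ['admin'] };
var securityAdmin = { roles: ['admin', 'security_admin'] };
var changeManager = { roles: ['itil', 'change_manager'] };
var itilOnly = { roles: ['itil'] };
```

The plain admin passes the Requires roles check but fails both script variants; the itil-only user shows that variant 2 on its own blocks nobody except admins, so it only makes sense together with Requires roles.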

Haven't tested these all recently within global/local scopes, so feel free to have a play!

Option 1: use an encoded query embedded in the GlideRecord, e.g.

```javascript
var grProf = new GlideRecord('x_cls_clear_skye_i_profile');
grProf.addQuery('status=1^owner=NULL'); // owner=NULL matches an empty reference
grProf.query();
```

Even better, use the GlideRecord addNotNullQuery or addNullQuery methods.

Option 2: JSUtil.nil / notNil (this might be the most powerful. See this link). Example:

```javascript
// true only when parent is populated and work_effort is empty
if (current.operation() == 'insert' && JSUtil.notNil(current.parent) && !current.work_effort.nil()) {
}
```

Option 3: there might be times when you need to get inside the GlideRecord and perform the check there, for example if the code goes down two optional routes depending on null / not null. You can use gs.nil:

```javascript
var grAppr = new GlideRecord('sysapproval_approver');
var grUser = new GlideRecord('sys_user');
if (grUser.get('sys_id', current.approver)) {
    // approver record found
}
```

Reading a URL parameter in the Classic UI:

```javascript
var sURL_editparam = gs.action.getGlideURI().getMap().get('sysparm_aparameter');
if (sURL_editparam == 'true') {
    gs.addInfoMessage('parameter passed');
}
```

Portal:

```javascript
var sURL_editparam = $sp.getParameter("sysparm_aparameter");
if (sURL_editparam == 'true') {
    gs.addInfoMessage('parameter passed');
}
```

Call a script include to apply a reference qualifier on a catalog item variable: the variable reference qualifier depends on another variable selection, in this case a variable referencing sys_user (requested_for) on the catalog item form.

Variable name to apply the ref qual filter to: retail_equipment

Variable reference qualifier (on the cmdb table): javascript: new refqual_functions().lostStolen_getAssignedCIs();

Client-callable script include (refqual_functions) function:

```javascript
lostStolen_getAssignedCIs: function() {
    //--called from variable set client script, for lost/stolen request (service catalog)
    gs.log(current.variables.requested_for, 'retail_lostStolen_getAssignedCIs');
    // encoded query clauses are joined with ^
    return ('install_statusNOT IN8,7^owned_by=' + current.variables.requested_for);
    //owned_by=1269b79937f1060041c5616043990e41^install_statusNOT IN8,7
},
```

View original source

http://www.cloudminus89.com/2020/12/prevent-admin-from-overriding-ui-action.html