Only Allow Reviewers To Approve Review Activities

Geoff_Ross Cireson Consultant Super IT Monkey ✭✭✭✭✭
edited October 2016 in Cireson Uploads
Hi,

This is a Cireson Portal extension to try and get around the issue where a user can approve an RA where they are not a reviewer. The code checks the reviewer list, enumerates members of any AD Groups that are reviewers and if the current user is not in that list, the Approve and Reject buttons are disabled.

With this applied and logged on as me, I can still approve my own RA.



However, when I open an RA where I am not a reviewer (NB: I am a Portal Analyst and even a SCSM Admin), the buttons are disabled.

I hope this helps with this issue, and feedback welcome as always and please re-upload any improvements you make to it.

Kudos to @joivan_hedrick for this one.

Geoff

Comments

  • Conner_Wood Customer Advanced IT Monkey ✭✭✭
    Very neat extension to the Cireson Portal being able to Lock Down the Review in a Review Activity To ONLY THE Assigned Reviewer of the Review.  I'm sure with a small code tweak you could exclude certain groups from having the button disabled as well, such as the "AnalystsADGroup" or a group for being an Admin of the RAs.
  • David_Allen Partner Advanced IT Monkey ✭✭✭
    Great extension, Geoff!  Thank you!
  • Jonathan_Boles Customer Ninja IT Monkey ✭✭✭✭
    @Geoff_Ross, this is absolutely perfect - one (hopefully quick) question - Is it possible to add in a security group for, let's say, a Change Manager that would have the ability to approve/reject in the event the listed approver is unavailable to approve themselves?
  • Konstantin_Slavin-Bo Customer Advanced IT Monkey ✭✭✭
    edited November 2016
    I haven't tested this, but you should be able to do something along these lines: In OnlyAllowReviewersToReviewActivities.js in the GetActivityElementsFromViewModelActivities() function (line 208), add an if-statement, which checks whether the user is a member of your Change Managers group, e.g.:

    line 238: // Finally, check if the user is a member of the ChangeManagers group
    line 239: if(strLoggedInUserGroups.indexOf("DOMAIN\\ChangeManagers") > -1) {
    line 240:   divElementToReturn.userCanReviewThisActivity = true;
    line 241:   break;
    line 242: }

    This should ensure that if the logged on user is a member of that group, they will be able to approve or reject any activity.
  • PIERRE-LOUIS_DURRIS Customer Advanced IT Monkey ✭✭✭
    @Geoff_Ross Great function. I'll test it on our development environment.
  • Leigh_Kilday Member Ninja IT Monkey ✭✭✭✭
    @Konstantin_Slavin-Bo, this worked perfectly. Thanks!
  • Tim_Shackleton Customer IT Monkey ✭
    This also works for groups as reviewers too! Fantastic!
  • Tuan_Luu Customer IT Monkey ✭

    Is this V8 approval page compatible?   

  • Eric_Krasner Customer Advanced IT Monkey ✭✭✭
    I pop in the above code on line 238 and while I can vote if I am the reviewer and I cannot vote if I am not the reviewer (this works great), I can't review someone else's review when I am a member of the group listed in the above code.  Am I missing something else?
  • Eric_Krasner Customer Advanced IT Monkey ✭✭✭
    So I believe the issue to be getting group membership.  It doesn't matter what group I am in, if that group is listed as a reviewer, I still cannot vote.  Are there special permissions needed to do the call to get group membership?

  • Leigh_Kilday Member Ninja IT Monkey ✭✭✭✭
    Not 100% sure, but I'm using a group already enumerated by the Cireson Cache Builder and it works.
  • Brad_McKenna Customer Advanced IT Monkey ✭✭✭
    I had a similar issue and traced it back to ensuring the correct group name was entered for line 239.

    My suggestion is to add the following to line 202, which will provide you the groups that the logged in user is a member of. This allows you to identify how the group is displayed, then validate that it matches the value you are using in line 239.

    console.log("Logged in User Groups: " + session.user.ReviewActivityGroups)
  • Eric_Krasner Customer Advanced IT Monkey ✭✭✭
    Stupid question as I am still trying to get this to work properly, in the example above, 
    line 239: if(strLoggedInUserGroups.indexOf("DOMAIN\\ChangeManagers") > -1) {
    do I need to change DOMAIN to my domain?
  • Brad_McKenna Customer Advanced IT Monkey ✭✭✭
    Yes Eric, you will need to change domain to your domain name.

    If you continue to have issues, see my note above that can aid in identifying the appropriate group syntax for your environment.

  • Eric_Krasner Customer Advanced IT Monkey ✭✭✭
    I still can't get this to work.  Is the correct syntax Domain\\GroupName with double back-slashes?
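
An added example, not part of the extension or of any poster's code: it shows that the literal "DOMAIN\\ChangeManagers" is the string DOMAIN\ChangeManagers with one backslash, and compares group names exactly and case-insensitively instead of with a substring test. The function names, the sample accounts and the separator used to split the group string are assumptions; the real format is whatever the console.log suggested above prints.

```javascript
// Added example; names and the group-string format are assumptions.
// Lower-case and trim, since AD account names compare case-insensitively.
function normalize(name) {
  return String(name).trim().toLowerCase();
}

// Accept an array, or one string separated by commas or semicolons
// (assumed; use whatever format the console.log output actually shows).
function parseGroups(raw) {
  const items = Array.isArray(raw) ? raw : String(raw || "").split(/[;,]/);
  return new Set(items.map(normalize).filter(Boolean));
}

// The thread's line 239 test: true whenever the text occurs anywhere.
function substringCheck(groupsString, group) {
  return groupsString.indexOf(group) > -1;
}

// reviewers: user or group names listed on the RA.
// overrideGroups: groups allowed to vote on any RA (e.g. Change Managers).
function userCanReview(userName, userGroupsRaw, reviewers, overrideGroups) {
  const groups = parseGroups(userGroupsRaw);
  const user = normalize(userName);
  const listed = reviewers.map(normalize)
    .some((r) => r === user || groups.has(r));
  const override = overrideGroups.map(normalize).some((g) => groups.has(g));
  return listed || override;
}

// "\\" in source is the escape for ONE backslash: DOMAIN\ChangeManagers.
const OVERRIDE_GROUPS = ["DOMAIN\\ChangeManagers"];

// Constructed sample data.
const reviewers = ["DOMAIN\\geoff", "DOMAIN\\CAB"];
console.log(userCanReview("DOMAIN\\eric", "domain\\changemanagers",
  reviewers, OVERRIDE_GROUPS)); // case differs, still matches
console.log(userCanReview("DOMAIN\\eric", "DOMAIN\\ChangeManagersTest",
  reviewers, OVERRIDE_GROUPS)); // similar name, exact match rejects it
console.log(substringCheck("DOMAIN\\ChangeManagersTest",
  OVERRIDE_GROUPS[0]));         // substring test accepts it
```
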

  • Eric_Krasner Customer Advanced IT Monkey ✭✭✭
    OK, after extensive testing, here is my current situation

    1. The approve all / reject all buttons do not show - Good
    2. If I am not the named reviewer, I cannot approve/reject - Good
    3. If I am the named reviewer, I can approve/reject - Good
    4. If I am in a group that is the named reviewer - I cannot approve/reject - Bad
    5. If I am in the GlobalApprover group (from above), I cannot approve/reject - Bad

    I have sync'd AD Groups to no avail.
    What am I missing?

  • Brad_McKenna Customer Advanced IT Monkey ✭✭✭
    Eric, have you tried troubleshooting with the notes I reference above?

    Essentially throw the AD groups to console, where you can
  • Eric_Krasner Customer Advanced IT Monkey ✭✭✭
    Yes I did, with no change in the outcome.
  • Konstantin_Slavin-Bo Customer Advanced IT Monkey ✭✭✭
    @Eric_Krasner
    Could you please post the output of the code from Brad? It would help us identify the group and format, which needs to be added.
  • Jay_Rhoten Customer IT Monkey ✭
    I'm interested in supporting read-only access to Service Requests and after reading the threads, it seems that this feature request hasn't been fulfilled? I'd rather not hack the code to widen visibility, is the alternative offering console access to end-users?
  • Conner_Wood Customer Advanced IT Monkey ✭✭✭
    @Jay_Rhoten I believe what you're asking for could be done through the editing of the Cireson Portal form template

    You could do that by copying over ServiceRequest.js from "C:\inetpub\CiresonPortal\Scripts\forms\templates" and pasting it inside "C:\inetpub\CiresonPortal\CustomSpace".

    Then you can create your own section and name it something like "ReadOnlyForm" with all the fields you want displayed and setting them with "Disabled:true"

    Then in the portal as admin you go to Admin Settings and under the "Assign forms to active directory groups" section you specify which AD group you'd like to target, then for Form ID you'd use "ReadOnlyForm" and also figure out what type projection GUID will get you all the fields you wish to display.



    You'll need to find out the name/ID of the TypeProjection in your MP that you want to use and then use something like powershell to get the GUID it has when imported.

    Ex.  
    Service Request Type Projection
    
    (Get-SCSMTypeProjection -Name "SHR.WebPortalServiceRequestProjection").Id
    #-----> Returns the GUID == 6b765aff-3243-bda7-7ae2-338671579642
    
    (Get-SCSMTypeProjection -Id "6b765aff-3243-bda7-7ae2-338671579642").Name
    #-----> Returns the ID/Name == SHR.WebPortalServiceRequestProjection


    Note:  I created a SCSM Reviewer Portal but that's about reviews and displaying some basic information from a SR/CR.  Good news is source code is included, so you can use Visual Studio 2015 Web Express or something similar to change the portal if needed.