Only Allow Reviewers To Approve Review Activities

Geoff_Ross

Hi,

This is a Cireson Portal extension to try and get around the issue where a user can approve an RA where they are not an reviewer. The code checks the reviewer list, enumerates members of any AD Groups that are reviewers and if the current user is not in that list, the Approve and Reject buttons are disabled.

With this applied and logged on as me, I can still approve my own RA.



However when I open an RA where I am not a reviewer, (NB: I am a Portal Analyst and even a SCSM Admin)

the button are disabled.

I hope this helps with this issue, and feedback welcome as always and please re-upload any improvements you make to it.

Kudos to @joivan_hedrick for this one.

Geoff

Conner_Wood

Very neat extension to the Cireson Portal being able to Lock Down the Review in a Review Activity To ONLY THE Assigned Reviewer of the Review.  I'm sure with a small code tweak you could exclude certain groups from having the button disabled as well, such as the "AnalystsADGroup" or a group for being an Admin of the RAs.

David_Allen

Great extension, Geoff!  Thank you!

Jonathan_Boles

@Geoff_Ross, this is absolutely perfect - one (hopefully quick) question - Is it possible to add-in a security group for lets say a Change Manager that would have the ability to approve/reject in the event the listed approver is unavailable to approve themselves?

Konstantin_Slavin-Bo

I haven't tested this, but you should be able to do something along these lines: In OnlyAllowReviewersToReviewActivities.js in the GetActivityElementsFromViewModelActivities() function (line 208), add an if-statement, which checks whether the user is a member of your Change Managers group, e.g.:

line 238: // Finally, check if the user is member of the ChangeMangers group<br>line 239: if(strLoggedInUserGroups.indexOf("DOMAIN\\ChangeManagers") > -1) {<br>line 240: &nbsp; divElementToReturn.userCanReviewThisActivity = true;<br>line 241: &nbsp;&nbsp;&nbsp; break;<br>line 242: }

This should ensure, that if the logged on user is a member of that group, they will be able to approve or reject any activity.

PIERRE-LOUIS_DURRIS

@Geoff_Ross Great function. I'll test it on our development environment.

Leigh_Kilday

Konstantin_Slavin-Bo said:

I haven't tested this, but you should be able to do something along these lines: In OnlyAllowReviewersToReviewActivities.js in the GetActivityElementsFromViewModelActivities() function (line 208), add an if-statement, which checks whether the user is a member of your Change Managers group, e.g.:

line 238: // Finally, check if the user is member of the ChangeMangers group<br>line 239: if(strLoggedInUserGroups.indexOf("DOMAIN\\ChangeManagers") > -1) {<br>line 240: &nbsp; divElementToReturn.userCanReviewThisActivity = true;<br>line 241: &nbsp;&nbsp;&nbsp; break;<br>line 242: }

This should ensure, that if the logged on user is a member of that group, they will be able to approve or reject any activity.

@Konstantin_Slavin-Bo, this worked perfectly. Thanks!

Tim_Shackleton

This also works for groups as reviewers too! Fantastic!

Tuan_Luu

Is this V8 approval page compatible?   

Eric_Krasner

I pop in the above code on line 238 and while I can vote if I am the reviewer and I cannot vote if I am not the reviewer (this works great), I can't review someone else's review when I am a member of the group listed in the above code.  Am I missing something else?

Eric_Krasner

so i believe the issue to be getting group membership.  It doesn't matter what group I am in, if that group is listed as a reviewer, I still cannot vote.  Are there special permissions needed to do the call to get group membership?

Leigh_Kilday

Not 100% sure, but I'm using a group already enumerated by the Cireson Cache Builder and it works.

Brad_McKenna

I had a similar issue traced it back to ensure to enter the correct group name for line 239.

My suggestion is to add the following to line 202, which will provide you the groups that the logged in user is a member of. Allowing to identify how the group is displayed, then validate it matches the value you are using in line 239.

console.log("Logged in User Groups: " + session.user.ReviewActivityGroups)

Eric_Krasner

Stupid question as I am still trying to get this to work properly, in the example above, 

line 239: if(strLoggedInUserGroups.indexOf("DOMAIN\\ChangeManagers") > -1) <span>{</span>

do I need to change DOMAIN to my domain?

Brad_McKenna

Eric_Krasner said:

Stupid question as I am still trying to get this to work properly, in the example above, 

line 239: if(strLoggedInUserGroups.indexOf("DOMAIN\\ChangeManagers") > -1) <span>{</span>

do I need to change DOMAIN to my domain?

Yes Eric, you will need to change domain to your domain name.

If you continue to have issues, see my note above that can aid in identify the appropriate group syntax for your  environment.

Eric_Krasner

I still can't get this to work.  Is the correct syntax Domain\\GroupName with double back-slashes?

Eric_Krasner

OK, after extensive testing, here is my current situation

1. The approve all / reject all buttons do not show - Good
2. If I am not the named review, I cannot approve/reject - Good
3. If I am the named reviewer, I can approve/reject - Good
4. If I am in a group that is the named reviewer - I cannot approve/reject - Bad
5. If I am in the GlobalApprover group (from above), I cannot approve/reject - Bad

I have sync'd AD Groups to no avail.
What am I missing?

Brad_McKenna

Eric, have you tried troubleshooting with the notes I reference above?

Essentially throw the AD groups to console, where you can

Eric_Krasner

Yes I did, with no change in the outcome.

Konstantin_Slavin-Bo

@Eric_Krasner
Could you please post the output of the code from Brad? It would help us identify the group and format, which needs to be added.

Jay_Rhoten

I'm interested in supporting read-only access to Service Requests and after reading the threads, it seems that this feature request hasn't been fulfilled? I'd rather not hack the code to widen visibility, is the alternative offering console access to end-users?

Conner_Wood

@Jay_Rhoten I believe what you're asking for could be done through the editing of the Cireson Portal form template

You could do that by copying over ServiceRequest.js from "C:\inetpub\CiresonPortal\Scripts\forms\templates" and pasting it inside "C:\inetpub\CiresonPortal\CustomSpace".

Then you can create your own section and name it something like "ReadOnlyForm" with all the fields you want displayed and setting them with "Disabled:true"

Then in the portal as admin you go to Admin Settings and under the "Assign forms to active directory groups" section you specify which AD group you'd like to target, then for Form ID you'd use "ReadOnlyForm" and also figure out what type projection GUID will get you all the fields you wish to display.



You'll need to find out the name/ID of the TypeProjection in your MP that you want to use and then use something like powershell to get the GUID it has when imported.

Ex.  

Service Request Type Projection

(Get-SCSMTypeProjection -Name "SHR.WebPortalServiceRequestProjection").Id
#-----> Returns the GUID == 6b765aff-3243-bda7-7ae2-338671579642
<br>(Get-SCSMTypeProjection -Id "6b765aff-3243-bda7-7ae2-338671579642").Name
#-----> Returns the ID/Name == SHR.WebPortalServiceRequestProjection<br><br>

Note:  I created a SCSM Reviewer Portal but that's about reviews and displaying some basic information from a SR/CR.  Good news is source code is included, so you can use Visual Studio 2015 Web Express or something similar to change the portal if needed.

Robin_Waarsenburg

A user can still 'approve' his own request by changing the approval condition to 'Automatic'. The activity will be approved after saving it. 
We have hidden this field altogether by modifying the review-activity.html file. This file gets overwritten with each update of the portal. Will it be possible to use these files in the customspace folder in the future or is there another / easier way?

I don't know in which case an end user should be able to modify a review activity at all, at least in our environment. Haven't tried the solution in the post above. That might help. 

Eric_Evans

I am having an issue with this as well, I used the "console.log("Logged in User Groups: " + session.user.ReviewActivityGroups)" bit and got that I am a part of AD\IT - SM Change Management group.

However, when I insert

// Finally, check if the user is member of the ChangeMangers group
                                       if(strLoggedInUserGroups.indexOf("AD\IT - SM Change Management") > -1) {
                                               console.log("tis right")
                                               divElementToReturn.userCanReviewThisActivity = true;
                                               break
                                               
                                       }

I get nothing. so I put in "console.log("tis right")" just to see if it was getting to that point, and it is not.

What could I possibly be doing wrong?

Shane_White

Hi @Eric_Evans

Out of curiosity does this work?

if(strLoggedInUserGroups.indexOf("AD\\IT - SM Change Management") > -1) {
                                               console.log("tis right")
                                               divElementToReturn.userCanReviewThisActivity = true;
                                               break
                                               
                                       }

I think you need to escape the backslash with another backslash so it uses it in the string.

Thanks,

Shane

Eric_Evans

Yes! That was the ticket! thank you so much!

Shane_White

No worries :-)

Jillian_Hill

Hello, I'm rather new when it comes to working on the portal customizations. I wanted to ask, how do I get the Approve All/Reject All to not show up on the RAs in the portal? Thanks :)

Geoff_Ross

Hi @Jillian_Hill

Welcome to Cireson Portal Customising.I saw you just completed the Portal eLearning course too. Great work!

Happy to get into this and explain, but if you can wait a week or so, we're actually working on an update to this code which will be easier to implement.

Geoff

Jillian_Hill

Thank you! I'm trying increase my knowledge so I can maximize the potential of the Cireson apps and portal in my organization (job security, am I right? lol). I'll keep a lookout for that update.