

IT Monkey will place code here as examples of what Cireson's consulting team has to offer as well as examples for public consumption to benefit the Microsoft System Center community as a whole.

DISCLAIMER

All files and projects located here come as is and without any warranty or support. We will attempt to improve the projects as time goes on based on customer and community demand. Comments and improvements are welcome as well as customization requests. Your use of these Cireson Uploads is subject to our Terms of Use.


Cireson's support team has no information on these projects outside of what you have available and will not provide support for these enhancements, extensions, and scripts.

Don't forget to check out solutions uploaded by our customers, partners and community members here.

Only Allow Reviewers To Approve Review Activities

Geoff_Ross Cireson Consultant O.G.
edited October 2016 in Cireson Uploads
Hi,

This is a Cireson Portal extension to try and get around the issue where a user can approve an RA where they are not a reviewer. The code checks the reviewer list, enumerates members of any AD Groups that are reviewers and if the current user is not in that list, the Approve and Reject buttons are disabled.

With this applied and logged on as me, I can still approve my own RA.



However when I open an RA where I am not a reviewer, (NB: I am a Portal Analyst and even a SCSM Admin)


the buttons are disabled.

I hope this helps with this issue, and feedback welcome as always and please re-upload any improvements you make to it.

Kudos to @joivan_hedrick for this one.

Geoff

Comments

  • Conner_Wood Customer Ninja IT Monkey ✭✭✭✭
    Very neat extension to the Cireson Portal being able to Lock Down the Review in a Review Activity To ONLY THE Assigned Reviewer of the Review.  I'm sure with a small code tweak you could exclude certain groups from having the button disabled as well, such as the "AnalystsADGroup" or a group for being an Admin of the RAs.
  • David_Allen Partner Advanced IT Monkey ✭✭✭
    Great extension, Geoff!  Thank you!
  • Jonathan_Boles Customer Ninja IT Monkey ✭✭✭✭
    @Geoff_Ross, this is absolutely perfect - one (hopefully quick) question - Is it possible to add in a security group for, let's say, a Change Manager that would have the ability to approve/reject in the event the listed approver is unavailable to approve themselves?
  • Konstantin_Slavin-Bo Customer Ninja IT Monkey ✭✭✭✭
    edited November 2016
    I haven't tested this, but you should be able to do something along these lines: In OnlyAllowReviewersToReviewActivities.js in the GetActivityElementsFromViewModelActivities() function (line 208), add an if-statement, which checks whether the user is a member of your Change Managers group, e.g.:

    line 238: // Finally, check if the user is member of the ChangeManagers group
    line 239: if(strLoggedInUserGroups.indexOf("DOMAIN\\ChangeManagers") > -1) {
    line 240:   divElementToReturn.userCanReviewThisActivity = true;
    line 241:   break;
    line 242: }

    This should ensure, that if the logged on user is a member of that group, they will be able to approve or reject any activity.
  • PIERRE-LOUIS_DURRIS Customer Advanced IT Monkey ✭✭✭
    @Geoff_Ross Great function. I'll test it on our development environment.
  • Leigh_Kilday Member Ninja IT Monkey ✭✭✭✭
    I haven't tested this, but you should be able to do something along these lines: In OnlyAllowReviewersToReviewActivities.js in the GetActivityElementsFromViewModelActivities() function (line 208), add an if-statement, which checks whether the user is a member of your Change Managers group, e.g.:

    line 238: // Finally, check if the user is member of the ChangeManagers group
    line 239: if(strLoggedInUserGroups.indexOf("DOMAIN\\ChangeManagers") > -1) {
    line 240:   divElementToReturn.userCanReviewThisActivity = true;
    line 241:   break;
    line 242: }

    This should ensure, that if the logged on user is a member of that group, they will be able to approve or reject any activity.

    @Konstantin_Slavin-Bo, this worked perfectly. Thanks!
  • Tim_Shackleton Customer IT Monkey ✭
    This also works for groups as reviewers too! Fantastic!
  • Tuan_Luu Customer IT Monkey ✭

    Is this V8 approval page compatible?   

  • Eric_Krasner Customer Advanced IT Monkey ✭✭✭
    I pop in the above code on line 238 and while I can vote if I am the reviewer and I cannot vote if I am not the reviewer (this works great), I can't review someone else's review when I am a member of the group listed in the above code.  Am I missing something else?
  • Eric_Krasner Customer Advanced IT Monkey ✭✭✭
    so i believe the issue to be getting group membership.  It doesn't matter what group I am in, if that group is listed as a reviewer, I still cannot vote.  Are there special permissions needed to do the call to get group membership?

  • Leigh_Kilday Member Ninja IT Monkey ✭✭✭✭
    Not 100% sure, but I'm using a group already enumerated by the Cireson Cache Builder and it works.
  • Brad_McKenna Customer Advanced IT Monkey ✭✭✭
    I had a similar issue and traced it back to making sure the correct group name is entered for line 239.

    My suggestion is to add the following to line 202, which will provide you with the groups that the logged-in user is a member of. This lets you identify how the group is displayed, then validate that it matches the value you are using in line 239.

    console.log("Logged in User Groups: " + session.user.ReviewActivityGroups)
  • Eric_Krasner Customer Advanced IT Monkey ✭✭✭
    Stupid question as I am still trying to get this to work properly, in the example above, 
    line 239: if(strLoggedInUserGroups.indexOf("DOMAIN\\ChangeManagers") > -1) {
    do I need to change DOMAIN to my domain?
  • Brad_McKenna Customer Advanced IT Monkey ✭✭✭
    Stupid question as I am still trying to get this to work properly, in the example above, 
    line 239: if(strLoggedInUserGroups.indexOf("DOMAIN\\ChangeManagers") > -1) {
    do I need to change DOMAIN to my domain?

    Yes Eric, you will need to change domain to your domain name.

    If you continue to have issues, see my note above, which can aid in identifying the appropriate group syntax for your environment.

  • Eric_Krasner Customer Advanced IT Monkey ✭✭✭
    I still can't get this to work.  Is the correct syntax Domain\\GroupName with double back-slashes?

  • Eric_Krasner Customer Advanced IT Monkey ✭✭✭
    OK, after extensive testing, here is my current situation

    1. The approve all / reject all buttons do not show - Good
    2. If I am not the named reviewer, I cannot approve/reject - Good
    3. If I am the named reviewer, I can approve/reject - Good
    4. If I am in a group that is the named reviewer - I cannot approve/reject - Bad
    5. If I am in the GlobalApprover group (from above), I cannot approve/reject - Bad

    I have sync'd AD Groups to no avail.
    What am I missing?

  • Brad_McKenna Customer Advanced IT Monkey ✭✭✭
    Eric, have you tried troubleshooting with the notes I reference above?

    Essentially throw the AD groups to console, where you can
  • Eric_Krasner Customer Advanced IT Monkey ✭✭✭
    Yes I did, with no change in the outcome.
  • Konstantin_Slavin-Bo Customer Ninja IT Monkey ✭✭✭✭
    @Eric_Krasner
    Could you please post the output of the code from Brad? It would help us identify the group and format, which needs to be added.
  • Jay_Rhoten Customer IT Monkey ✭
    I'm interested in supporting read-only access to Service Requests and after reading the threads, it seems that this feature request hasn't been fulfilled? I'd rather not hack the code to widen visibility, is the alternative offering console access to end-users?
  • Conner_Wood Customer Ninja IT Monkey ✭✭✭✭
    @Jay_Rhoten I believe what you're asking for could be done through the editing of the Cireson Portal form template

    You could do that by copying over ServiceRequest.js from "C:\inetpub\CiresonPortal\Scripts\forms\templates" and pasting it inside "C:\inetpub\CiresonPortal\CustomSpace".

    Then you can create your own section and name it something like "ReadOnlyForm" with all the fields you want displayed and setting them with "Disabled:true"

    Then in the portal as admin you go to Admin Settings and under the "Assign forms to active directory groups" section you specify which AD group you'd like to target, then for Form ID you'd use "ReadOnlyForm" and also figure out what type projection GUID will get you all the fields you wish to display.



    You'll need to find out the name/ID of the TypeProjection in your MP that you want to use and then use something like powershell to get the GUID it has when imported.

    Ex.  
    Service Request Type Projection
    
    (Get-SCSMTypeProjection -Name "SHR.WebPortalServiceRequestProjection").Id
    #-----> Returns the GUID == 6b765aff-3243-bda7-7ae2-338671579642

    (Get-SCSMTypeProjection -Id "6b765aff-3243-bda7-7ae2-338671579642").Name
    #-----> Returns the ID/Name == SHR.WebPortalServiceRequestProjection

    Note:  I created a SCSM Reviewer Portal but that's about reviews and displaying some basic information from a SR/CR.  Good news is source code is included, so you can use Visual Studio 2015 Web Express or something similar to change the portal if needed.
  • Robin_Waarsenburg Customer IT Monkey ✭
    edited April 2019
    A user can still 'approve' his own request by changing the approval condition to 'Automatic'. The activity will be approved after saving it. 
    We have hidden this field altogether by modifying the review-activity.html file. This file gets overwritten with each update of the portal. Will it be possible to use these files in the customspace folder in the future or is there another / easier way?

    I don't know in which case an end user should be able to modify a review activity at all, at least in our environment. Haven't tried the solution in the post above. That might help. 
  • Eric_Evans Member IT Monkey ✭

    I am having an issue with this as well, I used the "console.log("Logged in User Groups: " + session.user.ReviewActivityGroups)" bit and got that I am a part of AD\IT - SM Change Management group.


    However, when I insert

    // Finally, check if the user is member of the ChangeManagers group
    if(strLoggedInUserGroups.indexOf("AD\IT - SM Change Management") > -1) {
        console.log("tis right")
        divElementToReturn.userCanReviewThisActivity = true;
        break
    }
    

    I get nothing. so I put in "console.log("tis right")" just to see if it was getting to that point, and it is not.


    What could I possibly be doing wrong?

  • Shane_White Cireson Support Super IT Monkey ✭✭✭✭✭

    Hi @Eric_Evans

    Out of curiosity does this work?

    if(strLoggedInUserGroups.indexOf("AD\\IT - SM Change Management") > -1) {
        console.log("tis right")
        divElementToReturn.userCanReviewThisActivity = true;
        break
    }
    

    I think you need to escape the backslash with another backslash so it uses it in the string.

    Thanks,

    Shane
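
The escaping problem resolved in the exchange above, shown as an added example that is not part of the original posts or of the Cireson extension. It also shows that a substring `indexOf` test accepts look-alike group names, next to an exact-match check. The comma-separated format of the group string, the helper names and the sample group lists are assumptions.

```javascript
// Added example: names are hypothetical except the group strings quoted in the thread.
// Assumption: the logged-in user's groups arrive as one comma-separated string.

// "\I" is not a recognised escape in a JS string literal, so the backslash is
// silently dropped and the literal no longer contains the domain separator.
const unescapedLiteral = "AD\IT - SM Change Management";     // backslash lost
const escapedLiteral = "AD\\IT - SM Change Management";      // one real backslash
const rawLiteral = String.raw`AD\IT - SM Change Management`; // same value, no doubling

// Split the group string into normalised names (trimmed, lower-cased).
function parseGroups(groupString, delimiter = ",") {
  return String(groupString || "")
    .split(delimiter)
    .map((g) => g.trim().toLowerCase())
    .filter((g) => g.length > 0);
}

// Exact membership: the whole group name must match, not just a substring.
function isInGroup(groupString, wantedGroup, delimiter = ",") {
  return parseGroups(groupString, delimiter).includes(wantedGroup.trim().toLowerCase());
}

// Constructed sample values for illustration.
const changeManager = "AD\\Domain Users,AD\\IT - SM Change Management";
const lookalikeOnly = "AD\\Domain Users,AD\\IT - SM Change Management Auditors";

function demo() {
  return {
    unescapedMatches: changeManager.indexOf(unescapedLiteral) > -1,  // false
    escapedMatches: changeManager.indexOf(escapedLiteral) > -1,      // true
    rawEqualsEscaped: rawLiteral === escapedLiteral,                 // true
    substringOverMatch: lookalikeOnly.indexOf(escapedLiteral) > -1,  // true
    exactRejectsLookalike: isInGroup(lookalikeOnly, escapedLiteral), // false
    exactAcceptsMember: isInGroup(changeManager, escapedLiteral),    // true
  };
}

console.log(demo());
```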

  • Eric_Evans Member IT Monkey ✭

    Yes! That was the ticket! thank you so much!

  • Shane_White Cireson Support Super IT Monkey ✭✭✭✭✭

    No worries :-)

  • Jillian_Hill Customer IT Monkey ✭

    Hello, I'm rather new when it comes to working on the portal customizations. I wanted to ask, how do I get the Approve All/Reject All to not show up on the RAs in the portal? Thanks :)

  • Geoff_Ross Cireson Consultant O.G.

    Hi @Jillian_Hill

    Welcome to Cireson Portal Customising. I saw you just completed the Portal eLearning course too. Great work!

    Happy to get into this and explain, but if you can wait a week or so, we're actually working on an update to this code which will be easier to implement.

    Geoff

  • Jillian_Hill Customer IT Monkey ✭

    Thank you! I'm trying to increase my knowledge so I can maximize the potential of the Cireson apps and portal in my organization (job security, am I right? lol). I'll keep a lookout for that update.
