Users are unable to create a Change request from vulnerability group


Description

"Create Change" UI action has a condition which will check the script include "VulnerabilityUtils" for function "canShowCreateChangeButton". If user has "sn_vul.vulnerability_write" role then it will return true but user want to enable "Create change" UI action for role "sn_vul.remediation_owner" role as well.

A new role was introduced called <sn_vul.remediation_owner> in VR v8

* Users that have this role, will primarily be using the Vulnerability Group and Vulnerable Item records to perform day-to-day tasks, which include creating Change requests from the Vulnerability Group via the UI Action in question.

Users with the <sn_vul.vulnerability_write> role, may perform this function, but likely only for edge cases and not in a day-to-day style – they are not the primary folks who would be doing this

The baseline UI Action for [Create Change] is restricted to users with <sn_vul.vulnerability_write>; this originates from prior versions of the VR product

* After the <sn_vul.remediation_owner> role was introduced in VR v8, the UI Action permissions for [Create Change] should have been updated
* The challenge here is that the UI Actions permissions, calls an additional Script Include
* We can make the cloned adjustments to the UI Action, and Script Include in the field, but this becomes a customization the customer owns when we leave
* The observation is this should be part of the native VR app, and not a customization we introduce for customers
* Every VR customer will naturally want their Remediation Users, to have the ability to create a Change Request

Previously, we did not have the <sn_vul.remediation_owner> role – this is new for VR v8.

* Users with this role can see / update Vulnerable Items and Vulnerability Groups that are assigned to their Team
* Part of this experience requires that users with this role, have the permissions to create a Change request from a Vulnerability Group
* These "Remediation Users" are the primary audience of the work, and require the ability to click the "Create Change" UI Action

Resolution

As a Change Request Enhancement in Orlando, we have marked users with 'itil' role (that is by default required to create change) to view the 'Create Change' UI Action.
And also, the itil role contains 'sn_vul.remediation_owner'.

Hence, the users with the role 'sn_vul.remediation_owner' will be able to view the action 'Create Change'.

But for now, as a workaround, the customers will have to customize the script include 'VulnerabilityUtils'.

 

Please find below alternate workaround to customizing the ‘VulnerabilityUtils’ Script Include:

--Clone the Out of box UI Action, and created a custom script include to do the permission check
--Once you upgrade to the next version, you can disable the custom UI Action and move forward with the new baseline UI Action