Restrict ESS or non-role users from navigating to native UI by manipulating the URL


Description

Based on the configuration defined in the SPEntryPage().getFirstPageURL() function, the user is redirected to either the Service Portal or the native UI.

However, if the end user manipulates or modifies the URL, they can view the same record in the native UI view.

For example:

Portal Link - https://XXXXX.service-now.com/sp?id=order_status&table=sc_request&sys_id=edc9b3bc1b2d381009486284bb4bcbc7

If the end user manually modifies the URL as below:

Native UI Link - https://XXXXX.service-now.com/sc_request.do&sys_id=edc9b3bc1b2d381009486284bb4bcbc7

or - https://XXXXX.service-now.com/sc_request.do?sys_id=edc9b3bc1b2d381009486284bb4bcbc7

The end user now sees the record in native UI view.

Release or Environment

All supported releases

Cause

Resolution

The system does not appear to apply this control when nav_to.do is missing from the URL.
The native UI links shown above do not contain nav_to.do.
When nav_to.do is present, the system knows where to redirect the user based on their role.
A custom Global UI script such as the one below can close this gap:

UI Type: Desktop
Global = true

addLoadEvent(function () {
    // Users without the 'itil' role who land on a native UI page (any URL
    // containing '.do') are sent back to the Service Portal.
    if (!g_user.hasRoleExactly('itil') && document.URL.indexOf('.do') != -1) {
        window.location = '/sp';
    }
});


The script checks whether the user has the 'itil' role.
You can replace this role according to your business requirement.
This is not a platform defect: the native UI is rendering a record the user can already view in the portal, so the platform is working as expected here; the UI script only changes which view the user lands on.

Additional Information

The UI script above is only one suggested approach to mitigating this behaviour.
Further customization is out of scope for the technical support department.

Some additional custom validation ideas you can try in the UI script to check whether a URL is a portal URL:
- Portal URLs always contain 'id='.
- Portal URLs do not contain '.do' or '_list.do'.
- Use GlideAjax within the UI script to add more server-side validations such as group membership or company. Keep in mind that server-side queries can have a performance impact on the instance; see the product documentation on using GlideAjax in a UI script.
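As an added example (not code from this KB article), the validation ideas above written as a helper that can be tested outside the instance: isPortalUrl and shouldRedirectToPortal are hypothetical names, the role check is passed in as a boolean in place of g_user.hasRoleExactly, and the sample URLs with their sys_id placeholders are constructed.

```javascript
// Added example, not the article's own script. Hypothetical helpers that apply
// the article's rules to a URL string so the redirect logic can be unit-tested.

// Matches a native UI resource name: 'foo.do' or 'foo_list.do', including the
// malformed 'sc_request.do&sys_id=...' form from the article, where '.do' is
// followed by '&' instead of '?'.
var NATIVE_UI_PATTERN = /\.do\b/;

// Classify a URL as a Service Portal URL using the article's rules:
// portal URLs carry an 'id=' parameter and never contain '.do' or '_list.do'.
function isPortalUrl(urlString) {
  // Base is only used if a relative path such as '/sp' is passed in.
  var url = new URL(urlString, 'https://example.service-now.com');
  var hasPortalId = url.searchParams.has('id');
  var isNativeUi = NATIVE_UI_PATTERN.test(url.pathname);
  return hasPortalId && !isNativeUi;
}

// Decide whether a user who lacks the required role should be sent to '/sp'.
// hasRequiredRole stands in for g_user.hasRoleExactly(role) so the function
// runs without the ServiceNow client API; urlString stands in for document.URL.
function shouldRedirectToPortal(hasRequiredRole, urlString) {
  if (hasRequiredRole) {
    return false; // role holders may stay in the native UI
  }
  var path = new URL(urlString, 'https://example.service-now.com').pathname;
  // Only redirect when the page is a native UI resource; portal pages and
  // other non-native resources are left alone.
  return NATIVE_UI_PATTERN.test(path) && !isPortalUrl(urlString);
}

// Constructed sample URLs; PLACEHOLDER stands for a sys_id and is not a real record.
var SAMPLES = {
  portal: 'https://example.service-now.com/sp?id=order_status&table=sc_request&sys_id=PLACEHOLDER',
  nativeForm: 'https://example.service-now.com/sc_request.do?sys_id=PLACEHOLDER',
  nativeFormMalformed: 'https://example.service-now.com/sc_request.do&sys_id=PLACEHOLDER',
  nativeList: 'https://example.service-now.com/sc_request_list.do?sysparm_query=active=true'
};

// Wiring into a Global UI script mirrors the article's handler:
//   addLoadEvent(function () {
//     if (shouldRedirectToPortal(g_user.hasRoleExactly('itil'), document.URL)) {
//       window.location = '/sp';
//     }
//   });
```

Because the check runs in the browser, it only steers which view a user lands on; record visibility itself is still decided by the instance's ACLs.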