Click Update to return to the Data Policy record.

Once there, click on the Convert this to UI Policy UI Action. You'll be taken to a UI Policy record, created with similar conditions and actions to the Data Policy. Now you just need to add one thing piece to the existing UI Policy Action: Set Visible to True. This way (since Reverse if false is turned on), if Temporary is false, then the expiration date will not be shown.

Finally, repeat these steps for the sys_user_has_role table.

Now that we've ensured that only acceptable data can be entered into the table, we're ready to start building our functionality.

Building the Script Include

The first part of this functionality that we're going to create, is the ability to directly add temporary roles to a given user, or add that user to a group temporarily.

The way we're going to accomplish that, is by eventually having a UI Action on the sys_user table that only Admins can see. This UI action is going to launch a GlideDialogWindow containing a UI Page that will present the Admin with a list of roles or groups depending on their selection.

Then, once they've filled in some roles or groups and an expiration date in the client window, we'll need to submit those selections to a server-side script that'll do the work of actually creating the associations between the user, and the roles/groups selected. To accomplish this, we'll be using GlideAjax. If you haven't read our article on GlideAjax and callback functions, I strongly recommend that you check it out over here.

Start off by navigating to System Definition -> Script Includes, and creating a new Script Include. I've named mine TemporaryPermissions. Make sure you check the Client callable checkbox, and ServiceNow will provide you with a script stub that extends AbstractAjaxProcessor, which is what we need in order to call it using GlideAjax, from a client script (which you may remember from our article on GlideAjax and asynchronous callback functions).

Give the Script Include a nice description, and let's get started!

Here is my code... It's a bit of a beast, but I've tried to document it thoroughly so you can see what's going on in there. You'll also see some notes in the script, that talk about pieces (such as the UI page) that we haven't created yet. Don't worry about those. ;-)

You might also notice that some methods/functions begin with an underscore, whereas others do not. Simply put, functions beginning with an underscore are meant to be called only by other, internal code; not from an external API. These functions are "helper" functions that I can call from other parts of my code, to do little bits of work for me over and over.

Finally, you might notice my use of JSDoc notation in the method descriptions. Terms like "@returns {string}". For more information on JSDoc (which I highly recommend using in any multifunctional code), see here.