Restrict the logged-in user from editing the Assignment Group if he is not part of that group.

VadlamaniJ
Tera Contributor

I want to write a write ACL on the sys_user_group table. I have stored the sys_ids of six assignment groups in the system property pipeline_restricted_groups. Now, in the ACL script, I want to write code that accesses the current session's logged-in user: its user ID and all of its assignment groups in the form of sys_ids. If the current logged-in user belongs to an assignment group that is stored in the system property, and if the current logged-in user has the pipeline_globalAdmin role, then the Edit button present in the related list of the pipeline assignment group should be displayed or enabled; otherwise it should be disabled. The Edit button should be disabled in the pipeline assignment groups for a user who is not part of the restricted groups. I have written code for it but it is not working. Can anyone please help with what corrections are required in the code?

I have written an ACL on sys_user_group, with the write operation and the Sys User Role as pipeline_globaladmin:

// Get the current user ID
var user = gs.getUser();
var userId = user.getID();

// Get all assignment groups (sys_ids) of the current user
var userGroups = [];
var grMembership = new GlideRecord('sys_user_grmember');
grMembership.addQuery('user', userId);
grMembership.query();
while (grMembership.next()) {
    userGroups.push(grMembership.getValue('group'));
}

// Fetch restricted groups from the system property (comma-separated sys_ids);
// trim each entry so a stray space after a comma does not break the match
var restrictedGroups = gs.getProperty('pipeline_restricted_groups', '');
var restrictedGroupList = [];
var parts = restrictedGroups.split(',');
for (var i = 0; i < parts.length; i++) {
    var id = parts[i].trim();
    if (id) restrictedGroupList.push(id);
}

// Check if the user is in any of the restricted groups.
// A plain loop with indexOf replaces Array.some/Array.includes and the arrow
// function: server-side scripts run in ES5 (Rhino) mode unless the application
// scope has ECMAScript 2021 enabled, and the original syntax does not parse there.
var isRestrictedUser = false;
for (var j = 0; j < userGroups.length; j++) {
    if (restrictedGroupList.indexOf(userGroups[j]) !== -1) {
        isRestrictedUser = true;
        break;
    }
}

// Check if the user has the pipeline_globalAdmin role
var isGlobalAdmin = user.hasRole('pipeline_globalAdmin');

// Return true if both conditions are met, otherwise false
answer = isRestrictedUser && isGlobalAdmin;



2 ACCEPTED SOLUTIONS

Hello @VadlamaniJ,

Thanks for the clarification. In this case please note that your Write ACL must be created for the Group Members [sys_user_grmember] table, not the Group [sys_user_group] table, because that's the table that is being updated in that Related List.

Please also note that there might be other Write ACLs for the Group Members present already, and if the current user matches any of them then they will also be allowed to edit the members. For example, there is an OOTB rule that allows users with user_admin role to edit the members of all groups.

Lastly, please note that there is an easier way to check if someone is a member of some group:

gs.getUser().isMemberOf('<sys_id of group>'); // returns true or false

Regards,

Robert

@VadlamaniJ 

So basically you will have to create a field-level WRITE ACL on the Group field of the Group Member table.

Advanced script like this:

var gr = new GlideRecord("sys_user_grmember");
// Look for a membership record of the current user in any of the restricted
// groups (the property holds comma-separated sys_ids, which IN accepts as-is)
gr.addQuery("user", gs.getUserID());
gr.addQuery("group", "IN", gs.getProperty('pipeline_restricted_groups'));
gr.setLimit(1);
gr.query();
if (gr.hasNext() && gs.hasRole('pipeline_globalAdmin')) {
    answer = true;
} else {
    answer = false;
}

Or, another way:

You can configure the List Control by right-clicking the related list and use this in the "Omit edit condition" script field:

Related list -> Configure -> List Control

This is just an example; you can do this for your related list. Ensure the field "Omit edit condition" is present on the form; if not, add it and then add your script.

var gr = new GlideRecord("sys_user_grmember");
// Membership of the current user in any of the groups listed in the property
gr.addQuery("user", gs.getUserID());
gr.addQuery("group", "IN", gs.getProperty('propertyName'));
gr.setLimit(1);
gr.query();
if (gr.hasNext() && gs.hasRole('pipeline_globalAdmin')) {
    answer = false; // don't omit
} else {
    answer = true; // omit the button
}

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
✨ Certified Technical Architect  ||  ✨ 9x ServiceNow MVP  ||  ✨ ServiceNow Community Leader
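As an added example (my own code, not from this thread or from ServiceNow), here is the decision logic behind Robert's and Ankur's answers as plain ES5 functions that run outside the instance: parsing the comma-separated property, the membership-plus-role check, and a small model of several write ACLs on sys_user_grmember where any passing ACL grants access. The function names and the `ctx` object are my assumptions; the ServiceNow glue (gs.getUser(), GlideRecord) is described in comments rather than called, and all sys_ids are constructed samples.

```javascript
// Pure-logic model of the two accepted answers (added example, not thread code).
// In ServiceNow the ACL script would fill `ctx` from gs.getUser().getID(),
// gs.getProperty('pipeline_restricted_groups') and sys_user_grmember, then set
// answer = canEditGroupMembers(ctx). Function names are assumptions of mine.

// Split the comma-separated property into sys_ids, trimming spaces and dropping
// empty entries (a bare split(',') on "a, b," would yield " b" and "").
function parseRestrictedGroups(propertyValue) {
  var out = [];
  var parts = String(propertyValue || '').split(',');
  for (var i = 0; i < parts.length; i++) {
    var id = parts[i].replace(/^\s+|\s+$/g, '');
    if (id) out.push(id);
  }
  return out;
}

// ctx = { userGroupIds: [...], roles: [...], restrictedGroupIds: [...] }.
// Grant only when the user is in at least one restricted group AND holds the
// role. Plain ES5 (no arrow functions, no Array.includes) so the same code
// also runs in a global-scope ServiceNow script.
function canEditGroupMembers(ctx) {
  var inRestricted = false;
  for (var i = 0; i < ctx.userGroupIds.length && !inRestricted; i++) {
    inRestricted = ctx.restrictedGroupIds.indexOf(ctx.userGroupIds[i]) !== -1;
  }
  return inRestricted && ctx.roles.indexOf('pipeline_globalAdmin') !== -1;
}

// Write access is granted as soon as ANY applicable write ACL passes, which is
// why an existing rule such as the OOTB user_admin one still lets a user edit
// members even when the custom ACL denies. Each ACL is { name, roles, script }:
// the user needs one of `roles` (empty = none required) and script(ctx) true.
function evaluateWriteAcls(acls, ctx) {
  for (var i = 0; i < acls.length; i++) {
    var acl = acls[i];
    var roleOk = acl.roles.length === 0;
    for (var r = 0; r < acl.roles.length && !roleOk; r++) {
      roleOk = ctx.roles.indexOf(acl.roles[r]) !== -1;
    }
    if (roleOk && (!acl.script || acl.script(ctx))) return acl.name;
  }
  return null; // no write ACL granted access
}

// The two write ACLs discussed in the thread for sys_user_grmember:
var GRMEMBER_WRITE_ACLS = [
  { name: 'custom pipeline', roles: ['pipeline_globalAdmin'], script: canEditGroupMembers },
  { name: 'ootb user_admin', roles: ['user_admin'], script: null }
];
```

Before relying on the custom ACL, list the existing write ACLs on sys_user_grmember and decide whether each of them (user_admin in particular) should still grant access.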

Robert H
Mega Sage

Hello @VadlamaniJ,

It's not exactly clear what you want to restrict here. Do you want to restrict who can update the Group records themselves, or do you want to restrict who can update one of the related lists on the Group form (e.g. group members, group roles)? In the latter case, which related list?

Also, can you not simply assign the "pipeline_globalAdmin" role to the six authorized groups, or at least to some members of those groups? That would make the ACL much simpler.

Regards,

Robert

VadlamaniJ
Tera Contributor

Hi @Robert H,

In the above requirement I have a few assignment groups which I have stored in a system property; those are pipeline groups, and one of the groups has the 'pipeline_globalAdmin' role. I want that, if a logged-in user who is not part of the pipeline assignment groups opens any of the pipeline groups, the 'Group members' related list should not have the Edit button enabled.

Thank you so much @Robert H, I will surely check on this.