Restrict the logged-in user from editing the Assignment Group if he is not part of that group.

VadlamaniJ
Tera Contributor

I want to write a write ACL on the sys_user_group table. I have stored the sys_ids of six assignment groups in the system property pipeline_restricted_groups. In the ACL script I want to access the current session of the logged-in user: its user ID and all of its assignment groups in the form of sys_ids. If the current logged-in user belongs to an assignment group stored in the system property and also has the pipeline_globalAdmin role, then the Edit button present in the related list of the pipeline assignment group should be displayed or enabled; otherwise it should be disabled. The Edit button should be disabled in the pipeline assignment groups for a user who is not part of the restricted groups. I have written code for it but it is not working. Can anyone please help with what corrections are required in the code?

I have written an ACL on sys_user_group with the write operation and the role pipeline_globaladmin:

// Get the current user ID
var user = gs.getUser();
var userId = user.getID();

// Get all groups the current user is a member of (as sys_ids)
var userGroups = [];
var grMembership = new GlideRecord('sys_user_grmember');
grMembership.addQuery('user', userId);
grMembership.query();
while (grMembership.next()) {
    userGroups.push(grMembership.getValue('group'));
}

// Fetch the restricted groups from the system property (comma-separated sys_ids),
// trimming whitespace and skipping empty entries
var restrictedGroups = gs.getProperty('pipeline_restricted_groups', '');
var restrictedGroupList = [];
var parts = restrictedGroups.split(',');
for (var i = 0; i < parts.length; i++) {
    if (parts[i].trim()) {
        restrictedGroupList.push(parts[i].trim());
    }
}

// Check if the user is in any of the restricted groups.
// Global-scope server scripts run on ES5 (Rhino): arrow functions and
// Array.prototype.includes are not available, so use a loop and indexOf.
var isRestrictedUser = false;
for (var j = 0; j < userGroups.length; j++) {
    if (restrictedGroupList.indexOf(userGroups[j]) !== -1) {
        isRestrictedUser = true;
        break;
    }
}

// Check if the user has the pipeline_globalAdmin role
var isGlobalAdmin = user.hasRole('pipeline_globalAdmin');

// Allow only if both conditions are met
answer = isRestrictedUser && isGlobalAdmin;



2 ACCEPTED SOLUTIONS

Hello @VadlamaniJ,

Thanks for the clarification. In this case, please note that your Write ACL must be created for the Group Members [sys_user_grmember] table, not the Group [sys_user_group] table, because that is the table being updated in that related list.

Please also note that there might be other Write ACLs for Group Members present already, and if the current user matches any of them, they will also be allowed to edit the members. For example, there is an OOTB rule that allows users with the user_admin role to edit the members of all groups.

Lastly, please note that there is an easier way to check whether someone is a member of a group:

gs.getUser().isMemberOf(<sys_id of group>); // returns true or false

Regards,

Robert

@VadlamaniJ 

So basically you will have to create a field-level WRITE ACL on the Group field of the Group Member table.

Advanced script like this:

// Look for a membership record of the CURRENT user in one of the restricted groups
var gr = new GlideRecord("sys_user_grmember");
gr.addQuery("user", gs.getUserID()); // without this the query matches any member of those groups
gr.addQuery("group", "IN", gs.getProperty('pipeline_restricted_groups'));
gr.setLimit(1);
gr.query();
// Allow only when the user is in a restricted group AND holds the role
answer = gr.hasNext() && gs.hasRole('pipeline_globalAdmin');

OR another way:

You can configure the List Control by right-clicking the related list and use this in the "Omit edit condition" script field:

related list -> Configure -> List Control

This is just an example; you can do this for your related list. Ensure the field "Omit edit condition" is present on the form; if not, add it and then add your script.

// Look for a membership record of the CURRENT user in one of the restricted groups
var gr = new GlideRecord("sys_user_grmember");
gr.addQuery("user", gs.getUserID());
gr.addQuery("group", "IN", gs.getProperty('propertyName')); // your property, e.g. pipeline_restricted_groups
gr.setLimit(1);
gr.query();
// answer = true omits the Edit button; answer = false keeps it
answer = !(gr.hasNext() && gs.hasRole('pipeline_globalAdmin'));

If my response helped, please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

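Added example for this thread (not code from Robert, Ankur or the original poster): the rule both answers implement, written as plain ES5 functions so it runs unchanged in Node and in a ServiceNow global-scope script, together with Robert's caveat modelled explicitly: write ACLs on the same table are ORed, so a new restrictive rule cannot take away what the OOTB user_admin rule already grants. The function names (parseGroupList, canEditRestrictedGroupMembers, modelWriteAccess, serviceNowAclAnswer), the grp-* ids and the sample users are assumptions made for the illustration; gs.getUser(), isMemberOf() and hasRole() are the real platform APIs.

```javascript
// Added example for this thread, not code from the original posts.
// Written in ES5 so it runs unchanged in Node and in a ServiceNow global-scope
// script (Rhino). Function names and the grp-* ids are assumptions for the
// illustration; gs.getUser(), isMemberOf() and hasRole() are real platform APIs.

// Parse the comma-separated property into a clean list of sys_ids:
// trims whitespace, drops empty entries, lower-cases for a case-insensitive match.
function parseGroupList(propertyValue) {
  var parts = String(propertyValue || '').split(',');
  var ids = [];
  for (var i = 0; i < parts.length; i++) {
    var id = parts[i].trim().toLowerCase();
    if (id.length > 0) {
      ids.push(id);
    }
  }
  return ids;
}

// The rule both answers implement: allow only when the user is a member of at
// least one restricted group AND holds the admin role. Plain arrays as input so
// the rule can be unit-tested away from an instance.
function canEditRestrictedGroupMembers(userGroupIds, userRoles, restrictedProperty, adminRole) {
  var restricted = parseGroupList(restrictedProperty);
  var inRestrictedGroup = false;
  for (var i = 0; i < userGroupIds.length; i++) {
    if (restricted.indexOf(String(userGroupIds[i]).toLowerCase()) !== -1) {
      inRestrictedGroup = true;
      break;
    }
  }
  return inRestrictedGroup && userRoles.indexOf(adminRole) !== -1;
}

// Robert's caveat, modelled: write access is granted when ANY applicable write
// ACL passes, so a new restrictive rule cannot revoke what an existing rule
// (the OOTB user_admin rule, for example) already grants.
function modelWriteAccess(acls, ctx) {
  for (var i = 0; i < acls.length; i++) {
    if (acls[i](ctx)) {
      return true;
    }
  }
  return false;
}

// Constructed sample data: a deliberately messy property value and four users.
var RESTRICTED_GROUPS_PROPERTY = ' grp-a,grp-b, ,GRP-C,';
var ADMIN_ROLE = 'pipeline_globalAdmin';

var WRITE_ACLS = [
  // stands in for the OOTB rule that lets user_admin edit any group's members
  function (ctx) { return ctx.roles.indexOf('user_admin') !== -1; },
  // the new rule from the thread
  function (ctx) {
    return canEditRestrictedGroupMembers(ctx.groups, ctx.roles, RESTRICTED_GROUPS_PROPERTY, ADMIN_ROLE);
  }
];

var SAMPLE_USERS = {
  adminInRestrictedGroup: { groups: ['grp-c', 'grp-z'], roles: [ADMIN_ROLE, 'itil'] },
  adminOutsideGroups:     { groups: ['grp-z'],          roles: [ADMIN_ROLE] },
  memberWithoutRole:      { groups: ['grp-a'],          roles: ['itil'] },
  userAdminOutsideGroups: { groups: ['grp-z'],          roles: ['user_admin'] }
};

// Returns { userName: allowed } for every sample user.
function evaluateSamples() {
  var results = {};
  for (var name in SAMPLE_USERS) {
    if (SAMPLE_USERS.hasOwnProperty(name)) {
      results[name] = modelWriteAccess(WRITE_ACLS, SAMPLE_USERS[name]);
    }
  }
  return results;
}

// Same rule for use inside a ServiceNow ACL script; uses isMemberOf() as Robert
// suggests instead of querying sys_user_grmember. Only meaningful on the platform
// (gs is undefined in Node), so it is defined here but only called there.
function serviceNowAclAnswer() {
  var user = gs.getUser();
  var restricted = parseGroupList(gs.getProperty('pipeline_restricted_groups', ''));
  var inRestrictedGroup = false;
  for (var i = 0; i < restricted.length; i++) {
    if (user.isMemberOf(restricted[i])) {
      inRestrictedGroup = true;
      break;
    }
  }
  return inRestrictedGroup && user.hasRole(ADMIN_ROLE);
}

if (typeof gs !== 'undefined') {
  answer = serviceNowAclAnswer(); // in an ACL script, 'answer' decides the outcome
}
```

The sample run shows the point of Robert's remark: userAdminOutsideGroups is allowed even though it fails the new rule, because the OOTB-style rule passes first. If the requirement is that nobody outside the restricted groups can edit, the existing Write ACLs on sys_user_grmember have to be reviewed as well, not just the new one added.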

7 REPLIES


Thank you so much @Ankur Bawiskar, I have tried implementing this and it worked for me.

VadlamaniJ
Tera Contributor

Hi @Robert H,
Good day!
I have stored 7 assignment groups in a system property, and one of those assignment groups has the 'pipeline_globalAdmin' role. Now, whenever a user who is not part of those 7 assignment groups tries to open any of the assignment group records, the Edit button present in the 'Group Members' related list should not be visible to the user, so that he cannot edit the list of group members.
I have stored 7 assignment group in a system property and one assignment group out of those has 'pipeline_globalAdmin' role , now here i want that whenever user who he is not part of those 7 assignment group tries to open any of the assignment group record then edit button which is present in related list  'group memeber' should not be visible to the user so that he cannot edit the listof group memebers.SNOW SS.jpg