
07-28-2025 10:09 AM
Hello Everyone,
I would like to restrict the visibility of the "State = In Progress" option to only ITIL users. I know this can be achieved using Query Business Rules, but I would prefer to implement it using Access Control Rules (ACLs).
Can anyone please guide me on how to achieve this using ACLs, with clear step-by-step instructions?
Thank you in advance for your help!
07-28-2025 10:38 AM
Hi @Community Alums,
You can create a Deny Unless read ACL as follows:
Please mark my answer as helpful/correct if it resolves your query.
Regards,
Chaitanya

07-29-2025 09:59 PM
Thank you, the solution is working fine, but the output is showing differently than I expected. Could you please explain why it is displaying this way?
Also, could you help me understand the difference between a Query Business Rule and a "Deny Unless ACL" in this scenario?
Thanks in advance!
07-29-2025 10:30 PM
Hi @Community Alums,
You don't want to see the message "Number of rows removed ...", is it?
Then you can go with the query BR, with this script:
    (function executeRule(current, previous /*null when async*/ ) {
        // Extend this array with the roles you want to exclude; for example, an incident_manager also contains the itil role.
        if (gs.hasRole('itil') && !gs.getUser().hasRole(['admin'])) {
            // Restrict the query to state 2 (In Progress) before any rows are fetched.
            current.addQuery('state', '2');
        }
    })(current, previous);
This will eliminate that message, as the server won't send the data where the state is not In Progress.
Query BR vs ACL
A query BR runs before the data is fetched from the server. You can put a filter when a certain condition is met (like in this case, only In Progress incidents should be shown when the user has the itil role). The user requests data from the server, the query BR runs and adds a filter of state = In Progress.
A Deny Unless ACL runs after the data is fetched and evaluates whether the user has access to the data. (A Deny Unless ACL doesn't give access to the data; it is just one more additional step: the user must meet the Deny Unless criteria first, and then any one of the Allow If ACLs should give access to the actual data.)
In this case the itil users already have read access to the incident records (through OOB Allow If ACLs). If we have to revoke that access from the users, we have to identify all the ACLs that give access to the user and update them.
With Deny Unless we can just check that with one ACL. The users have to meet all the Deny Unless ACLs first; if they fail at least one, access won't be provided to the specified data.
Please mark my answer as helpful/correct if it resolves your query.
Regards,
Chaitanya
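
The difference described in the reply above, as an added example that is not part of the original post: a plain-JavaScript model (runnable in Node.js, not ServiceNow code) of a filter applied before the fetch versus ACL evaluation on each fetched row. The records, users and function names are constructed for illustration.

```javascript
// Added illustration: a model of the two approaches, not platform code.
// Constructed sample data; state '2' = In Progress, as in the script above.
const incidents = [
  { number: 'INC001', state: '1' },
  { number: 'INC002', state: '2' },
  { number: 'INC003', state: '3' },
  { number: 'INC004', state: '2' },
  { number: 'INC005', state: '6' },
];

// Mirrors the role condition of the query BR above: itil but not admin.
const isRestricted = (user) =>
  user.roles.includes('itil') && !user.roles.includes('admin');

// Query BR model: the filter joins the query, so other rows are never fetched.
function listWithQueryRule(user, rows) {
  const fetched = isRestricted(user) ? rows.filter((r) => r.state === '2') : rows;
  return { visible: fetched.map((r) => r.number), rowsRemoved: 0 };
}

// ACL model: a row must pass ALL deny-unless rules, then at least ONE allow-if rule.
function canRead(user, row, acls) {
  const passesDenyUnless = acls.denyUnless.every((rule) => rule(user, row));
  return passesDenyUnless && acls.allowIf.some((rule) => rule(user, row));
}

function listWithAcls(user, rows, acls) {
  const visible = rows.filter((r) => canRead(user, r, acls));
  // Rows fetched but then hidden are what the list reports as removed.
  return { visible: visible.map((r) => r.number), rowsRemoved: rows.length - visible.length };
}

const acls = {
  // The single added rule: restricted users may read only In Progress rows.
  denyUnless: [(user, row) => !isRestricted(user) || row.state === '2'],
  // Stand-in for the existing out-of-box grant to itil users.
  allowIf: [(user) => user.roles.includes('itil')],
};

const itilUser = { name: 'constructed.itil.user', roles: ['itil'] };
const adminUser = { name: 'constructed.admin', roles: ['itil', 'admin'] };
const noRoleUser = { name: 'constructed.guest', roles: [] };

console.log('query BR:', listWithQueryRule(itilUser, incidents));
console.log('ACL     :', listWithAcls(itilUser, incidents, acls));
```

In this model the user with no roles passes the deny-unless rule yet still sees nothing, because no allow-if rule grants access.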