
ACL blocked by before query Business Rule

sparkles
Tera Contributor

Hello,

 

I created a read ACL for the stakeholder role to be able to see requested items and catalog tasks for a specific category. I used the Access Analyzer to see why the stakeholder can't see the records and got 2 Business Rules causing the issue on requested item and another one on sc_task. Please see below the BRs causing the issues:

 

BR #1 on sc_req_item table (before query)

// If the user does not have itil or any of the sn_request roles, restrict the query
if (!gs.hasRole('itil') && !gs.hasRole('sn_request_read') && !gs.hasRole('sn_request_write') && gs.getSession().isInteractive()) {
    // Get the user's sys_id and the comma-separated list of their group sys_ids
    var u = gs.getUserID();
    var g = getMyGroups();
    // Allow the user to see records based on the query below.
    // Visible if the user is: in the assignment group, the requested for, the opener,
    // in the watch list, or the requested for of the parent request.
    // Each addOrCondition() is ORed into this one condition; the condition as a whole
    // is ANDed with every other restriction on the record (other query BRs, the ACL).
    // getMyGroups() returns a comma-separated string, so match it with the IN operator.
    var q = current.addQuery('assignment_group', 'IN', g)
        .addOrCondition('requested_for', u)
        .addOrCondition('watch_list', 'CONTAINS', u)
        .addOrCondition('opened_by', u)
        .addOrCondition('request.requested_for', u);
}
 
BR #2 on sys_user_group table (before query)

// Users without admin or user_admin only see active groups
if (!(gs.hasRole('admin') || gs.hasRole('user_admin')) && gs.getSession().isInteractive()) {
    current.addQuery('active', 'true');
}
 
 
BR #3 on sc_task (before query)

// If the user does not have itil or any of the sn_request roles, restrict the query
if (!gs.hasRole('itil') && !gs.hasRole('sn_request_read') && !gs.hasRole('sn_request_write') && gs.getSession().isInteractive()) {
    // Only show tasks whose RITM is assigned to their groups, requested for them,
    // has them on the watch list, or was created by them.
    var u = gs.getUserID();   // sys_id of the current user
    var g = getMyGroups();    // comma-separated list of the current user's group sys_ids
    // sys_created_by is a string field holding the user_name, not a sys_id,
    // so it has to be compared with gs.getUserName() rather than with u.
    var q = current.addQuery('request_item.assignment_group', 'IN', g)
        .addOrCondition('request_item.requested_for', u)
        .addOrCondition('request_item.watch_list', 'CONTAINS', u)
        .addOrCondition('request_item.sys_created_by', gs.getUserName());
}
 
My ACL on both the RITM table and the task table is:
for users with the role cat_Aud_external_change_fulfiller, with the condition (cat_item.category=external change)
 
I would really appreciate the help; I have to get it done soon.
 
Thanks,
S
1 REPLY

priyatam_pvp
Tera Guru

If modifying BRs isn’t an option, consider adding a new BR to override the restrictions for your specific role:

if (gs.hasRole('cat_Aud_external_change_fulfiller')) {
    // Remove restrictions imposed by other BRs
    current.addQuery('cat_item.category', 'external change');
}
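Both the question's BRs and the reply's suggestion come down to how before-query Business Rules stack: every current.addQuery() adds a top-level condition and all top-level conditions are ANDed, while addOrCondition() only ORs another clause into the one condition it was called on. The following is an added example, not code from the post and not ServiceNow's own API: a small in-memory model of that composition, run over constructed RITM records, a constructed stakeholder session, and a placeholder category sys_id (EXTERNAL_CHANGE). It shows what a user with the cat_Aud_external_change_fulfiller role would see under BR #1 alone, under BR #1 plus the suggested extra BR, and under BR #1 edited so the category exemption is ORed into BR #1's own condition.

```javascript
// Added example (not from the original post): in-memory model of how
// before-query Business Rules compose. The session, group, category and
// record values are constructed sample data.
var EXTERNAL_CHANGE = 'cat_external_change'; // placeholder for the sc_category sys_id

function normalize(field, op, value) {
  if (value === undefined) { value = op; op = '='; } // addQuery(field, value) means equality
  return { field: field, op: op, value: value };
}

// Dot-walked lookup such as 'request.requested_for' on a plain record object
function get(rec, path) {
  return path.split('.').reduce(function (o, k) { return o == null ? undefined : o[k]; }, rec);
}

function evalClause(c, rec) {
  var v = get(rec, c.field);
  switch (c.op) {
    case '=': return v === c.value;
    case 'IN': return c.value.split(',').indexOf(v) !== -1;                               // comma-separated sys_ids
    case 'CONTAINS': return typeof v === 'string' && v.split(',').indexOf(c.value) !== -1; // glide_list field
    default: throw new Error('unsupported operator ' + c.op);
  }
}

// One top-level condition: its clauses are ORed together
function QueryCondition(clause) { this.clauses = [clause]; }
QueryCondition.prototype.addOrCondition = function (field, op, value) {
  this.clauses.push(normalize(field, op, value));
  return this;
};
QueryCondition.prototype.matches = function (rec) {
  return this.clauses.some(function (c) { return evalClause(c, rec); });
};

// The record being queried: its top-level conditions are ANDed together
function FakeGlideRecord() { this.conditions = []; }
FakeGlideRecord.prototype.addQuery = function (field, op, value) {
  var cond = new QueryCondition(normalize(field, op, value));
  this.conditions.push(cond);
  return cond;
};
FakeGlideRecord.prototype.matches = function (rec) {
  return this.conditions.every(function (c) { return c.matches(rec); });
};

// Stand-in for gs.getUserID(), gs.hasRole() and getMyGroups()
function makeSession(userId, roles, groups) {
  return { userId: userId, groups: groups, hasRole: function (r) { return roles.indexOf(r) !== -1; } };
}

function needsRestriction(s) {
  return !s.hasRole('itil') && !s.hasRole('sn_request_read') && !s.hasRole('sn_request_write');
}

// BR #1 from the question (the isInteractive() check is omitted; the model has no session kinds)
function ritmQueryRule(gr, s) {
  if (!needsRestriction(s)) return null;
  return gr.addQuery('assignment_group', 'IN', s.groups.join(','))
    .addOrCondition('requested_for', s.userId)
    .addOrCondition('watch_list', 'CONTAINS', s.userId)
    .addOrCondition('opened_by', s.userId)
    .addOrCondition('request.requested_for', s.userId);
}

// The reply's extra BR: a second top-level condition, so it is ANDed with BR #1's
function proposedOverrideRule(gr, s) {
  if (s.hasRole('cat_Aud_external_change_fulfiller')) gr.addQuery('cat_item.category', EXTERNAL_CHANGE);
}

// BR #1 edited so the exemption is ORed into BR #1's own condition
function ritmQueryRuleWithExemption(gr, s) {
  var q = ritmQueryRule(gr, s);
  if (q && s.hasRole('cat_Aud_external_change_fulfiller')) q.addOrCondition('cat_item.category', EXTERNAL_CHANGE);
}

// Apply a set of query rules and return the numbers of the records that survive
function visibleRitms(rules, session, records) {
  var gr = new FakeGlideRecord();
  rules.forEach(function (rule) { rule(gr, session); });
  return records.filter(function (r) { return gr.matches(r); }).map(function (r) { return r.number; });
}

// Constructed sample data: an external-change RITM owned by someone else, a hardware
// RITM requested for the stakeholder, and an external-change RITM in their group
var SAMPLE_RITMS = [
  { number: 'RITM0001', assignment_group: 'g_other', requested_for: 'u_other', opened_by: 'u_other',
    watch_list: '', request: { requested_for: 'u_other' }, cat_item: { category: EXTERNAL_CHANGE } },
  { number: 'RITM0002', assignment_group: 'g_other', requested_for: 'u_stake', opened_by: 'u_other',
    watch_list: '', request: { requested_for: 'u_stake' }, cat_item: { category: 'cat_hardware' } },
  { number: 'RITM0003', assignment_group: 'g_stake', requested_for: 'u_other', opened_by: 'u_other',
    watch_list: 'u_x,u_stake', request: { requested_for: 'u_other' }, cat_item: { category: EXTERNAL_CHANGE } }
];
var stakeholder = makeSession('u_stake', ['cat_Aud_external_change_fulfiller'], ['g_stake']);

console.log(visibleRitms([ritmQueryRule], stakeholder, SAMPLE_RITMS));                       // [ 'RITM0002', 'RITM0003' ]
console.log(visibleRitms([ritmQueryRule, proposedOverrideRule], stakeholder, SAMPLE_RITMS)); // [ 'RITM0003' ]
console.log(visibleRitms([ritmQueryRuleWithExemption], stakeholder, SAMPLE_RITMS));          // [ 'RITM0001', 'RITM0002', 'RITM0003' ]
```

The second run is the point: adding a separate BR with its own addQuery() narrows the result to the intersection of both conditions, so the stakeholder loses RITM0002 and never gains RITM0001. Only the third shape, where the exemption is ORed into the same condition that BR #1 builds, widens what the query returns. The model covers query composition only; ServiceNow then evaluates the read ACL per returned record, so the ACL's own cat_item.category condition still applies after the query.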