Hi @Abigail ,

"I tested this with a user who only has the itil role, and when I impersonate that user, the records are still visible. I need it so that only users with the x_role or the admin role can see those records."

isn't that what you have wanted?

Please mark my answer as helpful/correct if it resolves your query.

Regards,
Chaitanya

Hi @Chaitanya ILCR 

What I need is the following behavior:

• When impersonating a user with the itil role, they should be able to see all change request records except those with the x_type.
• Only users with the x_role should be able to see change requests of type x_type.

However, what’s currently happening is that when I impersonate a user with the itil role, no records are showing at all.

Hi @Abigail ,

try removing the value in the applies to and add the same in the condition field

or use the script by removing the value in condition and applies to fields (keeping Decision type as Deny Unless)

answer = (current.type == 'x_type') && gs.hasRole('x_role');

Please mark my answer as helpful/correct if it resolves your query.

Regards,
Chaitanya

@Abigail in that case I have been understanding it from the other way around:

if (current.type == 'x_type') && gs.hasExactlyRole('itil') {
answer = false; 
} else {
answer = true;
}

Ensure the condition is right current.type == 'x_type' //ensure the field type etc...

Or change the ACL rule with Deny unless 

EDIT: debugging tip, first set one condition only - gs.hasExactlyRole('itil') works or not and then add the other, to go step by step.

PS: it is difference between gs.hasExactlyRole('itil') and gs.hasRole('itil').

If I am an admin:

• gs.hasRole('itil').
  • true
• gs.hasExactlyRole('itil')
  • false