
ACL for Problem Record to Block certain country users

Sruthi_2511
Tera Contributor

Here is the requirement:

1. Here is the code snippet ACL I have created for the change_request table:

// Country of the logged-in user
var loggedInUser = gs.getUser().getCountry();
var callerCountry = current.requested_by.country;
var locationCountry = current.cmdb_ci.location.country;

if (loggedInUser == 'BBB' || loggedInUser == 'CCC') {
    // Restricted viewers are denied only when both caller and CI location are in AAA
    if (callerCountry == 'AAA' && locationCountry == 'AAA') {
        answer = false;
    } else {
        answer = true;
    }
} else {
    answer = true;
}

2. I need to build the same ACL for "Problem" but the requirement states:

For Problem records, the restriction is based on two checks:
(i) If the "first_reported_by_task" field is populated and refers to an Incident record, check the caller_id.country of that Incident.
(ii) If the "first_reported_by_task" is not populated, check the opened_by.country on the Problem record.
If either country value is "AAA", users from countries "BBB" or "CCC" should not be able to view the record.

 

I tried using the same logic as change by dot-walking, but still access is granted. Please help me with this!

 

1 ACCEPTED SOLUTION

Nishant8
Giga Sage

Hello, could you please try below and share the outcome?

// Get the logged-in user's country
var loggedInUserCountry = gs.getUser().getCountry() + '';
// List of restricted countries
var restrictedCountries = ['BBB', 'CCC'];
// Default allow
answer = true;
// Only apply restriction if user is from restrictedCountries
if (restrictedCountries.indexOf(loggedInUserCountry) > -1) {
    var blockAccess = false;
    var frbt = current.first_reported_by_task;
    if (frbt && frbt.sys_class_name == 'incident' && frbt.caller_id.country.toString() == 'AAA') 
        blockAccess = true;
    // No first_reported_by_task → check opened_by country
    else if (current.opened_by.country.toString() == 'AAA') 
        blockAccess = true;
    if (blockAccess)
        answer = false;
}

 

Regards,

Nishant
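
The decision logic of the accepted script, modelled as a plain JavaScript function so it can be run against a case matrix outside the platform. This is an added example, not code from any poster in this thread; the mock record shape (`caller_country`, `opened_by_country`) and all function names are hypothetical, and the `String` object is only a stand-in for a non-primitive string value such as a platform API might return.

```javascript
// Added example: plain-JavaScript model of the ACL decision (not ServiceNow API).
const RESTRICTED_VIEWERS = ['BBB', 'CCC'];
const PROTECTED_COUNTRY = 'AAA';

// Coerce to a primitive string, the role `+ ''` plays in the accepted script.
function asText(value) {
    return value === null || value === undefined ? '' : String(value);
}

// True when the viewer may read the (mock) problem record.
function canReadProblem(viewerCountry, problem) {
    if (RESTRICTED_VIEWERS.indexOf(asText(viewerCountry)) === -1) {
        return true; // unrestricted viewer, or viewer with no country set
    }
    const task = problem.first_reported_by_task;
    if (task && asText(task.sys_class_name) === 'incident' &&
        asText(task.caller_country) === PROTECTED_COUNTRY) {
        return false;
    }
    // Falls through to opened_by, like the else-if in the accepted script.
    return asText(problem.opened_by_country) !== PROTECTED_COUNTRY;
}

// Membership test without coercion: indexOf compares with ===, so a
// non-primitive string never matches and the restriction is skipped.
function isRestrictedUncoerced(viewerCountry) {
    return RESTRICTED_VIEWERS.indexOf(viewerCountry) > -1;
}

const inc = (country) => ({ sys_class_name: 'incident', caller_country: country });
// Constructed cases: [label, viewer country, mock problem, expected canRead]
const CASES = [
    ['caller in AAA', 'CCC', { first_reported_by_task: inc('AAA'), opened_by_country: 'DDD' }, false],
    ['no task, opener in AAA', 'BBB', { first_reported_by_task: null, opened_by_country: 'AAA' }, false],
    ['no task, opener elsewhere', 'CCC', { first_reported_by_task: null, opened_by_country: 'DDD' }, true],
    ['unrestricted viewer', 'DDD', { first_reported_by_task: inc('AAA'), opened_by_country: 'AAA' }, true],
    ['caller elsewhere, opener in AAA', 'CCC', { first_reported_by_task: inc('DDD'), opened_by_country: 'AAA' }, false],
    ['non-primitive viewer country', new String('CCC'), { first_reported_by_task: null, opened_by_country: 'AAA' }, false],
    ['viewer country empty', '', { first_reported_by_task: null, opened_by_country: 'AAA' }, true],
];

function runCases() {
    return CASES.map(([label, viewer, problem, expected]) => {
        const actual = canReadProblem(viewer, problem);
        return { label, expected, actual, pass: actual === expected };
    });
}

console.table(runCases());
```

The last case makes the default-allow path visible: a viewer with no country value is treated as unrestricted, so whether that should fail open or closed is a decision to make explicitly.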


9 REPLIES

GlideFather
Tera Patron

Hi,

Some ideas - are the location and country populated for test users? There should be a fallback in the ACL for a scenario when the user doesn't have that value populated...

 

And for the field Country, the field is country_code - is the value evaluated properly?

 

loggedInUser == 'BBB' || loggedInUser == 'CCC'

versus

loggedInUser == 'sys_id_of_BBB' || loggedInUser == 'sys_id_of_CCC'

 

_____
This reply is 100 % GlideFather and 0 % AI

Hey @GlideFather, thank you for the reply!

Yes, I do have the location and country values populated. It's working for change_request. I need this for the Problem table. Here is the code for Problem, FYI:

 

// Get the logged-in user's country
var loggedInUserCountry = gs.getUser().getCountry();

// List of restricted countries
var restrictedCountries = ['BBB', 'CCC'];

// Default allow
answer = true;

// Only apply restriction if user is from restrictedCountries
if (restrictedCountries.indexOf(loggedInUserCountry) > -1) {

    var blockAccess = false;
    var frbt = current.first_reported_by_task; // Reference field

    if (frbt) {
        // Check if it’s an Incident record
        if (frbt.getTableName() == 'incident') {
            var incidentGR = new GlideRecord('incident');
            if (incidentGR.get(frbt.toString())) {
                if (incidentGR.caller_id.country == 'AAA') {
                    blockAccess = true;
                }
            }
        }
    } else {
        // No first_reported_by_task → check opened_by country
        if (current.opened_by.country == 'AAA') {
            blockAccess = true;
        }
    }

    if (blockAccess) {
        answer = false;
    }
}

2. I need to build the same ACL for "Problem" but the requirement states:

For Problem records, the restriction is based on two checks:
(i) If the "first_reported_by_task" field is populated and refers to an Incident record, check the caller_id.country of that Incident.
(ii) If the "first_reported_by_task" is not populated, check the opened_by.country on the Problem record.
If either country value is "AAA", users from countries "BBB" or "CCC" should not be able to view the record.

 

This is the code I have used for my scenario; still the CCC users can view the AAA records! Please let me know what debugging/correction I should do in my code!

Bhimashankar H
Mega Sage

Hi

 

Your script condition will look like this....

 

(function() {

    answer = true;
    var countryUsr = "";
    if (!gs.nil(current.first_reported_by_task)) {
        if (current.related_incidents > 0) {
            var gr = new GlideRecord('incident');
            gr.addQuery('problem_id', current.sys_id); // incident field that references the problem
            gr.query(); // run the query before calling next()
            if (gr.next()) {
                gr.caller_id; // now you got the caller ID
                var g = new GlideRecord('cmn_location');
                if (g.get(gr.location))
                    countryUsr = g.country;
            }
        } else
            countryUsr = current.opened_by.country; // This is for if "first_reported_by_task" field is populated but no incident record then use the opened by

    } else {
        countryUsr = current.opened_by.country;
    }
    // We now have the country code, just check the conditions

    if (countryUsr == "AAA" || countryUsr == "BBB" || countryUsr == "CCC")
        answer = false;

})();

 

Thanks,
Bhimashankar H

 

-------------------------------------------------------------------------------------------------
If my response points you in the right directions, please consider marking it as 'Helpful' & 'Correct'. Thanks!

Hi @Bhimashankar H,

Thank you so much for your input!

The requirement is that "CCC" and "BBB" country users shouldn't be able to see the "AAA" country Problem records. "CCC" and "BBB" users are able to view all other problem records except "AAA", and that too based on the condition which I have mentioned below.

 

I tried using the above code in ACL, still "CCC" users can see records of "AAA" users. This is the requirement in detail:

 

2. I need to build the same ACL for "Problem" but the requirement states:

For Problem records, the restriction is based on two checks:
(i) If the "first_reported_by_task" field is populated and refers to an Incident record, check the caller_id.country of that Incident.
(ii) If the "first_reported_by_task" is not populated, check the opened_by.country on the Problem record.
If either country value is "AAA", users from countries "BBB" or "CCC" should not be able to view the record.

 

This is the code I have used for my scenario; still the CCC users can view the AAA records! Please let me know what debugging/correction I should do in my code!