ACL for Problem Record to Block certain country users

Sruthi_2511
Tera Contributor

Here is the requirement:

1. Here is the code snippet ACL I have created for change_request table

var loggedInUser = gs.getUser().getCountry();
var callerCountry = current.requested_by.country;
var locationCountry = current.cmdb_ci.location.country;

if (loggedInUser == 'BBB' || loggedInUser == 'CCC') {
    if (callerCountry == 'AAA' && locationCountry == 'AAA') {
        answer = false;
    } else {
        answer = true;
    }
} else {
    answer = true;
}

2. I need to build the same ACL for "Problem" but the requirement states:

For Problem records, the restriction is based on two checks:
(i) If the "first_reported_by_task" field is populated and refers to an Incident record, check the caller_id.country of that Incident.
(ii) If the "first_reported_by_task" is not populated, check the opened_by.country on the Problem record.
If either country value is "AAA", users from countries "BBB" or "CCC" should not be able to view the record.

I tried using the same logic as change by dot-walking, but still access is granted. Please help me with this!

 

1 ACCEPTED SOLUTION

Nishant8
Giga Sage

Hello, could you please try below and share the outcome?

// Get the logged-in user's country
var loggedInUserCountry = gs.getUser().getCountry() + '';
// List of restricted countries
var restrictedCountries = ['BBB', 'CCC'];
// Default allow
answer = true;
// Only apply restriction if user is from restrictedCountries
if (restrictedCountries.indexOf(loggedInUserCountry) > -1) {
    var blockAccess = false;
    var frbt = current.first_reported_by_task;
    if (frbt && frbt.sys_class_name == 'incident' && frbt.caller_id.country.toString() == 'AAA') 
        blockAccess = true;
    // No first_reported_by_task → check opened_by country
    else if (current.opened_by.country.toString() == 'AAA') 
        blockAccess = true;
    if (blockAccess)
        answer = false;
}

 

Regards,

Nishant

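The decision table implied by the script above, as an added example that is not part of the original post and is not ServiceNow code: plain JavaScript objects stand in for the Problem, Incident and user records, and `walk`, `canReadProblem`, the country `DDD` and the sample cases are constructed for illustration. It makes visible that the `opened_by.country` check also runs when `first_reported_by_task` is populated but did not block.

```javascript
// Added example: a plain-JavaScript model of the ACL decision, not ServiceNow API.
// Plain objects stand in for the Problem, Incident and user records.
const RESTRICTED_USER_COUNTRIES = ['BBB', 'CCC'];
const PROTECTED_COUNTRY = 'AAA';

// Stand-in for dot-walking: returns '' when any hop is empty (hypothetical helper).
function walk(record, path) {
  let node = record;
  for (const key of path.split('.')) {
    if (node === null || node === undefined) return '';
    node = node[key];
  }
  return node === null || node === undefined ? '' : String(node);
}

// Same branch order as the script: default allow, restrict only BBB/CCC users.
function canReadProblem(userCountry, problem) {
  if (!RESTRICTED_USER_COUNTRIES.includes(String(userCountry))) return true;
  const frbt = problem.first_reported_by_task;
  if (frbt && frbt.sys_class_name === 'incident' &&
      walk(frbt, 'caller_id.country') === PROTECTED_COUNTRY) return false;
  // Reached when the field is empty and also when it is populated but did not block.
  if (walk(problem, 'opened_by.country') === PROTECTED_COUNTRY) return false;
  return true;
}

// Constructed sample records (country 'DDD' is a made-up unrestricted value).
const incident = (country) => ({ sys_class_name: 'incident', caller_id: { country } });
const CASES = [
  { name: 'incident caller AAA', user: 'BBB', expected: false,
    problem: { first_reported_by_task: incident('AAA'), opened_by: { country: 'DDD' } } },
  { name: 'incident caller DDD, opener AAA', user: 'CCC', expected: false,
    problem: { first_reported_by_task: incident('DDD'), opened_by: { country: 'AAA' } } },
  { name: 'no task, opener AAA', user: 'BBB', expected: false,
    problem: { first_reported_by_task: null, opened_by: { country: 'AAA' } } },
  { name: 'no task, opener DDD', user: 'BBB', expected: true,
    problem: { first_reported_by_task: null, opened_by: { country: 'DDD' } } },
  { name: 'non-incident task, no opener', user: 'BBB', expected: true,
    problem: { first_reported_by_task: { sys_class_name: 'change_request' }, opened_by: null } },
  { name: 'unrestricted user', user: 'DDD', expected: true,
    problem: { first_reported_by_task: incident('AAA'), opened_by: { country: 'AAA' } } },
];

// Returns the names of cases whose outcome differs from the expected one.
function failingCases() {
  return CASES.filter((c) => canReadProblem(c.user, c.problem) !== c.expected)
              .map((c) => c.name);
}

console.log(failingCases().length === 0 ? 'all cases match' : failingCases());
```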

9 REPLIES

Okay, then try the below code snippet.

 

(function() {
    answer = true;
    var countryUsr = "";
    var loggedInUser = gs.getUser().getCountry();
    if (!gs.nil(current.first_reported_by_task)) {
        if (current.related_incidents > 0) {
            // Look up an incident linked to this problem (incident.problem_id references problem)
            var gr = new GlideRecord('incident');
            gr.addQuery('problem_id', current.sys_id);
            gr.query(); // the query must run before next() can return a row
            if (gr.next()) {
                gr.caller_id; //now you got the caller ID
                var g = new GlideRecord('cmn_location');
                if (g.get(gr.location))
                    countryUsr = g.country;
            }
        } else
            countryUsr = current.opened_by.country; //This is for if "first_reported_by_task" field is populated but no incident record then use the opened by
    } else {
        countryUsr = current.opened_by.country;
    }
    //We now have the country code, just check the conditions
    if (countryUsr == "AAA") {
        if (loggedInUser == "BBB" || loggedInUser == "CCC")
            answer = false;
    }
})();

 

Just cross check the variable names and comparison with the literal values.

 

Thanks,
Bhimashankar H

 



Hi @Nishant8, thank you so much! It helped.

But I'm unable to open the Incident record in the "first reported by" field.

I have checked the Incident record. "User belong to Brazil location only" so BBB should be able to view the Incident, right?

Can you please let me know what is the cause of this? I have attached the screenshot.

I have written a Before "query" Business Rule:

Please let me know whether I should make any changes.

 

(function executeRule(current, previous /*null when async*/ ) {

    var loggedInUser = gs.getUser().getCountry();

    if (loggedInUser == 'BBB' || loggedInUser == 'CCC') {
        current.addEncodedQuery('opened_by.country!=AAA^ORfirst_reported_by_task.ref_incident.caller_id.country!=AAA');
    }

})(current, previous);

Hello @Sruthi_2511, glad that the previous solution helped you.

We configured the previous ACL on problem, which shouldn't cause any problem for Incident records... Do you receive any error while opening the Incident, or is any security preventing you from seeing that INC record (you missed attaching the screenshot)? Could you please try the below once:

- Try to open the same INC record directly and verify whether you can open it successfully

- If there is no error and any ACL is preventing you from opening it, please review the existing ACL

 

Also, which table is this before query BR configured to run on? I'm not sure what you are trying to achieve with the shared BR, but your encodedQuery doesn't seem to be used correctly. If you share the exact requirement, I can probably help you write the same.

 

Regards,

Nishant

 

Its_Azar
Tera Guru

Hi there @Sruthi_2511 

 

You can’t always dot-walk directly to caller_id.country; you first need to confirm the referenced record type. A practical approach is to check if first_reported_by_task exists, get its referenced record, confirm it’s an Incident, and then pull the caller’s country. If that field isn’t populated, fall back to opened_by.country on the Problem itself. Once you have the target country, simply block access for users from “BBB” or “CCC” if the country matches “AAA”.

 

If this helps kindly accept the solution thanks.





Kind Regards,

Mohamed Azarudeen Z

Developer @ KPMG

 Microsoft MVP (AI Services), India