ACL on incident table

Chris200
Tera Expert

On the incident and other forms such as RITM/Catalog Task/Changes etc. I have the Department field.


I have a requirement that if the Department is set to certain values, say "ABC", then that record can only be read if the users have a specific role named "u_abc".


I created an ACL on the incident table that is set to 
Type: record
Operation: read
Decision Type: Allow If
Name is Incident[Incident] *
Under conditions I specify the role u_abc. 

Under Data Condition I say Department is ABC.

It shows the number of records matching the condition is 4. 
Then under the script condition I also have:

(function() {
    // Define the allowed department value
    var allowedDepartment = 'ABC';

    // Allow access if the user has the 'u_abc' role and the 'u_department' field matches the allowed value
    if (current.u_department == allowedDepartment && gs.hasRole('u_abc')) {
        return true;
    }
    // Deny access otherwise
    return false;
})();


My problem is that even if a user does not have the role they can still see and interact with the ticket. How can I lock it down?


1 ACCEPTED SOLUTION

Just to close the loop, I ended up with 9 ACLs + one BR to lock just the incident form enough for our needs.
3 for the main incident form. 
3 for the incident work notes.
3 for the incident task. 
And a BR to copy data from the main incident to the incident task when it was created. 

The three ACLs under each item were:
1 new ACL that set up the role and its permissions that we talked about above. This was generally the same across all three except the script needed to be modified slightly for the incident task. We needed to account for it being a level deeper in the structure. We also added logic, just to be safe, that checked the department value on both the incident task and the incident. This was overkill, I think.

For the Incident work notes we also updated the read ACLs for the sn_incident_write and sn_incident_read roles, putting an exception in the Data Condition for Department IS NOT xyz.

For the Incident task we also updated the read ACLs for the ITIL and sn_incident_read roles, putting an exception in the Data Condition for Department IS NOT xyz.

After putting those in place, everything worked as we wanted it to. I could set the department value on an incident to anything but the department I wanted to lock down and normal ITIL fulfillers could still handle the tickets. If the department was set to the one I wanted locked, then only those with the correct role could see the tickets.

After getting all that done, I was on a meeting with some SMEs from ServiceNow regarding ITOM and they brought up that domain separation may accomplish what we're looking to do much better. So we may be moving to that solution. Writing and maintaining so many ACLs for each and every form (Incident, Change, RITM, SCTASK, Agile, etc.) would be a nightmare.

Fun stuff.
Again, thanks for the feedback and input. You are all great.



9 REPLIES

J Siva
Tera Sage

Hi @Chris200 ,

I believe there could be other "read" ACLs which are allowing the users to read the record.

In this scenario, you can try "Deny-unless" ACL. So that it'll be prioritised over the "Allow if" ACLs.

Let me know if you need any help to configure "Deny Unless" ACL.

Thanks,

Siva

AshishKM
Kilo Patron

Hi @Chris200 ,

You have to apply this read ACL on incident's department field only.


Select the Department field for applying this ACL on field level for matching record.

AshishKM_0-1740618782438.png


-Thanks,
AshishKM


Please mark this response as correct and helpful if it helps; you can mark more than one reply as the accepted solution.

Ankur Bawiskar
Tera Patron

@Chris200 

Is that department field a string or a reference?

If it is a reference, then compare the sys_id.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader
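The following is an added example and not code from the original post, the accepted solution, or any of the replies. It pulls together three points made in this thread: the original script condition that checks u_department plus the u_abc role, Ankur's note that a reference field has to be compared by sys_id, and the accepted solution's incident task variant that looks one level up at the parent incident. It is written in the ES5 style ServiceNow's server-side engine expects, so it can be pasted into an ACL Script field with the `answer = ...` lines shown in the comments. The field name u_department, the value 'ABC', the role u_abc, the sys_id placeholder and the `fakeRecord` stand-in for a GlideRecord are all assumptions made here for the example. As J Siva points out above, an "Allow if" ACL that returns false does not by itself revoke access granted by another matching read ACL; this script only decides its own ACL's answer.

```javascript
// Added example for this thread (not code from the original posts).
// Hypothetical names: field u_department, locked value 'ABC', role u_abc.
// The sys_id below is a constructed placeholder for the cmn_department
// record named 'ABC', used when u_department is a reference field.
var LOCKED_DEPARTMENT_VALUE = 'ABC';
var LOCKED_DEPARTMENT_SYS_ID = '00000000000000000000000000000abc'; // placeholder, constructed
var REQUIRED_ROLE = 'u_abc';

// Read u_department from a GlideRecord-like object as a plain string.
// GlideRecord.getValue() returns the sys_id for a reference field, so the
// same comparison works whether the field is a string or a reference.
function departmentOf(record) {
  if (!record) {
    return '';
  }
  var raw = record.getValue('u_department');
  return (raw === null || raw === undefined) ? '' : String(raw);
}

// True when the value is the locked department, by display string or by sys_id.
function isLockedDepartment(value) {
  return value === LOCKED_DEPARTMENT_VALUE || value === LOCKED_DEPARTMENT_SYS_ID;
}

// Department for an incident task: check the task's own field and, one level
// up, the parent incident's field (incident_task.incident is a reference, and
// GlideElement.getRefRecord() loads the referenced record). If either is the
// locked department, the task is treated as locked.
function taskDepartment(taskRecord) {
  var own = departmentOf(taskRecord);
  if (isLockedDepartment(own)) {
    return own;
  }
  var parent = taskRecord.incident ? taskRecord.incident.getRefRecord() : null;
  var parentDept = departmentOf(parent);
  return isLockedDepartment(parentDept) ? parentDept : own;
}

// ACL decision. Non-locked departments return true so ordinary fulfillers keep
// their access; the locked department requires the role. Fails closed when the
// role check is missing or false. Note that gs.hasRole() returns true for admin,
// so admins are never locked out by this check.
function canRead(department, hasRole) {
  if (!isLockedDepartment(department)) {
    return true;
  }
  return hasRole(REQUIRED_ROLE) === true;
}

// Wiring inside ServiceNow, where current and gs are platform globals:
//   incident read ACL Script:
//     answer = canRead(departmentOf(current), function (r) { return gs.hasRole(r); });
//   incident_task read ACL Script:
//     answer = canRead(taskDepartment(current), function (r) { return gs.hasRole(r); });

// Constructed stand-in for a GlideRecord so the logic can be exercised offline.
// `parent` plays the role of the incident reached through the task's incident field.
function fakeRecord(fields, parent) {
  return {
    getValue: function (name) {
      return Object.prototype.hasOwnProperty.call(fields, name) ? fields[name] : null;
    },
    incident: { getRefRecord: function () { return parent || null; } }
  };
}

// Runs the decision against constructed records and role sets.
function demo() {
  var hasAbcRole = function (r) { return r === REQUIRED_ROLE; };
  var noRoles = function () { return false; };
  var lockedIncident = fakeRecord({ u_department: 'ABC' });
  var lockedByRef = fakeRecord({ u_department: LOCKED_DEPARTMENT_SYS_ID });
  var otherIncident = fakeRecord({ u_department: 'Finance' });
  var taskOfLocked = fakeRecord({ u_department: '' }, lockedIncident);
  return {
    lockedWithRole: canRead(departmentOf(lockedIncident), hasAbcRole),
    lockedWithoutRole: canRead(departmentOf(lockedIncident), noRoles),
    lockedByReferenceWithoutRole: canRead(departmentOf(lockedByRef), noRoles),
    otherWithoutRole: canRead(departmentOf(otherIncident), noRoles),
    taskInheritsLock: canRead(taskDepartment(taskOfLocked), noRoles),
    taskWithRole: canRead(taskDepartment(taskOfLocked), hasAbcRole)
  };
}

console.log(demo());
```

The data condition on the ACL (Department is ABC) still matters: it keeps this script from even being evaluated for records outside the locked department, and the explicit `return true` for other departments means the script never narrows what those records' other ACLs already allow.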

Rushi Savarkar
Kilo Sage

Hello @Chris200 

Please see the screenshots below

RushiSavarkar_0-1740635453283.png

Considering Department is a string field

RushiSavarkar_1-1740635592421.png

Result:

1. If the department is "ABC", the user with the "u_abc" role can view this field

2. If the department is other than ABC, the user with the "u_abc" role is not able to view this field


If it helped, please accept my response as a solution and mark it as helpful

thanks!
