var answer = getAnswer();
answer;

function getAnswer() {
    gs.info("ACL Check: Starting group check for user: " + gs.getUserName());

    // sys_id of the "Portfolio Manager" group
    var portfolioManagerGroupId = "passing group sys_id";

    var groupIds = gs.getUser().getMyGroups();
    if (!groupIds || groupIds.length === 0) {
        return false;
    }

    if (groupIds.indexOf(portfolioManagerGroupId) !== -1) {
        return true;
    }
    return false;
}

only for contract_rel_ci.*  write operation using below script:

var answer = getAnswer();
answer;

function getAnswer() {
    var portfolioManagerGroupId = "passing group sys_id";

    // Allow if user has the contract_manager role
    if (gs.hasRole("contract_manager")) {
        return true;
    }

    // Allow if user is in the Portfolio Manager group
    var m2m = new GlideRecord("sys_user_grmember");
    m2m.addQuery("user", gs.getUserID());
    m2m.addQuery("group", portfolioManagerGroupId);
    m2m.query();

    return m2m.hasNext();
}

What’s Happening:

• Users with only the contract_manager role: ❌ Cannot create or edit records.
• Users in only the Portfolio Manager group: ❌ Cannot create or edit records.
• If I reactivate the old ACL that only checks for contract_manager role (no script), it works — but then Portfolio Manager group users are still blocked.
• I’ve confirmed:
  • No UI Policies, Client Scripts, or Business Rules are interfering.
  • Fields are not marked read-only in the dictionary.

What I Need Help With:

• Is there something wrong with the script logic or ACL ?
• Why does the scripted ACL fail when the role-based one works?
• Is there a better way to allow access for either a role or a group?

Any help or insights would be greatly appreciated!