ACL

Mark Wood
Tera Contributor

Hello Team,

I am working on the following requirement:

I have achieved the desired functionality using a client script, but we need to implement an ACL for proper enforcement.

Requirement:
When the Incident State changes to "Resolved," all fields should become read-only, and the "Assignment Group" field should be hidden for all users except the Incident Manager.

Current Challenge:
As an ITIL user, I can still access the fields when the state is "Resolved," likely due to an out-of-the-box (OOTB) ACL. The goal is to ensure that when the state is "Resolved," all fields are read-only, and the "Assignment Group" field is hidden for all logged-in users except the Incident Manager.

How can we achieve this through ACL implementation without touching OOTB ACL?

1 ACCEPTED SOLUTION

Vishal Jaswal
Giga Sage

Hello @Mark Wood 

1. ACL --> To make all Resolved Incident fields read only

Navigate to All > System Security > Access Control (ACL) > Click New (table name: sys_security_acl) 




Validation Results:

itil user before


itil user after ACL:


 

2. UI Policy --> Show Assignment group field for Resolved Incidents only to users with incident_manager role


 

NOTE: It is recommended for UI Policy Script to have both Execute if true and Execute if false 

Execute if true:

function onCondition() {
    if (!g_user.hasRole('incident_manager')) {
        g_form.setDisplay('assignment_group', false);
    }
}

Execute if false:

function onCondition() {
    if (g_user.hasRole('incident_manager')) {
        g_form.setDisplay('assignment_group', true);
    }
}

 


Hope that helps!


6 REPLIES

Ankur Bawiskar
Tera Patron

@Mark Wood 

2 ways

1) ACL approach

You can create a field-level READ ACL for Assignment group to show only when State is not Resolved, and use role as incident manager.

OR

2) Use an onLoad client script on the incident table

function onLoad() {

    var isIncidentManager = g_user.hasRoleExactly('incident_manager');

    // Check if the state is "Resolved"
    if (g_form.getValue('state') == '6') { // Assuming '6' is the value for "Resolved"
        // Make all fields read-only

        var fields = g_form.getEditableFields();
        for (var x = 0; x < fields.length; x++) {
            g_form.setReadOnly(fields[x], true);
        }

        // If the user is not an Incident Manager, hide the "Assignment Group" field
        if (!isIncidentManager) {
            g_form.setDisplay('assignment_group', false);
        }
    }
}

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader
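
The field-level read ACL and the read-only-when-Resolved rule discussed above, modelled as plain JavaScript (an added example, not code from the thread or from ServiceNow). `makeGs`, `makeCurrent` and `serverView` are hypothetical stand-ins for the platform's `gs`, `current` and ACL evaluation so the logic runs outside an instance; the state value '6' and the rule that nobody may write a Resolved record are assumptions taken from the client script above.

```javascript
const RESOLVED = '6'; // assumed value for "Resolved", as in the client script above

// Stand-in for the server-side `gs` object; gs.hasRole() is also true for admin.
function makeGs(roles) {
  return { hasRole: (r) => roles.includes('admin') || roles.includes(r) };
}

// Stand-in for `current`; only getValue() is needed for these two rules.
function makeCurrent(fields) {
  return { getValue: (name) => fields[name] };
}

// Read rule for incident.assignment_group. In an ACL script field the same
// expression would be assigned to `answer`.
function canReadAssignmentGroup(current, gs) {
  return current.getValue('state') !== RESOLVED || gs.hasRole('incident_manager');
}

// Write rule for the incident fields: no edits once the record is Resolved.
function canWriteField(current) {
  return current.getValue('state') !== RESOLVED;
}

// What the server hands to any client (form, list, REST) for this user.
// A field that fails the read rule is absent, not merely hidden in the form.
function serverView(fields, roles) {
  const current = makeCurrent(fields);
  const gs = makeGs(roles);
  const view = {};
  for (const [name, value] of Object.entries(fields)) {
    if (name === 'assignment_group' && !canReadAssignmentGroup(current, gs)) continue;
    view[name] = { value, writable: canWriteField(current) };
  }
  return view;
}

// Constructed sample record and users.
const incident = { number: 'INC0000001', state: '6', assignment_group: 'Network' };
const users = { itil: ['itil'], manager: ['itil', 'incident_manager'], admin: ['admin'] };
for (const [name, roles] of Object.entries(users)) {
  console.log(name, JSON.stringify(serverView(incident, roles)));
}
```

Unlike `g_form.setDisplay()` and `g_form.setReadOnly()`, which only change what the form renders, these checks decide what the server returns and accepts, which is the enforcement the original question asks for.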

@Mark Wood 

Thank you for marking my response as helpful.

As per new community feature you can mark multiple responses as correct.

If my response helped please mark it correct as well so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader


@Vishal Jaswal 

The question is about hiding the field.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader